Dear maintainer, I've prepared an NMU for cloudcompare (versioned as 2.11.3-7.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.
cu Adrian
diff -Nru cloudcompare-2.11.3/debian/changelog cloudcompare-2.11.3/debian/changelog --- cloudcompare-2.11.3/debian/changelog 2022-10-10 15:52:30.000000000 +0300 +++ cloudcompare-2.11.3/debian/changelog 2023-04-07 14:45:46.000000000 +0300 @@ -1,3 +1,11 @@ +cloudcompare (2.11.3-7.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2021-21897: Heap-based buffer overflow loading a DXF file. + (Closes: #1010347) + + -- Adrian Bunk <b...@debian.org> Fri, 07 Apr 2023 14:45:46 +0300 + cloudcompare (2.11.3-7) unstable; urgency=medium * Drop png extension from desktop files. (Closes: #1021335) diff -Nru cloudcompare-2.11.3/debian/patches/0001-check-vertexIndex-which-might-be-1-for-broken-DXF.patch cloudcompare-2.11.3/debian/patches/0001-check-vertexIndex-which-might-be-1-for-broken-DXF.patch --- cloudcompare-2.11.3/debian/patches/0001-check-vertexIndex-which-might-be-1-for-broken-DXF.patch 1970-01-01 02:00:00.000000000 +0200 +++ cloudcompare-2.11.3/debian/patches/0001-check-vertexIndex-which-might-be-1-for-broken-DXF.patch 2023-03-20 10:27:04.000000000 +0200 
@@ -0,0 +1,23 @@ +From 1eeffc5daf5a06cf6213ffc19e95923cdebb2eb8 Mon Sep 17 00:00:00 2001 +From: Andrew Mustun <and...@qcad.org> +Date: Wed, 4 Aug 2021 22:32:43 +0200 +Subject: check vertexIndex which might be -1 for broken DXF + +--- a/contrib/dxflib-3.17.0/src/dl_dxf.cpp ++++ b/contrib/dxflib-3.17.0/dl_dxf.cpp +@@ -1448,10 +1448,10 @@ bool DL_Dxf::handleLWPolylineData(DL_CreationInterface* /*creationInterface*/) { + } + + if (groupCode<=30) { +- if (vertexIndex>=0 && vertexIndex<maxVertices) { ++ if (vertexIndex>=0 && vertexIndex<maxVertices && vertexIndex>=0) { + vertices[4*vertexIndex + (groupCode/10-1)] = toReal(groupValue); + } +- } else if (groupCode==42 && vertexIndex<maxVertices) { ++ } else if (groupCode==42 && vertexIndex<maxVertices && vertexIndex>=0) { + vertices[4*vertexIndex + 3] = toReal(groupValue); + } + return true; +-- +2.30.2 + diff -Nru cloudcompare-2.11.3/debian/patches/series cloudcompare-2.11.3/debian/patches/series --- cloudcompare-2.11.3/debian/patches/series 2022-07-21 16:18:05.000000000 +0300 +++ cloudcompare-2.11.3/debian/patches/series 2023-04-07 14:45:46.000000000 +0300 @@ -1,3 +1,4 @@ grr 0-stdlib.h ffmpeg-5.0.patch +0001-check-vertexIndex-which-might-be-1-for-broken-DXF.patch
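Review bot: In the embedded dxflib patch, the condition for the groupCode<=30 branch becomes "vertexIndex>=0 && vertexIndex<maxVertices && vertexIndex>=0", which tests the lower bound twice. That branch was already guarded, so this line changes nothing. The only effective change is in the groupCode==42 branch, which before this patch wrote to "vertices[4*vertexIndex + 3]" with an upper bound but no lower bound. I would leave the first condition untouched so the patch shows only the real fix, although keeping it byte-identical to the upstream commit is a reasonable argument for leaving it as is. Separately, the two file headers of the inner patch disagree: "--- a/contrib/dxflib-3.17.0/src/dl_dxf.cpp" against "+++ b/contrib/dxflib-3.17.0/dl_dxf.cpp". Please confirm that the patch applies to the copy of dl_dxf.cpp that is actually compiled into the package, and make the two paths consistent. The patch header carries only From/Date/Subject; adding DEP-3 fields (Origin pointing at the upstream commit, Bug-Debian for #1010347) would make the provenance of the fix easier to track.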