Project import/mupdf - Diff aae910b1d1...ecd224d24e

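--- a/.abf.yml
+++ b/.abf.yml
@@ -1,2 +1,6 @@
 sources:
   mupdf-1.11-source.tar.gz: f782d36aaa896319207e81953e5a622201477b5b
+  mupdf-1.12.0-source.tar.gz: 0daee66600023de2bda2f1928a97a8515c17d2d2
+  mupdf16.png: 4d1a01c29bd90f173fc6306176beabff59efd90e
+  mupdf32.png: da49ad4506d72db5fece47cf02fa46bb0a330274
+  mupdf48.png: 3cf02322577405c3cc702f169ef5aacb3befea94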
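Review bot: The entry `mupdf-1.11-source.tar.gz: f782d36aaa896319207e81953e5a622201477b5b` is kept although the spec in this same commit moves Version to 1.12.0 and Source0 to `%{name}-%{version}-source.tar.gz`, so nothing in the package references the 1.11 tarball any more. Dropping the stale line keeps the source manifest limited to what the build actually consumes and avoids shipping an unused upstream artifact in the upload set. The SHA-1 recorded for the new 1.12.0 tarball should be cross-checked against upstream's published checksum at update time rather than only against the file that was uploaded.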
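--- a/mupdf-1.10-no_opj_static.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- mupdf-1.10a-source/source/fitz/load-jpx.c.orig	2016-12-13 14:18:03.800137794 +0000
-+++ mupdf-1.10a-source/source/fitz/load-jpx.c	2016-12-13 14:18:15.672724093 +0000
-@@ -481,10 +481,6 @@
- 
- #else /* HAVE_LURATECH */
- 
--/* Without the definition of OPJ_STATIC, compilation fails on windows
-- * due to the use of __stdcall. We believe it is required on some
-- * linux toolchains too. */
--#define OPJ_STATIC
- #ifndef _MSC_VER
- #define OPJ_HAVE_STDINT_H
- #endif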
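--- a/mupdf-1.11-fix_opj_static.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- a/source/fitz/load-jpx.c.orig       2017-04-05 11:02:21 UTC
-+++ b/source/fitz/load-jpx.c
-@@ -444,7 +444,6 @@ fz_load_jpx_info(fz_context *ctx, unsign
- 
- #else /* HAVE_LURATECH */
- 
--#define OPJ_STATIC
- #define OPJ_HAVE_INTTYPES_H
- #if !defined(_WIN32) && !defined(_WIN64)
- #define OPJ_HAVE_STDINT_H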
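--- /dev/null
+++ b/mupdf-1.12-CVE-2017-17858.patch
@@ -0,0 +1,102 @@
+From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001
+Message-Id: <55c3f68d638ac1263a386e0aaa004bb6e8bde731.1516782952.git.mjg@fedoraproject.org>
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Mon, 11 Dec 2017 14:09:15 +0100
+Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below
+ limit.
+
+This ensures that:
+ * xref tables with objects pointers do not grow out of bounds.
+ * other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf.
+---
+ include/mupdf/pdf/object.h |  3 +++
+ source/pdf/pdf-repair.c    |  5 +----
+ source/pdf/pdf-xref.c      | 21 ++++++++++++---------
+ 3 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
+index 21ed8595..4177112b 100644
+--- a/include/mupdf/pdf/object.h
++++ b/include/mupdf/pdf/object.h
+@@ -3,6 +3,9 @@
+ 
+ typedef struct pdf_document_s pdf_document;
+ 
++/* Defined in PDF 1.7 according to Acrobat limit. */
++#define PDF_MAX_OBJECT_NUMBER 8388607
++
+ /*
+  * Dynamic objects.
+  * The same type of objects as found in PDF and PostScript.
+diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
+index ca149bd3..0c29758e 100644
+--- a/source/pdf/pdf-repair.c
++++ b/source/pdf/pdf-repair.c
+@@ -6,9 +6,6 @@
+ 
+ /* Scan file for objects and reconstruct xref table */
+ 
+-/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */
+-#define MAX_OBJECT_NUMBER (10 << 20)
+-
+ struct entry
+ {
+ 	int num;
+@@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
+ 					break;
+ 				}
+ 
+-				if (num <= 0 || num > MAX_OBJECT_NUMBER)
++				if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER)
+ 				{
+ 					fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen);
+ 					goto have_next_token;
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 00586dbd..6284e70b 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ 			fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR);
+ 		}
+ 
+-		if (ofs < 0)
+-			fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs);
+-		if (ofs > INT64_MAX - len)
+-			fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big");
+-
++		if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER
++				|| len < 0 || len > PDF_MAX_OBJECT_NUMBER
++				|| ofs + len - 1 > PDF_MAX_OBJECT_NUMBER)
++		{
++			fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
++		}
+ 		/* broken pdfs where size in trailer undershoots entries in xref sections */
+ 		if (ofs + len > xref_len)
+ 		{
+@@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, in
+ 	pdf_xref_entry *table;
+ 	int i, n;
+ 
+-	if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1)
+-		fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+-	//if (i0 + i1 > pdf_xref_len(ctx, doc))
+-	//	fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
++	if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER)
++		fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
+ 
+ 	table = pdf_xref_find_subsection(ctx, doc, i0, i1);
+ 	for (i = i0; i < i0 + i1; i++)
+@@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_document *doc)
+ 	/* TODO: reuse free object slots by properly linking free object chains in the ofs field */
+ 	pdf_xref_entry *entry;
+ 	int num = pdf_xref_len(ctx, doc);
++
++	if (num > PDF_MAX_OBJECT_NUMBER)
++		fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in pdf");
++
+ 	entry = pdf_get_incremental_xref_entry(ctx, doc, num);
+ 	entry->type = 'f';
+ 	entry->ofs = -1;
+-- 
+2.16.1.338.gd8f744ddde
+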
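--- /dev/null
+++ b/mupdf-1.12-CVE-2018-1000051.patch
@@ -0,0 +1,80 @@
+From 321ba1de287016b0036bf4a56ce774ad11763384 Mon Sep 17 00:00:00 2001
+Message-Id: <321ba1de287016b0036bf4a56ce774ad11763384.1518616543.git.mjg@fedoraproject.org>
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Tue, 19 Dec 2017 23:47:47 +0100
+Subject: [PATCH] Bug 698825: Do not drop borrowed colorspaces.
+
+Previously the borrowed colorspace was dropped when updating annotation
+appearances, leading to use after free warnings from valgrind/ASAN.
+---
+ source/pdf/pdf-appearance.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/source/pdf/pdf-appearance.c b/source/pdf/pdf-appearance.c
+index 70f684f4..d7a1dddd 100644
+--- a/source/pdf/pdf-appearance.c
++++ b/source/pdf/pdf-appearance.c
+@@ -2170,7 +2170,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
+ 	fz_device *dev = NULL;
+ 	font_info font_rec;
+ 	fz_text *text = NULL;
+-	fz_colorspace *cs = NULL;
+ 	fz_matrix page_ctm;
+ 
+ 	pdf_page_transform(ctx, annot->page, NULL, &page_ctm);
+@@ -2184,11 +2183,11 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
+ 	fz_var(dlist);
+ 	fz_var(dev);
+ 	fz_var(text);
+-	fz_var(cs);
+ 	fz_try(ctx)
+ 	{
+ 		char *contents = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_Contents));
+ 		char *da = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_DA));
++		fz_colorspace *cs;
+ 		fz_point pos;
+ 		fz_rect rect;
+ 
+@@ -2223,7 +2222,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
+ 		fz_drop_display_list(ctx, dlist);
+ 		font_info_fin(ctx, &font_rec);
+ 		fz_drop_text(ctx, text);
+-		fz_drop_colorspace(ctx, cs);
+ 	}
+ 	fz_catch(ctx)
+ 	{
+@@ -2359,7 +2357,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot 
+ 	fz_device *dev = NULL;
+ 	font_info font_rec;
+ 	fz_text *text = NULL;
+-	fz_colorspace *cs = NULL;
+ 	fz_path *path = NULL;
+ 	fz_buffer *fzbuf = NULL;
+ 	fz_matrix page_ctm;
+@@ -2375,7 +2372,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot 
+ 	fz_var(dlist);
+ 	fz_var(dev);
+ 	fz_var(text);
+-	fz_var(cs);
+ 	fz_var(fzbuf);
+ 	fz_try(ctx)
+ 	{
+@@ -2384,6 +2380,7 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot 
+ 		fz_rect logo_bounds;
+ 		fz_matrix logo_tm;
+ 		fz_rect rect;
++		fz_colorspace *cs = fz_device_rgb(ctx); /* Borrowed reference */
+ 
+ 		pdf_to_rect(ctx, pdf_dict_get(ctx, annot->obj, PDF_NAME_Rect), &annot_rect);
+ 		rect = annot_rect;
+@@ -2396,7 +2393,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot 
+ 		fz_bound_path(ctx, path, NULL, &fz_identity, &logo_bounds);
+ 		center_rect_within_rect(&logo_bounds, &rect, &logo_tm);
+ 		fz_concat(&logo_tm, &logo_tm, &page_ctm);
+-		cs = fz_device_rgb(ctx); /* Borrowed reference */
+ 		fz_fill_path(ctx, dev, path, 0, &logo_tm, cs, logo_color, 1.0f, NULL);
+ 
+ 		get_font_info(ctx, doc, dr, da, &font_rec);
+-- 
+2.16.1.312.g365a692731
+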
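--- /dev/null
+++ b/mupdf-1.12-CVE-2018-5686.patch
@@ -0,0 +1,57 @@
+From b70eb93f6936c03d8af52040bbca4d4a7db39079 Mon Sep 17 00:00:00 2001
+Message-Id: <b70eb93f6936c03d8af52040bbca4d4a7db39079.1516784329.git.mjg@fedoraproject.org>
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 9 Jan 2018 13:52:41 +0100
+Subject: [PATCH] Don't allow reading from a 'dead' fz_stream.
+
+Once a stream has thrown an exception or reached EOF,
+don't allow further reading.
+
+The EOF flag is reset when fz_seek is invoked.
+---
+ include/mupdf/fitz/stream.h | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/include/mupdf/fitz/stream.h b/include/mupdf/fitz/stream.h
+index cd26be90..790a0a83 100644
+--- a/include/mupdf/fitz/stream.h
++++ b/include/mupdf/fitz/stream.h
+@@ -335,10 +335,11 @@ static inline size_t fz_available(fz_context *ctx, fz_stream *stm, size_t max)
+ 
+ 	if (len)
+ 		return len;
++	if (stm->eof)
++		return 0;
++
+ 	fz_try(ctx)
+-	{
+ 		c = stm->next(ctx, stm, max);
+-	}
+ 	fz_catch(ctx)
+ 	{
+ 		fz_rethrow_if(ctx, FZ_ERROR_TRYLATER);
+@@ -369,10 +370,10 @@ static inline int fz_read_byte(fz_context *ctx, fz_stream *stm)
+ 
+ 	if (stm->rp != stm->wp)
+ 		return *stm->rp++;
++	if (stm->eof)
++		return EOF;
+ 	fz_try(ctx)
+-	{
+ 		c = stm->next(ctx, stm, 1);
+-	}
+ 	fz_catch(ctx)
+ 	{
+ 		fz_rethrow_if(ctx, FZ_ERROR_TRYLATER);
+@@ -398,6 +399,8 @@ static inline int fz_peek_byte(fz_context *ctx, fz_stream *stm)
+ 
+ 	if (stm->rp != stm->wp)
+ 		return *stm->rp;
++	if (stm->eof)
++		return EOF;
+ 
+ 	c = stm->next(ctx, stm, 1);
+ 	if (c != EOF)
+-- 
+2.16.1.338.gd8f744ddde
+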
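--- /dev/null
+++ b/mupdf-1.12-CVE-2018-6187.patch
@@ -0,0 +1,76 @@
+From 6ba8c036e9a2147156a426550d97144d16f4cd02 Mon Sep 17 00:00:00 2001
+Message-Id: <6ba8c036e9a2147156a426550d97144d16f4cd02.1518615186.git.mjg@fedoraproject.org>
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Mon, 29 Jan 2018 23:40:19 +0100
+Subject: [PATCH] Bug 698908: Resize object use and renumbering lists after
+ repair.
+
+Previously repair might end up increasing xref_len, but the lists
+were not correspodingly expanded, leading to ASAN complaints.
+---
+ source/pdf/pdf-write.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/source/pdf/pdf-write.c b/source/pdf/pdf-write.c
+index 9fcdbf0a..beb49252 100644
+--- a/source/pdf/pdf-write.c
++++ b/source/pdf/pdf-write.c
+@@ -633,7 +633,8 @@ expand_lists(fz_context *ctx, pdf_write_state *opts, int num)
+ {
+ 	int i;
+ 
+-	num++;
++	/* objects are numbered 0..num and maybe two additional objects for linearization */
++	num += 3;
+ 	opts->use_list = fz_resize_array(ctx, opts->use_list, num, sizeof(*opts->use_list));
+ 	opts->ofs_list = fz_resize_array(ctx, opts->ofs_list, num, sizeof(*opts->ofs_list));
+ 	opts->gen_list = fz_resize_array(ctx, opts->gen_list, num, sizeof(*opts->gen_list));
+@@ -1522,9 +1523,9 @@ static void preloadobjstms(fz_context *ctx, pdf_document *doc)
+ {
+ 	pdf_obj *obj;
+ 	int num;
+-	int xref_len = pdf_xref_len(ctx, doc);
+ 
+-	for (num = 0; num < xref_len; num++)
++	/* xref_len may change due to repair, so check it every iteration */
++	for (num = 0; num < pdf_xref_len(ctx, doc); num++)
+ 	{
+ 		if (pdf_get_xref_entry(ctx, doc, num)->type == 'o')
+ 		{
+@@ -2755,7 +2756,7 @@ static void initialise_write_state(fz_context *ctx, pdf_document *doc, const pdf
+ 	opts->continue_on_error = in_opts->continue_on_error;
+ 	opts->errors = in_opts->errors;
+ 
+-	expand_lists(ctx, opts, xref_len + 3);
++	expand_lists(ctx, opts, xref_len);
+ }
+ 
+ /* Free the resources held by the dynamic write options */
+@@ -2892,6 +2893,8 @@ do_pdf_save_document(fz_context *ctx, pdf_document *doc, pdf_write_state *opts,
+ 		{
+ 			pdf_ensure_solid_xref(ctx, doc, xref_len);
+ 			preloadobjstms(ctx, doc);
++			xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
++			expand_lists(ctx, opts, xref_len);
+ 		}
+ 
+ 		/* Sweep & mark objects from the trailer */
+@@ -2900,6 +2903,7 @@ do_pdf_save_document(fz_context *ctx, pdf_document *doc, pdf_write_state *opts,
+ 		else
+ 		{
+ 			xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
++			expand_lists(ctx, opts, xref_len);
+ 			for (num = 0; num < xref_len; num++)
+ 				opts->use_list[num] = 1;
+ 		}
+@@ -2920,6 +2924,7 @@ do_pdf_save_document(fz_context *ctx, pdf_document *doc, pdf_write_state *opts,
+ 		if ((opts->do_garbage >= 2 || opts->do_linear) && !opts->do_incremental)
+ 		{
+ 			xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
++			expand_lists(ctx, opts, xref_len);
+ 			while (xref_len > 0 && !opts->use_list[xref_len-1])
+ 				xref_len--;
+ 		}
+-- 
+2.16.1.312.g365a692731
+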
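--- /dev/null
+++ b/mupdf-1.12-CVE-2018-6192.patch
@@ -0,0 +1,42 @@
+From 5e411a99604ff6be5db9e273ee84737204113299 Mon Sep 17 00:00:00 2001
+Message-Id: <5e411a99604ff6be5db9e273ee84737204113299.1518615489.git.mjg@fedoraproject.org>
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Tue, 30 Jan 2018 02:05:57 +0100
+Subject: [PATCH] Bug 698916: Indirect object numbers must be in range.
+
+---
+ source/pdf/pdf-parse.c | 2 ++
+ source/pdf/pdf-xref.c  | 4 ++--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
+index 7904ebd7..b4783ae8 100644
+--- a/source/pdf/pdf-parse.c
++++ b/source/pdf/pdf-parse.c
+@@ -623,6 +623,8 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
+ 		fz_throw(ctx, FZ_ERROR_SYNTAX, "expected object number");
+ 	}
+ 	num = buf->i;
++	if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)
++		fz_throw(ctx, FZ_ERROR_SYNTAX, "object number out of range");
+ 
+ 	tok = pdf_lex(ctx, file, buf);
+ 	if (tok != PDF_TOK_INT)
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 4997ebe5..cfcd0a21 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -228,8 +228,8 @@ pdf_xref_entry *pdf_get_populating_xref_entry(fz_context *ctx, pdf_document *doc
+ 	}
+ 
+ 	/* Prevent accidental heap underflow */
+-	if (num < 0)
+-		fz_throw(ctx, FZ_ERROR_GENERIC, "object number must not be negative (%d)", num);
++	if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)
++		fz_throw(ctx, FZ_ERROR_GENERIC, "object number out of range (%d)", num);
+ 
+ 	/* Return the pointer to the entry in the last section. */
+ 	xref = &doc->xref_sections[doc->num_xref_sections-1];
+-- 
+2.16.1.312.g365a692731
+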
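--- /dev/null
+++ b/mupdf-1.12-CVE-2018-6544-1.patch
@@ -0,0 +1,46 @@
+From 26527eef77b3e51c2258c8e40845bfbc015e405d Mon Sep 17 00:00:00 2001
+Message-Id: <26527eef77b3e51c2258c8e40845bfbc015e405d.1518616043.git.mjg@fedoraproject.org>
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Mon, 29 Jan 2018 02:00:48 +0100
+Subject: [PATCH] Bug 698830: Don't drop unkept stream if running out of error
+ stack.
+
+Under normal conditions where fz_keep_stream() is called inside
+fz_try() we may call fz_drop_stream() in fz_catch() upon exceptions.
+The issue comes when fz_keep_stream() has not yet been called but is
+dropped in fz_catch(). This happens in the PDF from the bug when
+fz_try() runs out of exception stack, and next the code in fz_catch()
+runs, dropping the caller's reference to the filter chain stream!
+
+The simplest way of fixing this it to always keep the filter chain
+stream before fz_try() is called. That way fz_catch() may drop the
+stream whether an exception has occurred or if the fz_try() ran out of
+exception stack.
+---
+ source/pdf/pdf-stream.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
+index c89da5c4..c6ba7ad3 100644
+--- a/source/pdf/pdf-stream.c
++++ b/source/pdf/pdf-stream.c
+@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_ob
+ 		*orig_gen = 0;
+ 	}
+ 
+-	fz_var(chain);
++	chain = fz_keep_stream(ctx, chain);
+ 
+ 	fz_try(ctx)
+ 	{
+ 		len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length));
+ 
+-		/* don't close chain when we close this filter */
+-		chain2 = fz_keep_stream(ctx, chain);
++		chain2 = chain;
+ 		chain = NULL;
+ 		chain = fz_open_null(ctx, chain2, len, offset);
+ 
+-- 
+2.16.1.312.g365a692731
+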
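Review bot: `fz_var(chain);` is removed while `chain` is still reassigned inside the `fz_try` block (`chain = NULL;` and `chain = fz_open_null(ctx, chain2, len, offset);`); if the `fz_catch` body, which lies outside this hunk, still reads `chain`, then in standard C the value of a non-volatile automatic after the longjmp that fz_catch relies on is indeterminate, which is exactly what `fz_var` guarded against. The observable risk is that the catch path drops the pre-try reference and leaks the freshly opened null filter rather than a memory-safety fault, but keeping `fz_var(chain);` immediately after the new `chain = fz_keep_stream(ctx, chain);` line costs nothing and preserves the original guarantee. The enclosing pdf_open_raw_filter continues past the end of the hunk, so the catch side cannot be verified from this page.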
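--- /dev/null
+++ b/mupdf-1.12-CVE-2018-6544-2.patch
@@ -0,0 +1,54 @@
+From b03def134988da8c800adac1a38a41a1f09a1d89 Mon Sep 17 00:00:00 2001
+Message-Id: <b03def134988da8c800adac1a38a41a1f09a1d89.1518616030.git.mjg@fedoraproject.org>
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Thu, 1 Feb 2018 16:36:14 +0100
+Subject: [PATCH] Bug 698830: Avoid recursion when loading object streams
+ objects.
+
+If there were indirect references in the object stream dictionary and
+one of those indirect references referred to an object inside the object
+stream itself, mupdf would previously enter recursion only bounded by the
+exception stack. After this commit the object stream is checked if it is
+marked immediately after being loaded. If it is marked then we terminate
+the recursion at this point, if it is not marked then mark it and
+attempt to load the desired object within. We also take care to unmark
+the stream object when done or upon exception.
+---
+ source/pdf/pdf-xref.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 723b543c..ed09094c 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1576,6 +1576,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
+ 	{
+ 		objstm = pdf_load_object(ctx, doc, num);
+ 
++		if (pdf_obj_marked(ctx, objstm))
++			fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup");
++	}
++	fz_catch(ctx)
++	{
++		pdf_drop_obj(ctx, objstm);
++		fz_rethrow(ctx);
++	}
++
++	fz_try(ctx)
++	{
++		pdf_mark_obj(ctx, objstm);
++
+ 		count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
+ 		first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
+ 
+@@ -1655,6 +1668,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
+ 		fz_drop_stream(ctx, stm);
+ 		fz_free(ctx, ofsbuf);
+ 		fz_free(ctx, numbuf);
++		pdf_unmark_obj(ctx, objstm);
+ 		pdf_drop_obj(ctx, objstm);
+ 	}
+ 	fz_catch(ctx)
+-- 
+2.16.1.312.g365a692731
+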
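--- /dev/null
+++ b/mupdf-1.12-openjpeg.patch
@@ -0,0 +1,31 @@
+diff --git i/source/fitz/load-jpx.c w/source/fitz/load-jpx.c
+index 65699bab..800ee32c 100644
+--- i/source/fitz/load-jpx.c
++++ w/source/fitz/load-jpx.c
+@@ -444,12 +444,15 @@ fz_load_jpx_info(fz_context *ctx, const unsigned char *data, size_t size, int *w
+ }
+ 
+ #else /* HAVE_LURATECH */
+-
++#ifdef __cplusplus
++extern "C"
++{
+ #define OPJ_STATIC
+ #define OPJ_HAVE_INTTYPES_H
+ #if !defined(_MSC_VER) || _MSC_VER >= 1600
+ #define OPJ_HAVE_STDINT_H
+ #endif
++#endif
+ #define USE_JPIP
+ 
+ #include <openjpeg.h>
+@@ -931,6 +934,9 @@ fz_load_jpx_info(fz_context *ctx, const unsigned char *data, size_t size, int *w
+ }
+ 
+ #endif /* HAVE_LURATECH */
++#ifdef __cplusplus
++}
++#endif
+ 
+ #else /* FZ_ENABLE_JPX */
+ 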
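Review bot: The `#ifdef __cplusplus` guard opened before `extern "C"` is only closed by the added `#endif` after `#define OPJ_HAVE_STDINT_H`/`#endif`, so for the C compilation of load-jpx.c the three macros `OPJ_STATIC`, `OPJ_HAVE_INTTYPES_H` and `OPJ_HAVE_STDINT_H` are all skipped, whereas the two patches this commit deletes removed only `#define OPJ_STATIC` and kept the other two. If the intent is just to stop defining OPJ_STATIC for linking against the shared libopenjp2, a plain deletion of `#define OPJ_STATIC` is clearer and keeps the OPJ_HAVE_* defines; if the extern "C" wrapper is wanted as well, close its guard right after the `{` and open a separate one for the closing `}`. Whether openjpeg.h still resolves its integer types without those two macros depends on the installed opj_config.h, which is not visible here, so this deserves a build check. Unlike the other patches in this commit the file carries no header explaining its origin or purpose; a leading comment such as `Drop OPJ_STATIC so load-jpx.c links against the system shared libopenjp2; local packaging patch, not upstream.` would document that.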
... ... --- a/mupdf.spec
... ... +++ b/mupdf.spec
... ... @@ -4,19 +4,27 @@
4 4
5 5
Summary:	MuPDF is a lightweight PDF viewer and toolkit written in portable C
6 6
Name:		mupdf
7
Version:	1.11
8
Release:	2
7
Version:	1.12.0
8
Release:	1
9 9
License:	GPLv3
10 10
Group:		Office
11 11
Url:		http://mupdf.com/
12
Source0:	http://mupdf.googlecode.com/files/%{name}-%{version}-source.tar.gz
12
Source0:	http://mupdf.com/downloads/%{name}-%{version}-source.tar.gz
13 13
Source1:	mupdf.desktop
14 14
Source2:	mupdf16.png
15 15
Source3:	mupdf32.png
16 16
Source4:	mupdf48.png
17
Patch1:		mupdf-1.11-fix_opj_static.patch
17
Patch0:		%{name}-1.12-openjpeg.patch
18
Patch1:		%{name}-1.12-CVE-2017-17858.patch
19
Patch2:		%{name}-1.12-CVE-2018-5686.patch
20
Patch3:		%{name}-1.12-CVE-2018-6187.patch
21
Patch4:		%{name}-1.12-CVE-2018-6192.patch
22
Patch5:		%{name}-1.12-CVE-2018-6544-1.patch
23
Patch6:		%{name}-1.12-CVE-2018-6544-2.patch
24
Patch7:		%{name}-1.12-CVE-2018-1000051.patch
18 25
BuildRequires:	jbig2dec-devel
19 26
BuildRequires:	jpeg-devel
27
BuildRequires:	pkgconfig(freeglut)
20 28
BuildRequires:	pkgconfig(freetype2)
21 29
BuildRequires:	pkgconfig(libcurl)
22 30
BuildRequires:	pkgconfig(libopenjp2)
... ... @@ -44,8 +52,10 @@ searchable text, and rendering pages to image files is provided.
52 52
53 53
%files
54 54
%doc CHANGES CONTRIBUTORS README COPYING
55
%doc docs/*.txt
55
%doc docs/*
56
%{_bindir}/mjsgen
56 57
%{_bindir}/mujstest
58
%{_bindir}/mupdf-gl
57 59
%{_bindir}/mupdf-x11
58 60
%{_bindir}/mupdf-x11-curl
59 61
%{_bindir}/muraster
... ... @@ -67,7 +77,6 @@ The %{devname} package contains header files for developing
77 77
applications that use MuPDF toolkit.
78 78
79 79
%files -n %{devname}
80
%doc docs/*.txt docs/*.c
81 80
%{_libdir}/*.a
82 81
%{_includedir}/%{name}
83 82
... ... @@ -80,7 +89,7 @@ rm -rf thirdparty
89 89
90 90
%build
91 91
%setup_compile_flags
92
#export XCFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
92
export XCFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
93 93
%make
94 94
95 95
%install
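Review bot: `Source0:	http://mupdf.com/downloads/%{name}-%{version}-source.tar.gz` fetches the upstream tarball over plain HTTP, so its integrity rests entirely on the SHA-1 recorded in .abf.yml at import time; switching to `Source0:	https://mupdf.com/downloads/%{name}-%{version}-source.tar.gz` and comparing the 1.12.0 tarball against upstream's published checksum when updating closes that gap. Patch0 through Patch7 are declared in this hunk, but the %prep section is not part of the diff shown, so whether each patch is actually applied, and in the intended order for the two-part CVE-2018-6544 fix, cannot be confirmed from this page. The `export XCFLAGS=...` line in %build is now active again; a short comment above it stating why the flags were previously commented out and are needed for 1.12 would help the next maintainer.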