mupdf/CVE-2018-6192.patch

Index: mupdf-1.12.0-source/source/pdf/pdf-lex.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-lex.c
+++ mupdf-1.12.0-source/source/pdf/pdf-lex.c
@@ -151,12 +151,21 @@ lex_number(fz_context *ctx, fz_stream *f
 	char *e = buf->scratch + buf->size - 1; /* leave space for zero terminator */
 	char *isreal = (c == '.' ? s : NULL);
 	int neg = (c == '-');
+	int isbad = 0;
 
 	*s++ = c;
 
+	c = fz_read_byte(ctx, f);
+
+	/* skip extra '-' signs at start of number */
+	if (neg)
+	{
+		while (c == '-')
+			c = fz_read_byte(ctx, f);
+	}
+
 	while (s < e)
 	{
-		c = fz_read_byte(ctx, f);
 		switch (c)
 		{
 		case IS_WHITE:
@@ -165,21 +174,27 @@ lex_number(fz_context *ctx, fz_stream *f
 			goto end;
 		case EOF:
 			goto end;
-		case '-':
-			neg++;
-			*s++ = c;
-			break;
 		case '.':
+			if (isreal)
+				isbad = 1;
 			isreal = s;
-			/* Fall through */
+			*s++ = c;
+			break;
+		case RANGE_0_9:
+			*s++ = c;
+			break;
 		default:
+			isbad = 1;
 			*s++ = c;
 			break;
 		}
+		c = fz_read_byte(ctx, f);
 	}
 
 end:
 	*s = '\0';
+	if (isbad)
+		return PDF_TOK_ERROR;
 	if (isreal)
 	{
 		/* We'd like to use the fastest possible atof

Index: mupdf-1.12.0-source/source/pdf/pdf-parse.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-parse.c
+++ mupdf-1.12.0-source/source/pdf/pdf-parse.c
@@ -457,7 +457,8 @@ pdf_parse_array(fz_context *ctx, pdf_doc
 				break;
 
 			default:
-				fz_throw(ctx, FZ_ERROR_SYNTAX, "cannot parse token in array");
+				pdf_array_push_drop(ctx, ary, pdf_new_null(ctx, doc));
+				break;
 			}
 		}
 end:
@@ -547,10 +548,13 @@ pdf_parse_dict(fz_context *ctx, pdf_docu
 						break;
 					}
 				}
-				fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid indirect reference in dict");
+				fz_warn(ctx, "invalid indirect reference in dict");
+				val = pdf_new_null(ctx, doc);
+				break;
 
 			default:
-				fz_throw(ctx, FZ_ERROR_SYNTAX, "unknown token in dict");
+				val = pdf_new_null(ctx, doc);
+				break;
 			}
 
 			pdf_dict_put(ctx, dict, key, val);
Accepting request 572053 from home:kbabioch:branches:Publishing - Add CVE-2018-6544.patch to fix a DoS in pdf_load_obj_stm within in pdf/pdf-xref.c (CVE-2018-6544 boo#1079100) - Add CVE-2018-6192.patch to fix a DoS in pdf_read_new_xref within pdf/pdf-xref.c via crafted PDF file (CVE-2018-6192 boo#1077755) OBS-URL: https://build.opensuse.org/request/show/572053 OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=68 2018-02-02 16:44:48 +01:00			`Index: mupdf-1.12.0-source/source/pdf/pdf-lex.c`
			`===================================================================`
			`--- mupdf-1.12.0-source.orig/source/pdf/pdf-lex.c`
			`+++ mupdf-1.12.0-source/source/pdf/pdf-lex.c`
			`@@ -151,12 +151,21 @@ lex_number(fz_context ctx, fz_stream f`
			`char e = buf->scratch + buf->size - 1; / leave space for zero terminator */`
			`char *isreal = (c == '.' ? s : NULL);`
			`int neg = (c == '-');`
			`+ int isbad = 0;`

			`*s++ = c;`

			`+ c = fz_read_byte(ctx, f);`
			`+`
			`+ /* skip extra '-' signs at start of number */`
			`+ if (neg)`
			`+ {`
			`+ while (c == '-')`
			`+ c = fz_read_byte(ctx, f);`
			`+ }`
			`+`
			`while (s < e)`
			`{`
			`- c = fz_read_byte(ctx, f);`
			`switch (c)`
			`{`
			`case IS_WHITE:`
			`@@ -165,21 +174,27 @@ lex_number(fz_context ctx, fz_stream f`
			`goto end;`
			`case EOF:`
			`goto end;`
			`- case '-':`
			`- neg++;`
			`- *s++ = c;`
			`- break;`
			`case '.':`
			`+ if (isreal)`
			`+ isbad = 1;`
			`isreal = s;`
			`- /* Fall through */`
			`+ *s++ = c;`
			`+ break;`
			`+ case RANGE_0_9:`
			`+ *s++ = c;`
			`+ break;`
			`default:`
			`+ isbad = 1;`
			`*s++ = c;`
			`break;`
			`}`
			`+ c = fz_read_byte(ctx, f);`
			`}`

			`end:`
			`*s = '\0';`
			`+ if (isbad)`
			`+ return PDF_TOK_ERROR;`
			`if (isreal)`
			`{`
			`/* We'd like to use the fastest possible atof`

			`Index: mupdf-1.12.0-source/source/pdf/pdf-parse.c`
			`===================================================================`
			`--- mupdf-1.12.0-source.orig/source/pdf/pdf-parse.c`
			`+++ mupdf-1.12.0-source/source/pdf/pdf-parse.c`
			`@@ -457,7 +457,8 @@ pdf_parse_array(fz_context *ctx, pdf_doc`
			`break;`

			`default:`
			`- fz_throw(ctx, FZ_ERROR_SYNTAX, "cannot parse token in array");`
			`+ pdf_array_push_drop(ctx, ary, pdf_new_null(ctx, doc));`
			`+ break;`
			`}`
			`}`
			`end:`
			`@@ -547,10 +548,13 @@ pdf_parse_dict(fz_context *ctx, pdf_docu`
			`break;`
			`}`
			`}`
			`- fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid indirect reference in dict");`
			`+ fz_warn(ctx, "invalid indirect reference in dict");`
			`+ val = pdf_new_null(ctx, doc);`
			`+ break;`

			`default:`
			`- fz_throw(ctx, FZ_ERROR_SYNTAX, "unknown token in dict");`
			`+ val = pdf_new_null(ctx, doc);`
			`+ break;`
			`}`

			`pdf_dict_put(ctx, dict, key, val);`