From a32e43e4eacdd543452846329c04eaeeb18cacd7dd36a3fa6f8cc718341641a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Sat, 3 Feb 2018 12:13:35 +0000
Subject: [PATCH] Accepting request 572213 from home:kbabioch:branches:Publishing

- CVE-2018-6192.patch: Use official fix from usptream (CVE-2018-6192 boo#1077755)
OBS-URL: https://build.opensuse.org/request/show/572213
OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=69
---
CVE-2018-6192.patch | 113 ++++++++++++--------------------------------
mupdf.changes | 6 +++
2 files changed, 36 insertions(+), 83 deletions(-)
diff --git a/CVE-2018-6192.patch b/CVE-2018-6192.patch
index d79fb58..f302c34 100644
--- a/CVE-2018-6192.patch
+++ b/CVE-2018-6192.patch
@@ -1,91 +1,38 @@ -Index: mupdf-1.12.0-source/source/pdf/pdf-lex.c -=================================================================== ---- mupdf-1.12.0-source.orig/source/pdf/pdf-lex.c -+++ mupdf-1.12.0-source/source/pdf/pdf-lex.c -@@ -151,12 +151,21 @@ lex_number(fz_context *ctx, fz_stream *f - char *e = buf->scratch + buf->size - 1; /* leave space for zero terminator */ - char *isreal = (c == '.' ? s : NULL); - int neg = (c == '-'); -+ int isbad = 0; - - *s++ = c; - -+ c = fz_read_byte(ctx, f); -+ -+ /* skip extra '-' signs at start of number */ -+ if (neg) -+ { -+ while (c == '-') -+ c = fz_read_byte(ctx, f); -+ } -+ - while (s < e) - { -- c = fz_read_byte(ctx, f); - switch (c) - { - case IS_WHITE: -@@ -165,21 +174,27 @@ lex_number(fz_context *ctx, fz_stream *f - goto end; - case EOF: - goto end; -- case '-': -- neg++; -- *s++ = c; -- break; - case '.': -+ if (isreal) -+ isbad = 1; - isreal = s; -- /* Fall through */ -+ *s++ = c; -+ break; -+ case RANGE_0_9: -+ *s++ = c; -+ break; - default: -+ isbad = 1; - *s++ = c; - break; - } -+ c = fz_read_byte(ctx, f); - } - - end: - *s = '\0'; -+ if (isbad) -+ return PDF_TOK_ERROR; - if (isreal) - { - /* We'd like to use the fastest possible atof +From 5e411a99604ff6be5db9e273ee84737204113299 Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Tue, 30 Jan 2018 02:05:57 +0100 +Subject: [PATCH] Bug 698916: Indirect object numbers must be in range. 
+ +--- + source/pdf/pdf-parse.c | 2 ++ + source/pdf/pdf-xref.c | 4 ++-- + 2 files changed, 4 insertions(+), 2 deletions(-) Index: mupdf-1.12.0-source/source/pdf/pdf-parse.c =================================================================== --- mupdf-1.12.0-source.orig/source/pdf/pdf-parse.c +++ mupdf-1.12.0-source/source/pdf/pdf-parse.c -@@ -457,7 +457,8 @@ pdf_parse_array(fz_context *ctx, pdf_doc - break; +@@ -616,6 +616,8 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_d + fz_throw(ctx, FZ_ERROR_SYNTAX, "expected object number"); + } + num = buf->i; ++ if (num < 0 || num > PDF_MAX_OBJECT_NUMBER) ++ fz_throw(ctx, FZ_ERROR_SYNTAX, "object number out of range"); - default: -- fz_throw(ctx, FZ_ERROR_SYNTAX, "cannot parse token in array"); -+ pdf_array_push_drop(ctx, ary, pdf_new_null(ctx, doc)); -+ break; - } - } - end: -@@ -547,10 +548,13 @@ pdf_parse_dict(fz_context *ctx, pdf_docu - break; - } - } -- fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid indirect reference in dict"); -+ fz_warn(ctx, "invalid indirect reference in dict"); -+ val = pdf_new_null(ctx, doc); -+ break; + tok = pdf_lex(ctx, file, buf); + if (tok != PDF_TOK_INT) +Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c +=================================================================== +--- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c ++++ mupdf-1.12.0-source/source/pdf/pdf-xref.c +@@ -234,8 +234,8 @@ pdf_xref_entry *pdf_get_populating_xref_ + } - default: -- fz_throw(ctx, FZ_ERROR_SYNTAX, "unknown token in dict"); -+ val = pdf_new_null(ctx, doc); -+ break; - } + /* Prevent accidental heap underflow */ +- if (num < 0) +- fz_throw(ctx, FZ_ERROR_GENERIC, "object number must not be negative (%d)", num); ++ if (num < 0 || num > PDF_MAX_OBJECT_NUMBER) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "object number out of range (%d)", num); - pdf_dict_put(ctx, dict, key, val); + /* Return the pointer to the entry in the last section. */ + xref = &doc->xref_sections[doc->num_xref_sections-1]; 
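Review bot: In the pdf_parse_ind_obj hunk of the new patch, the range check runs on `num` only after `num = buf->i;`. If `buf->i` is wider than `num` (neither declaration is visible here), an oversized value could be narrowed into range before it is compared. Testing the lexer value first, `if (buf->i < 0 || buf->i > PDF_MAX_OBJECT_NUMBER)`, would not depend on that conversion. In the pdf-xref.c hunk the retained comment `/* Prevent accidental heap underflow */` now covers only the lower half of the condition; `/* Reject object numbers outside [0, PDF_MAX_OBJECT_NUMBER] */` would match it, and the pdf-parse.c message could print the value with `(%d)` as the xref one does. Both functions continue outside the lines shown. Because this replaces the earlier downstream patch that touched pdf-lex.c and the array/dict parsers, the boo#1077755 reproducer should be re-run against the upstream-only fix.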
diff --git a/mupdf.changes b/mupdf.changes index 6804e75..015b5c3 100644 --- a/mupdf.changes +++ b/mupdf.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Feb 2 20:48:34 UTC 2018 - kbabioch@suse.com + +- CVE-2018-6192.patch: Use official fix from usptream (CVE-2018-6192 + boo#1077755) + ------------------------------------------------------------------- Fri Feb 2 14:58:40 UTC 2018 - kbabioch@suse.com