Accepting request 514182 from Publishing

- Add CVE-2016-10221.patch, CVE-2016-8728.patch and
  CVE-2017-7976.patch to fix CVE-2016-10221, CVE-2016-8728,
  CVE-2016-8729 and CVE-2017-7976
  bsc#1032140 bsc#1039850 bsc#1052029

OBS-URL: https://build.opensuse.org/request/show/514182
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mupdf?expand=0&rev=28
This commit is contained in:
Yuchen Lin 2017-08-12 17:33:06 +00:00 committed by Git OBS Bridge
commit fa1bcde0d3
5 changed files with 99 additions and 0 deletions

40
CVE-2016-10221.patch Normal file
View File

@ -0,0 +1,40 @@
X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=source%2Fpdf%2Fpdf-layer.c;h=fc29c9d3e78eefa823cf768a9a37c476ba6f7c20;hp=3296b6c5ad953a1050899ae01021be05b3b08fa3;hb=2590fed7a355a421f062ebd4293df892800fa7ac;hpb=ffc4b61e6baf7a4d4e34c8901ae78ffd57da2530
diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c
index 3296b6c..fc29c9d 100644
--- a/source/pdf/pdf-layer.c
+++ b/source/pdf/pdf-layer.c
@@ -90,7 +90,14 @@ count_entries(fz_context *ctx, pdf_obj *obj)
for (i = 0; i < len; i++)
{
pdf_obj *o = pdf_array_get(ctx, obj, i);
- count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
+ if (pdf_mark_obj(ctx, o))
+ continue;
+ fz_try(ctx)
+ count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
+ fz_always(ctx)
+ pdf_unmark_obj(ctx, o);
+ fz_catch(ctx)
+ fz_rethrow(ctx);
}
return count;
}
@@ -106,7 +113,16 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
pdf_obj *o = pdf_array_get(ctx, order, i);
if (pdf_is_array(ctx, o))
{
- ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
+ if (pdf_mark_obj(ctx, o))
+ continue;
+
+ fz_try(ctx)
+ ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
+ fz_always(ctx)
+ pdf_unmark_obj(ctx, o);
+ fz_catch(ctx)
+ fz_rethrow(ctx);
+
continue;
}
ui->depth = depth;

31
CVE-2016-8728.patch Normal file
View File

@ -0,0 +1,31 @@
Index: mupdf-1.10a-source/source/fitz/draw-scale-simple.c
===================================================================
--- mupdf-1.10a-source.orig/source/fitz/draw-scale-simple.c
+++ mupdf-1.10a-source/source/fitz/draw-scale-simple.c
@@ -1294,7 +1294,7 @@ scale_single_row(unsigned char * restric
tmp[j] = 128;
if (weights->flip)
{
- dst += (weights->count-1)*n;
+ dst += (weights->count-1)*nf;
for (i=weights->count; i > 0; i--)
{
min = *contrib++;
Index: mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
===================================================================
--- mupdf-1.10a-source.orig/thirdparty/jbig2dec/jbig2_image.c
+++ mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
@@ -38,6 +38,13 @@ jbig2_image_new(Jbig2Ctx *ctx, int width
int stride;
int64_t check;
+ if (width == 0 || height == 0) {
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
+ "zero width (%d) or height (%d) in jbig2_image_new",
+ width, height);
+ return NULL;
+ }
+
image = jbig2_new(ctx, Jbig2Image, 1);
if (image == NULL) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "could not allocate image structure in jbig2_image_new");

14
CVE-2017-7976.patch Normal file
View File

@ -0,0 +1,14 @@
Index: mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
===================================================================
--- mupdf-1.10a-source.orig/thirdparty/jbig2dec/jbig2_image.c
+++ mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2
/* general OR case */
s = ss;
d = dd = dst->data + y * dst->stride + leftbyte;
- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
+ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
}
if (leftbyte == rightbyte) {

View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Thu Aug 3 08:23:47 UTC 2017 - idonmez@suse.com
- Add CVE-2016-10221.patch, CVE-2016-8728.patch and
CVE-2017-7976.patch to fix CVE-2016-10221, CVE-2016-8728,
CVE-2016-8729 and CVE-2017-7976
bsc#1032140 bsc#1039850 bsc#1052029
-------------------------------------------------------------------
Mon May 29 14:46:49 UTC 2017 - bwiedemann@suse.com

View File

@ -37,6 +37,9 @@ Patch7: CVE-2017-5896.patch
Patch8: bsc1023760.patch
# PATCH-FIX-UPSTREAM https://bugs.ghostscript.com/show_bug.cgi?id=697958
Patch9: reproducible.patch
Patch10: CVE-2016-8728.patch
Patch11: CVE-2017-7976.patch
Patch12: CVE-2016-10221.patch
BuildRequires: freetype-devel
BuildRequires: gcc-c++
BuildRequires: jbig2dec-devel
@ -76,6 +79,9 @@ based on mupdf.
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
pushd ./thirdparty/mujs
%patch2 -p1