Accepting request 572053 from home:kbabioch:branches:Publishing

- Add CVE-2018-6544.patch to fix a DoS in pdf_load_obj_stm within in pdf/pdf-xref.c (CVE-2018-6544 boo#1079100) - Add CVE-2018-6192.patch to fix a DoS in pdf_read_new_xref within pdf/pdf-xref.c via crafted PDF file (CVE-2018-6192 boo#1077755) OBS-URL: https://build.opensuse.org/request/show/572053 OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=68
2018-02-02 15:44:48 +00:00 · 2018-02-02 15:44:48 +00:00 · 0f2117f19d
commit 0f2117f19d
parent bc5c7d9419
4 changed files with 157 additions and 0 deletions
--- a/CVE-2018-6192.patch
+++ b/CVE-2018-6192.patch
@ -0,0 +1,91 @@
+Index: mupdf-1.12.0-source/source/pdf/pdf-lex.c
+===================================================================
+--- mupdf-1.12.0-source.orig/source/pdf/pdf-lex.c
+++ mupdf-1.12.0-source/source/pdf/pdf-lex.c
+@@ -151,12 +151,21 @@ lex_number(fz_context *ctx, fz_stream *f
+ 	char *e = buf->scratch + buf->size - 1; /* leave space for zero terminator */
+ 	char *isreal = (c == '.' ? s : NULL);
+ 	int neg = (c == '-');
+	int isbad = 0;
+ 
+ 	*s++ = c;
+ 
+	c = fz_read_byte(ctx, f);
+
+	/* skip extra '-' signs at start of number */
+	if (neg)
+	{
+		while (c == '-')
+			c = fz_read_byte(ctx, f);
+	}
+
+ 	while (s < e)
+ 	{
+-		c = fz_read_byte(ctx, f);
+ 		switch (c)
+ 		{
+ 		case IS_WHITE:
+@@ -165,21 +174,27 @@ lex_number(fz_context *ctx, fz_stream *f
+ 			goto end;
+ 		case EOF:
+ 			goto end;
+-		case '-':
+-			neg++;
+-			*s++ = c;
+-			break;
+ 		case '.':
+			if (isreal)
+				isbad = 1;
+ 			isreal = s;
+-			/* Fall through */
+			*s++ = c;
+			break;
+		case RANGE_0_9:
+			*s++ = c;
+			break;
+ 		default:
+			isbad = 1;
+ 			*s++ = c;
+ 			break;
+ 		}
+		c = fz_read_byte(ctx, f);
+ 	}
+ 
+ end:
+ 	*s = '\0';
+	if (isbad)
+		return PDF_TOK_ERROR;
+ 	if (isreal)
+ 	{
+ 		/* We'd like to use the fastest possible atof
+
+Index: mupdf-1.12.0-source/source/pdf/pdf-parse.c
+===================================================================
+--- mupdf-1.12.0-source.orig/source/pdf/pdf-parse.c
+++ mupdf-1.12.0-source/source/pdf/pdf-parse.c
+@@ -457,7 +457,8 @@ pdf_parse_array(fz_context *ctx, pdf_doc
+ 				break;
+ 
+ 			default:
+-				fz_throw(ctx, FZ_ERROR_SYNTAX, "cannot parse token in array");
+				pdf_array_push_drop(ctx, ary, pdf_new_null(ctx, doc));
+				break;
+ 			}
+ 		}
+ end:
+@@ -547,10 +548,13 @@ pdf_parse_dict(fz_context *ctx, pdf_docu
+ 						break;
+ 					}
+ 				}
+-				fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid indirect reference in dict");
+				fz_warn(ctx, "invalid indirect reference in dict");
+				val = pdf_new_null(ctx, doc);
+				break;
+ 
+ 			default:
+-				fz_throw(ctx, FZ_ERROR_SYNTAX, "unknown token in dict");
+				val = pdf_new_null(ctx, doc);
+				break;
+ 			}
+ 
+ 			pdf_dict_put(ctx, dict, key, val);
--- a/CVE-2018-6544.patch
+++ b/CVE-2018-6544.patch
@ -0,0 +1,53 @@
+Index: mupdf-1.12.0-source/source/pdf/pdf-stream.c
+===================================================================
+--- mupdf-1.12.0-source.orig/source/pdf/pdf-stream.c
+++ mupdf-1.12.0-source/source/pdf/pdf-stream.c
+@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_
+ 		*orig_gen = 0;
+ 	}
+ 
+-	fz_var(chain);
+	chain = fz_keep_stream(ctx, chain);
+ 
+ 	fz_try(ctx)
+ 	{
+ 		len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length));
+ 
+-		/* don't close chain when we close this filter */
+-		chain2 = fz_keep_stream(ctx, chain);
+		chain2 = chain;
+ 		chain = NULL;
+ 		chain = fz_open_null(ctx, chain2, len, offset);
+ 
+Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c
+===================================================================
+--- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c
+++ mupdf-1.12.0-source/source/pdf/pdf-xref.c
+@@ -1595,6 +1595,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do
+ 	{
+ 		objstm = pdf_load_object(ctx, doc, num);
+ 
+		if (pdf_obj_marked(ctx, objstm))
+			fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup");
+	}
+	fz_catch(ctx)
+	{
+		pdf_drop_obj(ctx, objstm);
+		fz_rethrow(ctx);
+	}
+
+	fz_try(ctx)
+	{
+		pdf_mark_obj(ctx, objstm);
+
+ 		count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
+ 		first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
+ 
+@@ -1674,6 +1687,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do
+ 		fz_drop_stream(ctx, stm);
+ 		fz_free(ctx, ofsbuf);
+ 		fz_free(ctx, numbuf);
+		pdf_unmark_obj(ctx, objstm);
+ 		pdf_drop_obj(ctx, objstm);
+ 	}
+ 	fz_catch(ctx)
--- a/mupdf.changes
+++ b/mupdf.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Feb  2 14:58:40 UTC 2018 - kbabioch@suse.com
+
+- Add CVE-2018-6544.patch to fix a DoS in pdf_load_obj_stm within in
+  pdf/pdf-xref.c (CVE-2018-6544 boo#1079100)
+
+- Add CVE-2018-6192.patch to fix a DoS in pdf_read_new_xref within
+  pdf/pdf-xref.c via crafted PDF file (CVE-2018-6192 boo#1077755)
+
 -------------------------------------------------------------------
 Fri Feb  2 07:52:06 UTC 2018 - kbabioch@suse.com

--- a/mupdf.spec
+++ b/mupdf.spec
@ -31,6 +31,8 @@ Patch1:         fix-openjpeg-flags.patch
 Patch2:         CVE-2018-5686.patch
 Patch3:         CVE-2017-17858.patch
 Patch4:         CVE-2018-6187.patch
+Patch5:         CVE-2018-6192.patch
+Patch6:         CVE-2018-6544.patch
 BuildRequires:  freetype-devel
 BuildRequires:  gcc-c++
 BuildRequires:  jbig2dec-devel
@ -70,6 +72,8 @@ based on mupdf.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1

 # do not use the inlined copies of build dpendencies except for mujs
 rm -rf $(ls -d thirdparty/*/ | grep -v mujs)