rpm/mupdf
SHA256
1
0
Fork 0
forked from pool/mupdf
Code Pull Requests Activity

Accepting request 572053 from home:kbabioch:branches:Publishing

Browse Source 
- Add CVE-2018-6544.patch to fix a DoS in pdf_load_obj_stm within in
  pdf/pdf-xref.c (CVE-2018-6544 boo#1079100)
- Add CVE-2018-6192.patch to fix a DoS in pdf_read_new_xref within
  pdf/pdf-xref.c via crafted PDF file (CVE-2018-6192 boo#1077755)

OBS-URL: https://build.opensuse.org/request/show/572053
OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=68
This commit is contained in:
Martin Pluskal 2018-02-02 15:44:48 +00:00 committed by Git OBS Bridge
parent bc5c7d9419
commit 0f2117f19d
4 changed files with 157 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
CVE-2018-6192.patch Normal file
View File

@ -0,0 +1,91 @@
Index: mupdf-1.12.0-source/source/pdf/pdf-lex.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-lex.c
+++ mupdf-1.12.0-source/source/pdf/pdf-lex.c
@@ -151,12 +151,21 @@ lex_number(fz_context *ctx, fz_stream *f
char *e = buf->scratch + buf->size - 1; /* leave space for zero terminator */
char *isreal = (c == '.' ? s : NULL);
int neg = (c == '-');
+ int isbad = 0;
*s++ = c;
+ c = fz_read_byte(ctx, f);
+
+ /* skip extra '-' signs at start of number */
+ if (neg)
+ {
+ while (c == '-')
+ c = fz_read_byte(ctx, f);
+ }
+
while (s < e)
{
- c = fz_read_byte(ctx, f);
switch (c)
{
case IS_WHITE:
@@ -165,21 +174,27 @@ lex_number(fz_context *ctx, fz_stream *f
goto end;
case EOF:
goto end;
- case '-':
- neg++;
- *s++ = c;
- break;
case '.':
+ if (isreal)
+ isbad = 1;
isreal = s;
- /* Fall through */
+ *s++ = c;
+ break;
+ case RANGE_0_9:
+ *s++ = c;
+ break;
default:
+ isbad = 1;
*s++ = c;
break;
}
+ c = fz_read_byte(ctx, f);
}
end:
*s = '\0';
+ if (isbad)
+ return PDF_TOK_ERROR;
if (isreal)
{
/* We'd like to use the fastest possible atof
Index: mupdf-1.12.0-source/source/pdf/pdf-parse.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-parse.c
+++ mupdf-1.12.0-source/source/pdf/pdf-parse.c
@@ -457,7 +457,8 @@ pdf_parse_array(fz_context *ctx, pdf_doc
break;
default:
- fz_throw(ctx, FZ_ERROR_SYNTAX, "cannot parse token in array");
+ pdf_array_push_drop(ctx, ary, pdf_new_null(ctx, doc));
+ break;
}
}
end:
@@ -547,10 +548,13 @@ pdf_parse_dict(fz_context *ctx, pdf_docu
break;
}
}
- fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid indirect reference in dict");
+ fz_warn(ctx, "invalid indirect reference in dict");
+ val = pdf_new_null(ctx, doc);
+ break;
default:
- fz_throw(ctx, FZ_ERROR_SYNTAX, "unknown token in dict");
+ val = pdf_new_null(ctx, doc);
+ break;
}
pdf_dict_put(ctx, dict, key, val);

53
CVE-2018-6544.patch Normal file
View File

@ -0,0 +1,53 @@
Index: mupdf-1.12.0-source/source/pdf/pdf-stream.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-stream.c
+++ mupdf-1.12.0-source/source/pdf/pdf-stream.c
@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_
*orig_gen = 0;
}
- fz_var(chain);
+ chain = fz_keep_stream(ctx, chain);
fz_try(ctx)
{
len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length));
- /* don't close chain when we close this filter */
- chain2 = fz_keep_stream(ctx, chain);
+ chain2 = chain;
chain = NULL;
chain = fz_open_null(ctx, chain2, len, offset);
Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c
+++ mupdf-1.12.0-source/source/pdf/pdf-xref.c
@@ -1595,6 +1595,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do
{
objstm = pdf_load_object(ctx, doc, num);
+ if (pdf_obj_marked(ctx, objstm))
+ fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup");
+ }
+ fz_catch(ctx)
+ {
+ pdf_drop_obj(ctx, objstm);
+ fz_rethrow(ctx);
+ }
+
+ fz_try(ctx)
+ {
+ pdf_mark_obj(ctx, objstm);
+
count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
@@ -1674,6 +1687,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do
fz_drop_stream(ctx, stm);
fz_free(ctx, ofsbuf);
fz_free(ctx, numbuf);
+ pdf_unmark_obj(ctx, objstm);
pdf_drop_obj(ctx, objstm);
}
fz_catch(ctx)

9
mupdf.changes
View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Fri Feb 2 14:58:40 UTC 2018 - kbabioch@suse.com
- Add CVE-2018-6544.patch to fix a DoS in pdf_load_obj_stm within in
pdf/pdf-xref.c (CVE-2018-6544 boo#1079100)
- Add CVE-2018-6192.patch to fix a DoS in pdf_read_new_xref within
pdf/pdf-xref.c via crafted PDF file (CVE-2018-6192 boo#1077755)
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Feb 2 07:52:06 UTC 2018 - kbabioch@suse.com Fri Feb 2 07:52:06 UTC 2018 - kbabioch@suse.com

4
mupdf.spec
View File

@ -31,6 +31,8 @@ Patch1: fix-openjpeg-flags.patch
Patch2: CVE-2018-5686.patch Patch2: CVE-2018-5686.patch
Patch3: CVE-2017-17858.patch Patch3: CVE-2017-17858.patch
Patch4: CVE-2018-6187.patch Patch4: CVE-2018-6187.patch
Patch5: CVE-2018-6192.patch
Patch6: CVE-2018-6544.patch
BuildRequires: freetype-devel BuildRequires: freetype-devel
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: jbig2dec-devel BuildRequires: jbig2dec-devel
@ -70,6 +72,8 @@ based on mupdf.
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
%patch6 -p1
# do not use the inlined copies of build dpendencies except for mujs # do not use the inlined copies of build dpendencies except for mujs
rm -rf $(ls -d thirdparty/*/ | grep -v mujs) rm -rf $(ls -d thirdparty/*/ | grep -v mujs)