- Add CVE-2016-10221.patch, CVE-2016-8728.patch and

CVE-2017-7976.patch to fix CVE-2016-10221, CVE-2016-8728, CVE-2016-8729 and CVE-2017-7976 bsc#1032140 bsc#1039850 bsc#1052029 OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=56
2017-08-03 08:30:44 +00:00 · 2017-08-03 08:30:44 +00:00 · 1369417c55
commit 1369417c55
parent 40f06adcc0
5 changed files with 99 additions and 0 deletions
--- a/CVE-2016-10221.patch
+++ b/CVE-2016-10221.patch
@ -0,0 +1,40 @@
+X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=source%2Fpdf%2Fpdf-layer.c;h=fc29c9d3e78eefa823cf768a9a37c476ba6f7c20;hp=3296b6c5ad953a1050899ae01021be05b3b08fa3;hb=2590fed7a355a421f062ebd4293df892800fa7ac;hpb=ffc4b61e6baf7a4d4e34c8901ae78ffd57da2530
+
+diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c
+index 3296b6c..fc29c9d 100644
+--- a/source/pdf/pdf-layer.c
+++ b/source/pdf/pdf-layer.c
+@@ -90,7 +90,14 @@ count_entries(fz_context *ctx, pdf_obj *obj)
+ 	for (i = 0; i < len; i++)
+ 	{
+ 		pdf_obj *o = pdf_array_get(ctx, obj, i);
+-		count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
+		if (pdf_mark_obj(ctx, o))
+			continue;
+		fz_try(ctx)
+			count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
+		fz_always(ctx)
+			pdf_unmark_obj(ctx, o);
+		fz_catch(ctx)
+			fz_rethrow(ctx);
+ 	}
+ 	return count;
+ }
+@@ -106,7 +113,16 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
+ 		pdf_obj *o = pdf_array_get(ctx, order, i);
+ 		if (pdf_is_array(ctx, o))
+ 		{
+-			ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
+			if (pdf_mark_obj(ctx, o))
+				continue;
+
+			fz_try(ctx)
+				ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
+			fz_always(ctx)
+				pdf_unmark_obj(ctx, o);
+			fz_catch(ctx)
+				fz_rethrow(ctx);
+
+ 			continue;
+ 		}
+ 		ui->depth = depth;
--- a/CVE-2016-8728.patch
+++ b/CVE-2016-8728.patch
@ -0,0 +1,31 @@
+Index: mupdf-1.10a-source/source/fitz/draw-scale-simple.c
+===================================================================
+--- mupdf-1.10a-source.orig/source/fitz/draw-scale-simple.c
+++ mupdf-1.10a-source/source/fitz/draw-scale-simple.c
+@@ -1294,7 +1294,7 @@ scale_single_row(unsigned char * restric
+ 		tmp[j] = 128;
+ 	if (weights->flip)
+ 	{
+-		dst += (weights->count-1)*n;
+		dst += (weights->count-1)*nf;
+ 		for (i=weights->count; i > 0; i--)
+ 		{
+ 			min = *contrib++;
+Index: mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
+===================================================================
+--- mupdf-1.10a-source.orig/thirdparty/jbig2dec/jbig2_image.c
+++ mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
+@@ -38,6 +38,13 @@ jbig2_image_new(Jbig2Ctx *ctx, int width
+     int stride;
+     int64_t check;
+ 
+    if (width == 0 || height == 0) {
+        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
+            "zero width (%d) or height (%d) in jbig2_image_new",
+            width, height);
+        return NULL;
+    }
+
+     image = jbig2_new(ctx, Jbig2Image, 1);
+     if (image == NULL) {
+         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "could not allocate image structure in jbig2_image_new");
--- a/CVE-2017-7976.patch
+++ b/CVE-2017-7976.patch
@ -0,0 +1,14 @@
+Index: mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
+===================================================================
+--- mupdf-1.10a-source.orig/thirdparty/jbig2dec/jbig2_image.c
+++ mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
+@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2
+     /* general OR case */
+     s = ss;
+     d = dd = dst->data + y * dst->stride + leftbyte;
+-    if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
+        s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
+         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
+     }
+     if (leftbyte == rightbyte) {
--- a/mupdf.changes
+++ b/mupdf.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug  3 08:23:47 UTC 2017 - idonmez@suse.com
+
+- Add CVE-2016-10221.patch, CVE-2016-8728.patch and
+  CVE-2017-7976.patch to fix CVE-2016-10221, CVE-2016-8728,
+  CVE-2016-8729 and CVE-2017-7976
+  bsc#1032140 bsc#1039850 bsc#1052029
+
 -------------------------------------------------------------------
 Mon May 29 14:46:49 UTC 2017 - bwiedemann@suse.com

--- a/mupdf.spec
+++ b/mupdf.spec
@ -37,6 +37,9 @@ Patch7:         CVE-2017-5896.patch
 Patch8:         bsc1023760.patch
 # PATCH-FIX-UPSTREAM https://bugs.ghostscript.com/show_bug.cgi?id=697958
 Patch9:         reproducible.patch
+Patch10:        CVE-2016-8728.patch
+Patch11:        CVE-2017-7976.patch
+Patch12:        CVE-2016-10221.patch
 BuildRequires:  freetype-devel
 BuildRequires:  gcc-c++
 BuildRequires:  jbig2dec-devel
@ -76,6 +79,9 @@ based on mupdf.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1

 pushd ./thirdparty/mujs
 %patch2 -p1