rpm/mupdf
SHA256
1
0
Fork 0
forked from pool/mupdf
Code Pull Requests Activity

Accepting request 568499 from home:kbabioch:branches:Publishing

Browse Source 
- Add CVE-2018-17858.patch to fix an heap-based buffer overflow
  CVE-2018-17858 bsc#1077161

OBS-URL: https://build.opensuse.org/request/show/568499
OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=64
This commit is contained in:
Martin Pluskal 2018-01-23 09:32:39 +00:00 committed by Git OBS Bridge
parent c2a31ad6be
commit 65c179307c
3 changed files with 106 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
CVE-2017-17858.patch Normal file
View File

@ -0,0 +1,98 @@
From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Mon, 11 Dec 2017 14:09:15 +0100
Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below
limit.
This ensures that:
* xref tables with objects pointers do not grow out of bounds.
* other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf.
---
include/mupdf/pdf/object.h | 3 +++
source/pdf/pdf-repair.c | 5 +----
source/pdf/pdf-xref.c | 21 ++++++++++++---------
3 files changed, 16 insertions(+), 13 deletions(-)
Index: mupdf-1.12.0-source/include/mupdf/pdf/object.h
===================================================================
--- mupdf-1.12.0-source.orig/include/mupdf/pdf/object.h
+++ mupdf-1.12.0-source/include/mupdf/pdf/object.h
@@ -3,6 +3,9 @@
typedef struct pdf_document_s pdf_document;
+/* Defined in PDF 1.7 according to Acrobat limit. */
+#define PDF_MAX_OBJECT_NUMBER 8388607
+
/*
* Dynamic objects.
* The same type of objects as found in PDF and PostScript.
Index: mupdf-1.12.0-source/source/pdf/pdf-repair.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-repair.c
+++ mupdf-1.12.0-source/source/pdf/pdf-repair.c
@@ -6,9 +6,6 @@
/* Scan file for objects and reconstruct xref table */
-/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */
-#define MAX_OBJECT_NUMBER (10 << 20)
-
struct entry
{
int num;
@@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_doc
break;
}
- if (num <= 0 || num > MAX_OBJECT_NUMBER)
+ if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER)
{
fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen);
goto have_next_token;
Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c
+++ mupdf-1.12.0-source/source/pdf/pdf-xref.c
@@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_d
fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR);
}
- if (ofs < 0)
- fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs);
- if (ofs > INT64_MAX - len)
- fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big");
-
+ if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER
+ || len < 0 || len > PDF_MAX_OBJECT_NUMBER
+ || ofs + len - 1 > PDF_MAX_OBJECT_NUMBER)
+ {
+ fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
+ }
/* broken pdfs where size in trailer undershoots entries in xref sections */
if (ofs + len > xref_len)
{
@@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ct
pdf_xref_entry *table;
int i, n;
- if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1)
- fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
- //if (i0 + i1 > pdf_xref_len(ctx, doc))
- // fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
+ if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
table = pdf_xref_find_subsection(ctx, doc, i0, i1);
for (i = i0; i < i0 + i1; i++)
@@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_d
/* TODO: reuse free object slots by properly linking free object chains in the ofs field */
pdf_xref_entry *entry;
int num = pdf_xref_len(ctx, doc);
+
+ if (num > PDF_MAX_OBJECT_NUMBER)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in pdf");
+
entry = pdf_get_incremental_xref_entry(ctx, doc, num);
entry->type = 'f';
entry->ofs = -1;

6
mupdf.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Tue Jan 23 09:12:22 UTC 2018 - kbabioch@suse.com
- Add CVE-2018-17858.patch to fix an heap-based buffer overflow
CVE-2018-17858 bsc#1077161
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jan 22 12:20:48 UTC 2018 - idonmez@suse.com Mon Jan 22 12:20:48 UTC 2018 - idonmez@suse.com

2
mupdf.spec
View File

@ -29,6 +29,7 @@ Source1: mupdf.desktop
Source2: mupdf.png Source2: mupdf.png
Patch1: fix-openjpeg-flags.patch Patch1: fix-openjpeg-flags.patch
Patch2: CVE-2018-5686.patch Patch2: CVE-2018-5686.patch
Patch3: CVE-2017-17858.patch
BuildRequires: freetype-devel BuildRequires: freetype-devel
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: jbig2dec-devel BuildRequires: jbig2dec-devel
@ -66,6 +67,7 @@ based on mupdf.
%setup -q -n %{name}-%{version}-source %setup -q -n %{name}-%{version}-source
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
# do not use the inlined copies of build dpendencies except for mujs # do not use the inlined copies of build dpendencies except for mujs
rm -rf $(ls -d thirdparty/*/ | grep -v mujs) rm -rf $(ls -d thirdparty/*/ | grep -v mujs)