From cb7346d5aef168fdfcd3106486a2136f5295b91c0482c9f6a1fbcc56743ebd96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= <ismail@i10z.com>
Date: Fri, 22 Jul 2016 11:16:08 +0000
Subject: [PATCH] - Add CVE-2016-6265.patch to fix a use-after-free bsc#990195

OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=39
---
 CVE-2016-6265.patch | 23 +++++++++++++++++++++++
 mupdf.changes       |  5 +++++
 mupdf.spec          |  2 ++
 3 files changed, 30 insertions(+)
 create mode 100644 CVE-2016-6265.patch

diff --git a/CVE-2016-6265.patch b/CVE-2016-6265.patch
new file mode 100644
index 0000000..595ef2b
--- /dev/null
+++ b/CVE-2016-6265.patch
@@ -0,0 +1,23 @@
+X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=source%2Fpdf%2Fpdf-xref.c;h=32225998178b7c4d465046ff5158a3796103d73d;hp=576c315de2a30cfd553652bfa82521edb07043c2;hb=fa1936405b6a84e5c9bb440912c23d532772f958;hpb=e98091d56afdf1cf6c9a017fa0bd35dd0b8968f0
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 576c315..3222599 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ 				fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i);
+ 		}
+ 		if (entry->type == 'o')
+-			if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')
+-				fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);
++		{
++			/* Read this into a local variable here, because pdf_get_xref_entry
++			 * may solidify the xref, hence invalidating "entry", meaning we
++			 * need a stashed value for the throw. */
++			fz_off_t ofs = entry->ofs;
++			if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')
++				fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);
++		}
+ 	}
+ }
+ 
diff --git a/mupdf.changes b/mupdf.changes
index 2b4daa4..ac23c26 100644
--- a/mupdf.changes
+++ b/mupdf.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Jul 22 11:02:28 UTC 2016 - idonmez@suse.com
+
+- Add CVE-2016-6265.patch to fix a use-after-free bsc#990195 
+
 -------------------------------------------------------------------
 Fri Apr 22 17:57:34 UTC 2016 - idonmez@suse.com
 
diff --git a/mupdf.spec b/mupdf.spec
index 09ac395..395fa79 100644
--- a/mupdf.spec
+++ b/mupdf.spec
@@ -29,6 +29,7 @@ Source1:        mupdf.desktop
 Source2:        mupdf.png
 # PATCH-FIX-OPENSUSE mupdf-fix-openjpeg2.patch gber@opensuse.org -- Fix build against openjpeg2 2.1 on openSUSE
 Patch0:         mupdf-fix-openjpeg2.patch
+Patch1:         CVE-2016-6265.patch
 BuildRequires:  freetype-devel
 BuildRequires:  gcc-c++
 BuildRequires:  jbig2dec-devel
@@ -69,6 +70,7 @@ based on mupdf.
 rm -rf $(ls -d thirdparty/*/ | grep -v mujs)
 
 %patch0 -p1
+%patch1 -p1
 
 mkdir docs/examples
 for src in docs/*.c; do