From cb7346d5aef168fdfcd3106486a2136f5295b91c0482c9f6a1fbcc56743ebd96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= <ismail@i10z.com> Date: Fri, 22 Jul 2016 11:16:08 +0000 Subject: [PATCH] - Add CVE-2016-6265.patch to fix a use-after-free bsc#990195 OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=39 --- CVE-2016-6265.patch | 23 +++++++++++++++++++++++ mupdf.changes | 5 +++++ mupdf.spec | 2 ++ 3 files changed, 30 insertions(+) create mode 100644 CVE-2016-6265.patch diff --git a/CVE-2016-6265.patch b/CVE-2016-6265.patch new file mode 100644 index 0000000..595ef2b --- /dev/null +++ b/CVE-2016-6265.patch @@ -0,0 +1,23 @@ +X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=source%2Fpdf%2Fpdf-xref.c;h=32225998178b7c4d465046ff5158a3796103d73d;hp=576c315de2a30cfd553652bfa82521edb07043c2;hb=fa1936405b6a84e5c9bb440912c23d532772f958;hpb=e98091d56afdf1cf6c9a017fa0bd35dd0b8968f0 + +diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c +index 576c315..3222599 100644 +--- a/source/pdf/pdf-xref.c ++++ b/source/pdf/pdf-xref.c +@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) + fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i); + } + if (entry->type == 'o') +- if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n') +- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i); ++ { ++ /* Read this into a local variable here, because pdf_get_xref_entry ++ * may solidify the xref, hence invalidating "entry", meaning we ++ * need a stashed value for the throw. */ ++ fz_off_t ofs = entry->ofs; ++ if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n') ++ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i); ++ } + } + } + diff --git a/mupdf.changes b/mupdf.changes index 2b4daa4..ac23c26 100644 --- a/mupdf.changes +++ b/mupdf.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Jul 22 11:02:28 UTC 2016 - idonmez@suse.com + +- Add CVE-2016-6265.patch to fix a use-after-free bsc#990195 + ------------------------------------------------------------------- Fri Apr 22 17:57:34 UTC 2016 - idonmez@suse.com diff --git a/mupdf.spec b/mupdf.spec index 09ac395..395fa79 100644 --- a/mupdf.spec +++ b/mupdf.spec @@ -29,6 +29,7 @@ Source1: mupdf.desktop Source2: mupdf.png # PATCH-FIX-OPENSUSE mupdf-fix-openjpeg2.patch gber@opensuse.org -- Fix build against openjpeg2 2.1 on openSUSE Patch0: mupdf-fix-openjpeg2.patch +Patch1: CVE-2016-6265.patch BuildRequires: freetype-devel BuildRequires: gcc-c++ BuildRequires: jbig2dec-devel @@ -69,6 +70,7 @@ based on mupdf. rm -rf $(ls -d thirdparty/*/ | grep -v mujs) %patch0 -p1 +%patch1 -p1 mkdir docs/examples for src in docs/*.c; do