- Add CVE-2016-6265.patch to fix a use-after-free bsc#990195

OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=39
2016-07-22 11:16:08 +00:00 · 2016-07-22 11:16:08 +00:00 · cb7346d5ae
commit cb7346d5ae
parent 419ab3e4a0
3 changed files with 30 additions and 0 deletions
--- a/CVE-2016-6265.patch
+++ b/CVE-2016-6265.patch
@ -0,0 +1,23 @@
+X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=source%2Fpdf%2Fpdf-xref.c;h=32225998178b7c4d465046ff5158a3796103d73d;hp=576c315de2a30cfd553652bfa82521edb07043c2;hb=fa1936405b6a84e5c9bb440912c23d532772f958;hpb=e98091d56afdf1cf6c9a017fa0bd35dd0b8968f0
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 576c315..3222599 100644
+--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
+@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ 				fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i);
+ 		}
+ 		if (entry->type == 'o')
+-			if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')
+-				fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);
+		{
+			/* Read this into a local variable here, because pdf_get_xref_entry
+			 * may solidify the xref, hence invalidating "entry", meaning we
+			 * need a stashed value for the throw. */
+			fz_off_t ofs = entry->ofs;
+			if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')
+				fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);
+		}
+ 	}
+ }
+ 
--- a/mupdf.changes
+++ b/mupdf.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Jul 22 11:02:28 UTC 2016 - idonmez@suse.com
+
+- Add CVE-2016-6265.patch to fix a use-after-free bsc#990195 
+
 -------------------------------------------------------------------
 Fri Apr 22 17:57:34 UTC 2016 - idonmez@suse.com

--- a/mupdf.spec
+++ b/mupdf.spec
@ -29,6 +29,7 @@ Source1:        mupdf.desktop
 Source2:        mupdf.png
 # PATCH-FIX-OPENSUSE mupdf-fix-openjpeg2.patch gber@opensuse.org -- Fix build against openjpeg2 2.1 on openSUSE
 Patch0:         mupdf-fix-openjpeg2.patch
+Patch1:         CVE-2016-6265.patch
 BuildRequires:  freetype-devel
 BuildRequires:  gcc-c++
 BuildRequires:  jbig2dec-devel
@ -69,6 +70,7 @@ based on mupdf.
 rm -rf $(ls -d thirdparty/*/ | grep -v mujs)

 %patch0 -p1
+%patch1 -p1

 mkdir docs/examples
 for src in docs/*.c; do