From 1369417c55c3f463329cdd340033916e68030f87d38fe045851281d492bbc89e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Thu, 3 Aug 2017 08:30:44 +0000 Subject: [PATCH] - Add CVE-2016-10221.patch, CVE-2016-8728.patch and CVE-2017-7976.patch to fix CVE-2016-10221, CVE-2016-8728, CVE-2016-8729 and CVE-2017-7976 bsc#1032140 bsc#1039850 bsc#1052029 OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=56 --- CVE-2016-10221.patch | 40 ++++++++++++++++++++++++++++++++++++++++ CVE-2016-8728.patch | 31 +++++++++++++++++++++++++++++++ CVE-2017-7976.patch | 14 ++++++++++++++ mupdf.changes | 8 ++++++++ mupdf.spec | 6 ++++++ 5 files changed, 99 insertions(+) create mode 100644 CVE-2016-10221.patch create mode 100644 CVE-2016-8728.patch create mode 100644 CVE-2017-7976.patch diff --git a/CVE-2016-10221.patch b/CVE-2016-10221.patch new file mode 100644 index 0000000..a61d2b0 --- /dev/null +++ b/CVE-2016-10221.patch @@ -0,0 +1,40 @@ +X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=source%2Fpdf%2Fpdf-layer.c;h=fc29c9d3e78eefa823cf768a9a37c476ba6f7c20;hp=3296b6c5ad953a1050899ae01021be05b3b08fa3;hb=2590fed7a355a421f062ebd4293df892800fa7ac;hpb=ffc4b61e6baf7a4d4e34c8901ae78ffd57da2530 + +diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c +index 3296b6c..fc29c9d 100644 +--- a/source/pdf/pdf-layer.c ++++ b/source/pdf/pdf-layer.c +@@ -90,7 +90,14 @@ count_entries(fz_context *ctx, pdf_obj *obj) + for (i = 0; i < len; i++) + { + pdf_obj *o = pdf_array_get(ctx, obj, i); +- count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1); ++ if (pdf_mark_obj(ctx, o)) ++ continue; ++ fz_try(ctx) ++ count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1); ++ fz_always(ctx) ++ pdf_unmark_obj(ctx, o); ++ fz_catch(ctx) ++ fz_rethrow(ctx); + } + return count; + } +@@ -106,7 +113,16 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj * + pdf_obj *o = pdf_array_get(ctx, order, i); + if (pdf_is_array(ctx, o)) + { +- ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked); ++ if (pdf_mark_obj(ctx, o)) ++ continue; ++ ++ fz_try(ctx) ++ ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked); ++ fz_always(ctx) ++ pdf_unmark_obj(ctx, o); ++ fz_catch(ctx) ++ fz_rethrow(ctx); ++ + continue; + } + ui->depth = depth; diff --git a/CVE-2016-8728.patch b/CVE-2016-8728.patch new file mode 100644 index 0000000..69d1b7e --- /dev/null +++ b/CVE-2016-8728.patch @@ -0,0 +1,31 @@ +Index: mupdf-1.10a-source/source/fitz/draw-scale-simple.c +=================================================================== +--- mupdf-1.10a-source.orig/source/fitz/draw-scale-simple.c ++++ mupdf-1.10a-source/source/fitz/draw-scale-simple.c +@@ -1294,7 +1294,7 @@ scale_single_row(unsigned char * restric + tmp[j] = 128; + if (weights->flip) + { +- dst += (weights->count-1)*n; ++ dst += (weights->count-1)*nf; + for (i=weights->count; i > 0; i--) + { + min = *contrib++; +Index: mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c +=================================================================== +--- mupdf-1.10a-source.orig/thirdparty/jbig2dec/jbig2_image.c ++++ mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c +@@ -38,6 +38,13 @@ jbig2_image_new(Jbig2Ctx *ctx, int width + int stride; + int64_t check; + ++ if (width == 0 || height == 0) { ++ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, ++ "zero width (%d) or height (%d) in jbig2_image_new", ++ width, height); ++ return NULL; ++ } ++ + image = jbig2_new(ctx, Jbig2Image, 1); + if (image == NULL) { + jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "could not allocate image structure in jbig2_image_new"); diff --git a/CVE-2017-7976.patch b/CVE-2017-7976.patch new file mode 100644 index 0000000..f3886bc --- /dev/null +++ b/CVE-2017-7976.patch @@ -0,0 +1,14 @@ +Index: mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c +=================================================================== +--- mupdf-1.10a-source.orig/thirdparty/jbig2dec/jbig2_image.c ++++ mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c +@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2 + /* general OR case */ + s = ss; + d = dd = dst->data + y * dst->stride + leftbyte; +- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { ++ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride || ++ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) { + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); + } + if (leftbyte == rightbyte) { diff --git a/mupdf.changes b/mupdf.changes index e6e8ce9..9272760 100644 --- a/mupdf.changes +++ b/mupdf.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Aug 3 08:23:47 UTC 2017 - idonmez@suse.com + +- Add CVE-2016-10221.patch, CVE-2016-8728.patch and + CVE-2017-7976.patch to fix CVE-2016-10221, CVE-2016-8728, + CVE-2016-8729 and CVE-2017-7976 + bsc#1032140 bsc#1039850 bsc#1052029 + ------------------------------------------------------------------- Mon May 29 14:46:49 UTC 2017 - bwiedemann@suse.com diff --git a/mupdf.spec b/mupdf.spec index 78430d4..4be33bc 100644 --- a/mupdf.spec +++ b/mupdf.spec @@ -37,6 +37,9 @@ Patch7: CVE-2017-5896.patch Patch8: bsc1023760.patch # PATCH-FIX-UPSTREAM https://bugs.ghostscript.com/show_bug.cgi?id=697958 Patch9: reproducible.patch +Patch10: CVE-2016-8728.patch +Patch11: CVE-2017-7976.patch +Patch12: CVE-2016-10221.patch BuildRequires: freetype-devel BuildRequires: gcc-c++ BuildRequires: jbig2dec-devel @@ -76,6 +79,9 @@ based on mupdf. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 pushd ./thirdparty/mujs %patch2 -p1