fix png_write_band (rhbz#2154545)

... (gsbz#706227)
Michael J Gruber 2022-12-20 15:12:32 +01:00
parent 4383cdfe1f
commit 15f1cc451a
2 changed files with 52 additions and 1 deletions


@ -0,0 +1,50 @@
From: Mamoru TASAKA <mtasaka@fedoraproject.org>
Date: Sun, 18 Dec 2022 00:22:04 +0000 (+0900)
Subject: Bug 706227: png_write_band: initialize stream before calling deflateBound
X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff_plain;h=a76b4ed0d3a2c7e52bba2d6c10b44d11d5ade2fe
Bug 706227: png_write_band: initialize stream before calling deflateBound
zlib deflateBound manual says when calling this function,
stream should have been initialized via a call to deflateInit_()
or deflateInit2_(), so change so.
Note that without this fix, "mutool draw -F png" segfaults on s390x,
perhaps on big endian, uninitialized bytes of a value (which is
not wholly initialized) is read, on the other hand, on little endian
initialized bytes of the value is read, so it happens not to cause
segfault.
Fixes https://bugs.ghostscript.com/show_bug.cgi?id=706227
---
diff --git a/source/fitz/output-png.c b/source/fitz/output-png.c
index 17279f913..979c75eeb 100644
--- a/source/fitz/output-png.c
+++ b/source/fitz/output-png.c
@@ -236,6 +236,12 @@ png_write_band(fz_context *ctx, fz_band_writer *writer_, int stride, int band_st
if (usize > SIZE_MAX / band_height)
fz_throw(ctx, FZ_ERROR_GENERIC, "png data too large.");
usize *= band_height;
+ writer->stream.opaque = ctx;
+ writer->stream.zalloc = fz_zlib_alloc;
+ writer->stream.zfree = fz_zlib_free;
+ err = deflateInit(&writer->stream, Z_DEFAULT_COMPRESSION);
+ if (err != Z_OK)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "compression error %d", err);
writer->usize = usize;
/* Now figure out how large a buffer we need to compress into.
* deflateBound always expands a bit, and it's limited by being
@@ -245,12 +251,6 @@ png_write_band(fz_context *ctx, fz_band_writer *writer_, int stride, int band_st
writer->csize = UINT32_MAX;
writer->udata = Memento_label(fz_malloc(ctx, writer->usize), "png_write_udata");
writer->cdata = Memento_label(fz_malloc(ctx, writer->csize), "png_write_cdata");
- writer->stream.opaque = ctx;
- writer->stream.zalloc = fz_zlib_alloc;
- writer->stream.zfree = fz_zlib_free;
- err = deflateInit(&writer->stream, Z_DEFAULT_COMPRESSION);
- if (err != Z_OK)
- fz_throw(ctx, FZ_ERROR_GENERIC, "compression error %d", err);
}
dp = writer->udata;
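Review bot: With deflateInit() moved ahead of the two fz_malloc() calls, a failed allocation of udata or cdata now leaves an initialised zlib stream behind, so the writer's cleanup path must call deflateEnd() in that case. That path is not visible in this patch and should be confirmed. The moved block also deserves a comment so the ordering is not reverted later, for example `/* deflateBound() reads the stream state, so deflateInit() must run first. */` above `writer->stream.opaque = ctx;`. png_write_band starts before and continues after the lines shown.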


@ -14,6 +14,7 @@ URL: http://mupdf.com/
Source0: http://mupdf.com/downloads/archive/%{name}-%{upversion}-source.tar.gz
Source1: %{name}.desktop
Source2: %{name}-gl.desktop
Patch: mupdf-1.21.1-fix-png_write_band.patch
BuildRequires: gcc gcc-c++ make binutils desktop-file-utils coreutils pkgconfig
BuildRequires: openjpeg2-devel desktop-file-utils
BuildRequires: libjpeg-devel freetype-devel libXext-devel curl-devel
@ -60,7 +61,7 @@ The mupdf-devel package contains header files for developing
applications that use mupdf and static libraries
%prep
%setup -q -n %{name}-%{upversion}-source
%autosetup -p1 -n %{name}-%{upversion}-source
for d in $(ls thirdparty | grep -v -e extract -e freeglut -e lcms2 -e mujs)
do
rm -rf thirdparty/$d