From 15f1cc451a45e56eab58ccb384d321d8a1e131ce Mon Sep 17 00:00:00 2001
From: Michael J Gruber
Date: Tue, 20 Dec 2022 15:12:32 +0100
Subject: [PATCH] fix png_write_band (rhbz#2154545) ... (gsbz#706227)
---
 mupdf-1.21.1-fix-png_write_band.patch | 50 +++++++++++++++++++++++++++
 mupdf.spec | 3 +-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 mupdf-1.21.1-fix-png_write_band.patch
diff --git a/mupdf-1.21.1-fix-png_write_band.patch b/mupdf-1.21.1-fix-png_write_band.patch
new file mode 100644
index 0000000..65f49b5
--- /dev/null
+++ b/mupdf-1.21.1-fix-png_write_band.patch
@@ -0,0 +1,50 @@
+From: Mamoru TASAKA
+Date: Sun, 18 Dec 2022 00:22:04 +0000 (+0900)
+Subject: Bug 706227: png_write_band: initialize stream before calling deflateBound
+X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff_plain;h=a76b4ed0d3a2c7e52bba2d6c10b44d11d5ade2fe
+
+Bug 706227: png_write_band: initialize stream before calling deflateBound
+
+zlib deflateBound manual says when calling this function,
+stream should have been initialized via a call to deflateInit_()
+or deflateInit2_(), so change so.
+
+Note that without this fix, "mutool draw -F png" segfaults on s390x,
+perhaps on big endian, uninitialized bytes of a value (which is
+not wholly initialized) is read, on the other hand, on little endian
+initialized bytes of the value is read, so it happens not to cause
+segfault.
+
+Fixes https://bugs.ghostscript.com/show_bug.cgi?id=706227
+---
+
+diff --git a/source/fitz/output-png.c b/source/fitz/output-png.c
+index 17279f913..979c75eeb 100644
+--- a/source/fitz/output-png.c
++++ b/source/fitz/output-png.c
+@@ -236,6 +236,12 @@ png_write_band(fz_context *ctx, fz_band_writer *writer_, int stride, int band_st
+ if (usize > SIZE_MAX / band_height)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "png data too large.");
+ usize *= band_height;
++ writer->stream.opaque = ctx;
++ writer->stream.zalloc = fz_zlib_alloc;
++ writer->stream.zfree = fz_zlib_free;
++ err = deflateInit(&writer->stream, Z_DEFAULT_COMPRESSION);
++ if (err != Z_OK)
++ fz_throw(ctx, FZ_ERROR_GENERIC, "compression error %d", err);
+ writer->usize = usize;
+ /* Now figure out how large a buffer we need to compress into.
+ * deflateBound always expands a bit, and it's limited by being
+@@ -245,12 +251,6 @@ png_write_band(fz_context *ctx, fz_band_writer *writer_, int stride, int band_st
+ writer->csize = UINT32_MAX;
+ writer->udata = Memento_label(fz_malloc(ctx, writer->usize), "png_write_udata");
+ writer->cdata = Memento_label(fz_malloc(ctx, writer->csize), "png_write_cdata");
+- writer->stream.opaque = ctx;
+- writer->stream.zalloc = fz_zlib_alloc;
+- writer->stream.zfree = fz_zlib_free;
+- err = deflateInit(&writer->stream, Z_DEFAULT_COMPRESSION);
+- if (err != Z_OK)
+- fz_throw(ctx, FZ_ERROR_GENERIC, "compression error %d", err);
+ }
+
+ dp = writer->udata;
diff --git a/mupdf.spec b/mupdf.spec
index ebd77e5..d1acd01 100644
--- a/mupdf.spec
+++ b/mupdf.spec
@@ -14,6 +14,7 @@ URL: http://mupdf.com/
 Source0: http://mupdf.com/downloads/archive/%{name}-%{upversion}-source.tar.gz
 Source1: %{name}.desktop
 Source2: %{name}-gl.desktop
+Patch: mupdf-1.21.1-fix-png_write_band.patch
 BuildRequires: gcc gcc-c++ make binutils desktop-file-utils coreutils pkgconfig
 BuildRequires: openjpeg2-devel desktop-file-utils
 BuildRequires: libjpeg-devel freetype-devel libXext-devel curl-devel
@@ -60,7 +61,7 @@ The mupdf-devel package contains header files for developing applications that use mupdf and static libraries %prep -%setup -q -n %{name}-%{upversion}-source +%autosetup -p1 -n %{name}-%{upversion}-source for d in $(ls thirdparty | grep -v -e extract -e freeglut -e lcms2 -e mujs) do rm -rf thirdparty/$d
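Review bot: The relocated deflateInit block in png_write_band (the six `++` lines of the output-png.c hunk at -236,6) has no comment saying why it must precede the buffer sizing, so a later tidy-up could move it back below the allocations and bring back the uninitialised read the commit message describes. I would add `/* deflateBound() requires a stream set up by deflateInit(); keep this ahead of the csize calculation. */` above `writer->stream.opaque = ctx;`. The new order also means deflateInit has already succeeded when the two `fz_malloc` calls run; their results are used unchecked, so they presumably throw on failure, and it is worth confirming that the band writer's drop path calls deflateEnd in that case so the zlib state is not leaked. png_write_band starts and ends outside the hunk, and neither the deflateBound call nor the cleanup code is visible here.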