Fix buffer overflow in pdf-layer.c (#1439643)

2017-04-06 14:01:38 +02:00 · 2017-04-06 14:01:38 +02:00 · 20aa2225f8
parent 71ac78f599
commit 20aa2225f8
2 changed files with 51 additions and 1 deletions
--- a/mupdf-bz1439643.patch
+++ b/mupdf-bz1439643.patch
@ -0,0 +1,44 @@
+commit 2590fed7a355a421f062ebd4293df892800fa7ac
+Author: Sebastian Rasmussen <sebras@gmail.com>
+Date:   Thu Dec 1 17:15:27 2016 -0500
+
+    Bug 697400: Mark visited objects when counting OCG layer entries.
+
+diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c
+index 3296b6c..fc29c9d 100644
+--- a/source/pdf/pdf-layer.c
+++ b/source/pdf/pdf-layer.c
+@@ -90,7 +90,14 @@ count_entries(fz_context *ctx, pdf_obj *obj)
+ 	for (i = 0; i < len; i++)
+ 	{
+ 		pdf_obj *o = pdf_array_get(ctx, obj, i);
+-		count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
+		if (pdf_mark_obj(ctx, o))
+			continue;
+		fz_try(ctx)
+			count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
+		fz_always(ctx)
+			pdf_unmark_obj(ctx, o);
+		fz_catch(ctx)
+			fz_rethrow(ctx);
+ 	}
+ 	return count;
+ }
+@@ -106,7 +113,16 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
+ 		pdf_obj *o = pdf_array_get(ctx, order, i);
+ 		if (pdf_is_array(ctx, o))
+ 		{
+-			ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
+			if (pdf_mark_obj(ctx, o))
+				continue;
+
+			fz_try(ctx)
+				ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
+			fz_always(ctx)
+				pdf_unmark_obj(ctx, o);
+			fz_catch(ctx)
+				fz_rethrow(ctx);
+
+ 			continue;
+ 		}
+ 		ui->depth = depth;
--- a/mupdf.spec
+++ b/mupdf.spec
@ -1,6 +1,6 @@
 Name:           mupdf
 Version:        1.10a
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        A lightweight PDF viewer and toolkit
 Group:          Applications/Publishing
 License:        GPLv3
@ -15,6 +15,8 @@ Patch0:         %{name}-1.10a-openjpeg.patch
 ## https://bugzilla.redhat.com/show_bug.cgi?id=1425338
 Patch1:         %{name}-Bug-697500-Fix-NULL-ptr-access.patch
 Patch2:         %{name}-bug-697515-Fix-out-of-bounds-read-in-fz_subsample_pi.patch
+Patch3:         %{name}-bz1439643.patch
+

 %description
 MuPDF is a lightweight PDF viewer and toolkit written in portable C.
@ -47,6 +49,7 @@ rm -rf thirdparty
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1

 %build
 export CFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
@ -84,6 +87,9 @@ update-desktop-database &> /dev/null || :
 %{_libdir}/lib%{name}*.a

 %changelog
+* Thu Apr  6 2017 Pavel Zhukov <landgraf@fedoraproject.org> - 1.10a-5
+- Fix stack consumption CVE (#1439643)
+
 * Thu Mar  2 2017 Pavel Zhukov <landgraf@fedoraproject.org> - 1.10a-4
 - fix buffer overflow (#1425338)