From 20aa2225f8be1b53089897f9fb5fe631f20aa8e8 Mon Sep 17 00:00:00 2001
From: Pavel Zhukov
Date: Thu, 6 Apr 2017 14:01:38 +0200
Subject: [PATCH] Fix buffer overflow in pdf-layer.c (#1439643)
---
 mupdf-bz1439643.patch | 44 +++++++++++++++++++++++++++++++++++++++++++
 mupdf.spec | 8 +++++++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 mupdf-bz1439643.patch
diff --git a/mupdf-bz1439643.patch b/mupdf-bz1439643.patch
new file mode 100644
index 0000000..5879c61
--- /dev/null
+++ b/mupdf-bz1439643.patch
@@ -0,0 +1,44 @@
+commit 2590fed7a355a421f062ebd4293df892800fa7ac
+Author: Sebastian Rasmussen
+Date: Thu Dec 1 17:15:27 2016 -0500
+
+ Bug 697400: Mark visited objects when counting OCG layer entries.
+
+diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c
+index 3296b6c..fc29c9d 100644
+--- a/source/pdf/pdf-layer.c
++++ b/source/pdf/pdf-layer.c
+@@ -90,7 +90,14 @@ count_entries(fz_context *ctx, pdf_obj *obj)
+ for (i = 0; i < len; i++)
+ {
+ pdf_obj *o = pdf_array_get(ctx, obj, i);
+- count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
++ if (pdf_mark_obj(ctx, o))
++ continue;
++ fz_try(ctx)
++ count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
++ fz_always(ctx)
++ pdf_unmark_obj(ctx, o);
++ fz_catch(ctx)
++ fz_rethrow(ctx);
+ }
+ return count;
+ }
+@@ -106,7 +113,16 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
+ pdf_obj *o = pdf_array_get(ctx, order, i);
+ if (pdf_is_array(ctx, o))
+ {
+- ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
++ if (pdf_mark_obj(ctx, o))
++ continue;
++
++ fz_try(ctx)
++ ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
++ fz_always(ctx)
++ pdf_unmark_obj(ctx, o);
++ fz_catch(ctx)
++ fz_rethrow(ctx);
++
+ continue;
+ }
+ ui->depth = depth;
diff --git a/mupdf.spec b/mupdf.spec
index 36d048f..c7e0608 100644
--- a/mupdf.spec
+++ b/mupdf.spec
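Review bot: The two walks in the embedded pdf-layer.c patch do not skip the same objects: in `count_entries` the added `pdf_mark_obj(ctx, o)` check runs on every element, while in `populate_ui` it runs only inside the `pdf_is_array(ctx, o)` branch. If the count is what sizes the array that `populate_ui` fills (the allocation is outside these hunks, so this is inferred), an element that is already marked when counted is left out of the total but would still reach `ui->depth = depth;`, so the count could come out smaller than the number of entries written. Keeping the guard symmetric avoids relying on that never happening, e.g. `if (!pdf_is_array(ctx, o)) { count++; continue; }` ahead of the mark check, with `count += count_entries(ctx, o);` inside the `fz_try`. The mark is also cleared again in `fz_always`, so it only stops revisiting an array on the current path; nesting depth and the running total stay unbounded, and a short comment saying so above each guard would help the next reader. Both function bodies start and end outside the inner hunks.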
@@ -1,6 +1,6 @@ Name: mupdf Version: 1.10a -Release: 4%{?dist} +Release: 5%{?dist} Summary: A lightweight PDF viewer and toolkit Group: Applications/Publishing License: GPLv3 @@ -15,6 +15,8 @@ Patch0: %{name}-1.10a-openjpeg.patch ## https://bugzilla.redhat.com/show_bug.cgi?id=1425338 Patch1: %{name}-Bug-697500-Fix-NULL-ptr-access.patch Patch2: %{name}-bug-697515-Fix-out-of-bounds-read-in-fz_subsample_pi.patch +Patch3: %{name}-bz1439643.patch + %description MuPDF is a lightweight PDF viewer and toolkit written in portable C. @@ -47,6 +49,7 @@ rm -rf thirdparty %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 %build export CFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK" @@ -84,6 +87,9 @@ update-desktop-database &> /dev/null || : %{_libdir}/lib%{name}*.a %changelog +* Thu Apr 6 2017 Pavel Zhukov - 1.10a-5 +- Fix stack consumption CVE (#1439643) + * Thu Mar 2 2017 Pavel Zhukov - 1.10a-4 - fix buffer overflow (#1425338)