Fix buffer overflow in pdf-layer.c (#1439643)
This commit is contained in:
parent
71ac78f599
commit
20aa2225f8
44
mupdf-bz1439643.patch
Normal file
44
mupdf-bz1439643.patch
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
commit 2590fed7a355a421f062ebd4293df892800fa7ac
|
||||||
|
Author: Sebastian Rasmussen <sebras@gmail.com>
|
||||||
|
Date: Thu Dec 1 17:15:27 2016 -0500
|
||||||
|
|
||||||
|
Bug 697400: Mark visited objects when counting OCG layer entries.
|
||||||
|
|
||||||
|
diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c
|
||||||
|
index 3296b6c..fc29c9d 100644
|
||||||
|
--- a/source/pdf/pdf-layer.c
|
||||||
|
+++ b/source/pdf/pdf-layer.c
|
||||||
|
@@ -90,7 +90,14 @@ count_entries(fz_context *ctx, pdf_obj *obj)
|
||||||
|
for (i = 0; i < len; i++)
|
||||||
|
{
|
||||||
|
pdf_obj *o = pdf_array_get(ctx, obj, i);
|
||||||
|
- count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
|
||||||
|
+ if (pdf_mark_obj(ctx, o))
|
||||||
|
+ continue;
|
||||||
|
+ fz_try(ctx)
|
||||||
|
+ count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
|
||||||
|
+ fz_always(ctx)
|
||||||
|
+ pdf_unmark_obj(ctx, o);
|
||||||
|
+ fz_catch(ctx)
|
||||||
|
+ fz_rethrow(ctx);
|
||||||
|
}
|
||||||
|
return count;
|
||||||
|
}
|
||||||
|
@@ -106,7 +113,16 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
|
||||||
|
pdf_obj *o = pdf_array_get(ctx, order, i);
|
||||||
|
if (pdf_is_array(ctx, o))
|
||||||
|
{
|
||||||
|
- ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
|
||||||
|
+ if (pdf_mark_obj(ctx, o))
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
+ fz_try(ctx)
|
||||||
|
+ ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
|
||||||
|
+ fz_always(ctx)
|
||||||
|
+ pdf_unmark_obj(ctx, o);
|
||||||
|
+ fz_catch(ctx)
|
||||||
|
+ fz_rethrow(ctx);
|
||||||
|
+
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
ui->depth = depth;
|
@ -1,6 +1,6 @@
|
|||||||
Name: mupdf
|
Name: mupdf
|
||||||
Version: 1.10a
|
Version: 1.10a
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
Summary: A lightweight PDF viewer and toolkit
|
Summary: A lightweight PDF viewer and toolkit
|
||||||
Group: Applications/Publishing
|
Group: Applications/Publishing
|
||||||
License: GPLv3
|
License: GPLv3
|
||||||
@ -15,6 +15,8 @@ Patch0: %{name}-1.10a-openjpeg.patch
|
|||||||
## https://bugzilla.redhat.com/show_bug.cgi?id=1425338
|
## https://bugzilla.redhat.com/show_bug.cgi?id=1425338
|
||||||
Patch1: %{name}-Bug-697500-Fix-NULL-ptr-access.patch
|
Patch1: %{name}-Bug-697500-Fix-NULL-ptr-access.patch
|
||||||
Patch2: %{name}-bug-697515-Fix-out-of-bounds-read-in-fz_subsample_pi.patch
|
Patch2: %{name}-bug-697515-Fix-out-of-bounds-read-in-fz_subsample_pi.patch
|
||||||
|
Patch3: %{name}-bz1439643.patch
|
||||||
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
MuPDF is a lightweight PDF viewer and toolkit written in portable C.
|
MuPDF is a lightweight PDF viewer and toolkit written in portable C.
|
||||||
@ -47,6 +49,7 @@ rm -rf thirdparty
|
|||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export CFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
|
export CFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
|
||||||
@ -84,6 +87,9 @@ update-desktop-database &> /dev/null || :
|
|||||||
%{_libdir}/lib%{name}*.a
|
%{_libdir}/lib%{name}*.a
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Apr 6 2017 Pavel Zhukov <landgraf@fedoraproject.org> - 1.10a-5
|
||||||
|
- Fix stack consumption CVE (#1439643)
|
||||||
|
|
||||||
* Thu Mar 2 2017 Pavel Zhukov <landgraf@fedoraproject.org> - 1.10a-4
|
* Thu Mar 2 2017 Pavel Zhukov <landgraf@fedoraproject.org> - 1.10a-4
|
||||||
- fix buffer overflow (#1425338)
|
- fix buffer overflow (#1425338)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user