Bring F26 branch back to sane state

F26 had deviated from master/branch due to individual "rebuild commits"
("we" still use distgit as if it were cvs).

Bring back the F27/master state so that all current security fixes are
in F26, and future fixes can be built on top efficiently.

Branching in Fedora is hard, it seems...

.gitignore

@@ -10,3 +10,4 @@
 /mupdf-1.7a-source.tar.gz
 /mupdf-1.8-source.tar.gz
 /mupdf-1.10a-source.tar.gz
+/mupdf-1.11-source.tar.gz

mupdf-1.10a-openjpeg.patch

@@ -1,31 +0,0 @@
---- a/source/fitz/load-jpx.c                                                                                                                                                                                        
-+++ b/source/fitz/load-jpx.c
-@@ -484,13 +484,18 @@
- /* Without the definition of OPJ_STATIC, compilation fails on windows
-  * due to the use of __stdcall. We believe it is required on some
-  * linux toolchains too. */
-+
-+#ifdef __cplusplus
-+extern "C"
-+{
- #define OPJ_STATIC
- #ifndef _MSC_VER
- #define OPJ_HAVE_STDINT_H
- #endif
-+#endif
- 
--#include <openjpeg.h>
--
-+#include <openjpeg-2.1/openjpeg.h>
-+    
- /* OpenJPEG does not provide a safe mechanism to intercept
-  * allocations. In the latest version all allocations go
-  * though opj_malloc etc, but no context is passed around.
-@@ -972,3 +977,7 @@
- }
- 
- #endif /* HAVE_LURATECH */
-+
-+#ifdef __cplusplus                                                                                                                                                                                                 
-+}                                                                                                                                                                                                                  
-+#endif

mupdf-1.11-CVE-2017-15369.patch

@@ -0,0 +1,45 @@
+From c2663e51238ec8256da7fc61ad580db891d9fe9a Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Mon, 25 Sep 2017 13:04:11 +0200
+Subject: [PATCH] Bug 698592: Mark variable fz_var(), avoiding optimization.
+
+The change in 2707fa9e8e6d17d794330e719dec1b08161fb045
+in build_filter_chain() allows for the variable chain
+to reside in a register, which means that the bug is
+likely to only be visible if built under optimization.
+
+First the chain variable is transferred to chain2, then
+set to NULL, then when an exception occurs in build_filter()
+the filter chain will be freed by build_filter(). Next
+the expectation is that execution proceeds to fz_catch()
+where fz_drop_stream() would be called with chain == NULL.
+
+However due to the chain variable residing in a register,
+its value is not NULL as expected, but was reset to its
+original value upon the exception (since they use setjmp()),
+hence fz_drop_stream() is called with a non-NULL value.
+
+Marking the chain variable with fz_var() prevents the
+compiler from allowing the chain variable to reside in
+a register and hence its value will remain NULL and
+never be reset.
+---
+ source/pdf/pdf-stream.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
+index baf9f0a..56592b0 100644
+--- a/source/pdf/pdf-stream.c
++++ b/source/pdf/pdf-stream.c
+@@ -246,6 +246,8 @@ build_filter_chain(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_obj
+ 	pdf_obj *p;
+ 	int i, n;
+ 
++	fz_var(chain);
++
+ 	fz_try(ctx)
+ 	{
+ 		n = pdf_array_len(ctx, fs);
+-- 
+2.9.1
+

mupdf-1.11-CVE-2017-15587.patch

@@ -0,0 +1,26 @@
+From 82df2631d7d0446b206ea6b434ea609b6c28b0e8 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Mon, 16 Oct 2017 13:14:25 +0200
+Subject: [PATCH] Check for integer overflow when validating new style xref
+ Index.
+
+---
+ source/pdf/pdf-xref.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 66bd0ed..6292793 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -924,7 +924,7 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, fz
+ 	pdf_xref_entry *table;
+ 	int i, n;
+ 
+-	if (i0 < 0 || i1 < 0)
++	if (i0 < 0 || i1 < 0 || (i0+i1) < 0)
+ 		fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+ 	//if (i0 + i1 > pdf_xref_len(ctx, doc))
+ 	//	fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
+-- 
+2.9.1
+

mupdf-1.11-openjpeg.patch

@@ -0,0 +1,31 @@
+diff --git i/source/fitz/load-jpx.c w/source/fitz/load-jpx.c
+index d01de585..9934e47a 100644
+--- i/source/fitz/load-jpx.c
++++ w/source/fitz/load-jpx.c
+@@ -443,12 +443,15 @@ fz_load_jpx_info(fz_context *ctx, unsigned char *data, size_t size, int *wp, int
+ }
+ 
+ #else /* HAVE_LURATECH */
+-
++#ifdef __cplusplus
++extern "C"
++{
+ #define OPJ_STATIC
+ #define OPJ_HAVE_INTTYPES_H
+ #if !defined(_WIN32) && !defined(_WIN64)
+ #define OPJ_HAVE_STDINT_H
+ #endif
++#endif
+ #define USE_JPIP
+ 
+ #include <openjpeg.h>
+@@ -920,6 +923,9 @@ fz_load_jpx_info(fz_context *ctx, unsigned char *data, size_t size, int *wp, int
+ }
+ 
+ #endif /* HAVE_LURATECH */
++#ifdef __cplusplus
++}
++#endif
+ 
+ #else /* FZ_ENABLE_JPX */
+ 

mupdf-Bug-697500-Fix-NULL-ptr-access.patch

@@ -1,91 +0,0 @@
-From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001
-From: Robin Watts <robin.watts@artifex.com>
-Date: Thu, 9 Feb 2017 15:49:15 +0000
-Subject: [PATCH 2/2] Bug 697500: Fix NULL ptr access.
-
-Cope better with errors during rendering - avoid letting the
-gstate stack get out of sync.
-
-This avoids us ever getting into the situation of popping
-a clip when we should be popping a mask or a group. This was
-causing an unexpected case in the painting.
----
- source/pdf/pdf-op-run.c | 26 ++++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
-index a3ea895..f1eac8d 100644
---- a/source/pdf/pdf-op-run.c
-+++ b/source/pdf/pdf-op-run.c
-@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
- 	pdf_run_processor *pr = (pdf_run_processor *)proc;
- 	pdf_gstate *gstate = NULL;
- 	int oldtop = 0;
-+	int oldbot = -1;
- 	fz_matrix local_transform = *transform;
- 	softmask_save softmask = { NULL };
- 	int gparent_save;
-@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
- 	fz_var(cleanup_state);
- 	fz_var(gstate);
- 	fz_var(oldtop);
-+	fz_var(oldbot);
- 
- 	gparent_save = pr->gparent;
- 	pr->gparent = pr->gtop;
-+	oldtop = pr->gtop;
- 
- 	fz_try(ctx)
- 	{
- 		pdf_gsave(ctx, pr);
- 
- 		gstate = pr->gstate + pr->gtop;
--		oldtop = pr->gtop;
- 
- 		pdf_xobject_bbox(ctx, xobj, &xobj_bbox);
- 		pdf_xobject_matrix(ctx, xobj, &xobj_matrix);
-@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
- 
- 		doc = pdf_get_bound_document(ctx, xobj->obj);
- 
-+		oldbot = pr->gbot;
-+		pr->gbot = pr->gtop;
-+
- 		pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj, NULL);
- 	}
- 	fz_always(ctx)
- 	{
-+		/* Undo any gstate mismatches due to the pdf_process_contents call */
-+		if (oldbot != -1)
-+		{
-+			while (pr->gtop > pr->gbot)
-+			{
-+				pdf_grestore(ctx, pr);
-+			}
-+			pr->gbot = oldbot;
-+		}
-+
- 		if (cleanup_state >= 3)
--			pdf_grestore(ctx, pr); /* Remove the clippath */
-+			pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */
- 
- 		/* wrap up transparency stacks */
- 		if (transparency)
-@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
- 		pr->gstate[pr->gparent].ctm = gparent_save_ctm;
- 		pr->gparent = gparent_save;
- 
--		if (gstate)
--		{
--			while (oldtop < pr->gtop)
--				pdf_grestore(ctx, pr);
--
-+		while (oldtop < pr->gtop)
- 			pdf_grestore(ctx, pr);
--		}
- 
- 		pdf_unmark_obj(ctx, xobj->obj);
- 	}
--- 
-2.9.3
-

mupdf-bug-697515-Fix-out-of-bounds-read-in-fz_subsample_pi.patch

@@ -1,51 +0,0 @@
-From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001
-From: Robin Watts <Robin.Watts@artifex.com>
-Date: Thu, 9 Feb 2017 07:12:16 -0800
-Subject: [PATCH 1/2] bug 697515: Fix out of bounds read in fz_subsample_pixmap
-
-Pointer arithmetic for final special case was going wrong.
----
- source/fitz/pixmap.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
-index a831712..f1291dc 100644
---- a/source/fitz/pixmap.c
-+++ b/source/fitz/pixmap.c
-@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
- 	"@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
- 	"ldr	r4, [r13,#4*22]		@ r4 = divXY			\n"
- 	"ldr	r5, [r13,#4*11]		@ for (nn = n; nn > 0; n--) {	\n"
-+	"ldr	r8, [r13,#4*17]		@ r8 = back4			\n"
- 	"18:				@				\n"
- 	"mov	r14,#0			@ r14= v = 0			\n"
- 	"sub	r5, r5, r1, LSL #8	@ for (xx = x; xx > 0; x--) {	\n"
-@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
- 	"mul	r14,r4, r14		@ r14= v *= divX		\n"
- 	"mov	r14,r14,LSR #16		@ r14= v >>= 16			\n"
- 	"strb	r14,[r9], #1		@ *d++ = r14			\n"
--	"sub	r0, r0, r8		@ s -= back2			\n"
-+	"sub	r0, r0, r8		@ s -= back4			\n"
- 	"subs	r5, r5, #1		@ n--				\n"
- 	"bgt	18b			@ }				\n"
- 	"21:				@				\n"
-@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
- 		x += f;
- 		if (x > 0)
- 		{
-+			int back4 = x * n - 1;
- 			div = x * y;
- 			for (nn = n; nn > 0; nn--)
- 			{
-@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
- 					s -= back5;
- 				}
- 				*d++ = v / div;
--				s -= back2;
-+				s -= back4;
- 			}
- 		}
- 	}
--- 
-2.9.3
-

mupdf-bz1439643.patch

@@ -1,44 +0,0 @@
-commit 2590fed7a355a421f062ebd4293df892800fa7ac
-Author: Sebastian Rasmussen <sebras@gmail.com>
-Date:   Thu Dec 1 17:15:27 2016 -0500
-
-    Bug 697400: Mark visited objects when counting OCG layer entries.
-
-diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c
-index 3296b6c..fc29c9d 100644
---- a/source/pdf/pdf-layer.c
-+++ b/source/pdf/pdf-layer.c
-@@ -90,7 +90,14 @@ count_entries(fz_context *ctx, pdf_obj *obj)
- 	for (i = 0; i < len; i++)
- 	{
- 		pdf_obj *o = pdf_array_get(ctx, obj, i);
--		count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
-+		if (pdf_mark_obj(ctx, o))
-+			continue;
-+		fz_try(ctx)
-+			count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
-+		fz_always(ctx)
-+			pdf_unmark_obj(ctx, o);
-+		fz_catch(ctx)
-+			fz_rethrow(ctx);
- 	}
- 	return count;
- }
-@@ -106,7 +113,16 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
- 		pdf_obj *o = pdf_array_get(ctx, order, i);
- 		if (pdf_is_array(ctx, o))
- 		{
--			ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
-+			if (pdf_mark_obj(ctx, o))
-+				continue;
-+
-+			fz_try(ctx)
-+				ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
-+			fz_always(ctx)
-+				pdf_unmark_obj(ctx, o);
-+			fz_catch(ctx)
-+				fz_rethrow(ctx);
-+
- 			continue;
- 		}
- 		ui->depth = depth;

mupdf.spec

@@ -1,6 +1,6 @@
 Name:           mupdf
-Version:        1.10a
-Release:        6%{?dist}
+Version:        1.11
+Release:        9%{?dist}
 Summary:        A lightweight PDF viewer and toolkit
 Group:          Applications/Publishing
 License:        GPLv3
@@ -11,11 +11,10 @@ BuildRequires:  gcc make binutils desktop-file-utils coreutils
 BuildRequires:  openjpeg2-devel jbig2dec-devel desktop-file-utils
 BuildRequires:  libjpeg-devel freetype-devel libXext-devel curl-devel
 BuildRequires:  harfbuzz-devel
-Patch0:         %{name}-1.10a-openjpeg.patch
-## https://bugzilla.redhat.com/show_bug.cgi?id=1425338
-Patch1:         %{name}-Bug-697500-Fix-NULL-ptr-access.patch
-Patch2:         %{name}-bug-697515-Fix-out-of-bounds-read-in-fz_subsample_pi.patch
-Patch3:         %{name}-bz1439643.patch
+BuildRequires:  glfw-devel mesa-libGL-devel
+Patch0:         %{name}-1.11-openjpeg.patch
+Patch1:         %{name}-1.11-CVE-2017-15369.patch
+Patch2:         %{name}-1.11-CVE-2017-15587.patch
 
 
 %description
@@ -49,14 +48,13 @@ rm -rf thirdparty
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
 
 %build
-export CFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
-make  %{?_smp_mflags} build=debug verbose=yes
+export XCFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
 
+make  %{?_smp_mflags}  build=debug verbose=yes HAVE_GLFW=yes SYS_GLFW_CFLAGS="-I%{_includedir}/GL -I%{_includedir}/GLFW" GLFW_LIBS="-lGL -lglfw"
 %install
-make DESTDIR=%{buildroot} install prefix=%{_prefix} libdir=%{_libdir} build=debug verbose=yes
+make DESTDIR=%{buildroot} install prefix=%{_prefix} libdir=%{_libdir} build=debug verbose=yes HAVE_GLFW=yes
 ## handle docs on our own
 rm -rf %{buildroot}/%{_docdir}
 desktop-file-install --dir=%{buildroot}%{_datadir}/applications %{SOURCE1}
@@ -87,6 +85,22 @@ update-desktop-database &> /dev/null || :
 %{_libdir}/lib%{name}*.a
 
 %changelog
+* Sat Nov 11 2017 Michael J Gruber <mjg@fedoraproject.org> - 1.11-9
+- CVE-2017-15369
+- CVE-2017-15587
+
+* Sat Nov 11 2017 Michael J Gruber <mjg@fedoraproject.org> - 1.11-8
+- repair FTBFS from version specific patch in 412e729 ("New release 1.11", 2017-04-11)
+
+* Sat Nov 11 2017 Michael J Gruber <mjg@fedoraproject.org> - 1.11-7
+- rebuild with jbig2dec 0.14 (#1456731)
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.11-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.11-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
 * Tue May  9 2017 Pavel Zhukov <landgraf@fedoraproject.org> - 1.10a-6
 - Rebuild with new jbig2dec(#1443933)
 

sources

@@ -1 +1 @@
-SHA512 (mupdf-1.10a-source.tar.gz) = 8c735963364985e74ceb38242afae555a3d2ee7c69abe3fe5c485e8613a83d996a58f231cb689a156019d431fa67d565503247d010b0a404054850483aed9fec
+SHA512 (mupdf-1.11-source.tar.gz) = 501670f540e298a8126806ebbd9db8b29866f663b7bbf26c9ade1933e42f0c00ad410b9d93f3ddbfb3e45c38722869095de28d832fe3fb3703c55cc9a01dbf63