rpms/mupdf
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bz #1626483 #1626484

Browse Source
This commit is contained in:
Michael J Gruber 2018-11-15 10:01:19 +01:00
parent 7eeedaa6df
commit 3da1a090e5
2 changed files with 83 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
mupdf-CVE-2018-16647.patch Normal file
View File

@ -0,0 +1,77 @@
From 351c99d8ce23bbf7099dbd52771a095f67e45a2c Mon Sep 17 00:00:00 2001
Message-Id: <351c99d8ce23bbf7099dbd52771a095f67e45a2c.1542272011.git.mjg@fedoraproject.org>
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Mon, 1 Oct 2018 15:13:13 +0800
Subject: [PATCH] Avoid being smart about keeping only a single reference to
the buffer.
When pdf_dev_pop() is called it will drop the reference to the buffer.
pdf_dev_push_new_buf() will either create a new buffer reference or take a reference to the existing buffer.
When pdf_dev_pop() is called unbalance this creates a problem as the
top level buffer will be unreferenced too many times.
fails-32.pdf
---
source/pdf/pdf-device.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c
index 31a7a10f..0103e9a7 100644
--- a/source/pdf/pdf-device.c
+++ b/source/pdf/pdf-device.c
@@ -66,7 +66,6 @@ struct pdf_device_s
pdf_document *doc;
pdf_obj *resources;
- fz_buffer *buffer;
int in_text;
@@ -1061,7 +1060,10 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev)
int i;
for (i = pdev->num_gstates-1; i >= 0; i--)
+ {
+ fz_drop_buffer(ctx, pdev->gstates[i].buf);
fz_drop_stroke_state(ctx, pdev->gstates[i].stroke_state);
+ }
for (i = pdev->num_cid_fonts-1; i >= 0; i--)
fz_drop_font(ctx, pdev->cid_fonts[i]);
@@ -1069,7 +1071,6 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev)
for (i = pdev->num_groups - 1; i >= 0; i--)
pdf_drop_obj(ctx, pdev->groups[i].ref);
- fz_drop_buffer(ctx, pdev->buffer);
pdf_drop_obj(ctx, pdev->resources);
fz_free(ctx, pdev->cid_fonts);
fz_free(ctx, pdev->image_indices);
@@ -1111,10 +1112,13 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, pdf_document *doc, fz_matrix topc
dev->super.begin_tile = pdf_dev_begin_tile;
dev->super.end_tile = pdf_dev_end_tile;
+ fz_var(buf);
+
fz_try(ctx)
{
- dev->buffer = fz_keep_buffer(ctx, buf);
- if (!buf)
+ if (buf)
+ buf = fz_keep_buffer(ctx, buf);
+ else
buf = fz_new_buffer(ctx, 256);
dev->doc = doc;
dev->resources = pdf_keep_obj(ctx, resources);
@@ -1136,8 +1140,7 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, pdf_document *doc, fz_matrix topc
}
fz_catch(ctx)
{
- if (dev->gstates && dev->buffer == NULL)
- fz_drop_buffer(ctx, dev->gstates[0].buf);
+ fz_drop_buffer(ctx, buf);
fz_free(ctx, dev);
fz_rethrow(ctx);
}
--
2.19.1.1238.g4b45f61cc0

7
mupdf.spec
View File

@ -1,6 +1,6 @@
Name: mupdf
Version: 1.14.0
Release: 1%{?dist}
Release: 2%{?dist}
Summary: A lightweight PDF viewer and toolkit
Group: Applications/Publishing
License: AGPLv3+
@ -23,6 +23,7 @@ Provides: bundled(freeglut-devel) = 3.0.0
# version so bundling them is the safer choice.
Provides: bundled(mujs-devel) = 1.0.5
Patch0: 0001-fix-build-on-big-endian.patch
Patch1: mupdf-CVE-2018-16647.patch
%description
MuPDF is a lightweight PDF viewer and toolkit written in portable C.
@ -56,6 +57,7 @@ do
rm -rf thirdparty/$d
done
%patch0 -p1 -d thirdparty/lcms2
%patch1 -p1
echo > user.make "\
USE_SYSTEM_FREETYPE := yes
USE_SYSTEM_HARFBUZZ := yes
@ -109,6 +111,9 @@ update-desktop-database &> /dev/null || :
%{_libdir}/lib%{name}*.a
%changelog
* Thu Nov 15 2018 Michael J Gruber <mjg@fedoraproject.org> - 1.14.0-2
- bz #1626483 #1626484
* Thu Nov 15 2018 Michael J Gruber <mjg@fedoraproject.org> - 1.14.0-1
- rebase to 1.14.0