From 3da1a090e5c8cf59b21eb1809efb07d31e3b3103 Mon Sep 17 00:00:00 2001
From: Michael J Gruber
Date: Thu, 15 Nov 2018 10:01:19 +0100
Subject: [PATCH] bz #1626483 #1626484
---
 mupdf-CVE-2018-16647.patch | 77 ++++++++++++++++++++++++++++++++++++++
 mupdf.spec | 7 +++-
 2 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 mupdf-CVE-2018-16647.patch
diff --git a/mupdf-CVE-2018-16647.patch b/mupdf-CVE-2018-16647.patch
new file mode 100644
index 0000000..5b06974
--- /dev/null
+++ b/mupdf-CVE-2018-16647.patch
@@ -0,0 +1,77 @@
+From 351c99d8ce23bbf7099dbd52771a095f67e45a2c Mon Sep 17 00:00:00 2001
+Message-Id: <351c99d8ce23bbf7099dbd52771a095f67e45a2c.1542272011.git.mjg@fedoraproject.org>
+From: Sebastian Rasmussen
+Date: Mon, 1 Oct 2018 15:13:13 +0800
+Subject: [PATCH] Avoid being smart about keeping only a single reference to
+ the buffer.
+
+When pdf_dev_pop() is called it will drop the reference to the buffer.
+pdf_dev_push_new_buf() will either create a new buffer reference or take a reference to the existing buffer.
+When pdf_dev_pop() is called unbalance this creates a problem as the
+top level buffer will be unreferenced too many times.
+
+fails-32.pdf
+---
+ source/pdf/pdf-device.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c
+index 31a7a10f..0103e9a7 100644
+--- a/source/pdf/pdf-device.c
++++ b/source/pdf/pdf-device.c
+@@ -66,7 +66,6 @@ struct pdf_device_s
+ 
+ pdf_document *doc;
+ pdf_obj *resources;
+- fz_buffer *buffer;
+ 
+ int in_text;
+ 
+@@ -1061,7 +1060,10 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev)
+ int i;
+ 
+ for (i = pdev->num_gstates-1; i >= 0; i--)
++ {
++ fz_drop_buffer(ctx, pdev->gstates[i].buf);
+ fz_drop_stroke_state(ctx, pdev->gstates[i].stroke_state);
++ }
+ 
+ for (i = pdev->num_cid_fonts-1; i >= 0; i--)
+ fz_drop_font(ctx, pdev->cid_fonts[i]);
+@@ -1069,7 +1071,6 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev)
+ for (i = pdev->num_groups - 1; i >= 0; i--)
+ pdf_drop_obj(ctx, pdev->groups[i].ref);
+ 
+- fz_drop_buffer(ctx, pdev->buffer);
+ pdf_drop_obj(ctx, pdev->resources);
+ fz_free(ctx, pdev->cid_fonts);
+ fz_free(ctx, pdev->image_indices);
+@@ -1111,10 +1112,13 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, pdf_document *doc, fz_matrix topc
+ dev->super.begin_tile = pdf_dev_begin_tile;
+ dev->super.end_tile = pdf_dev_end_tile;
+ 
++ fz_var(buf);
++
+ fz_try(ctx)
+ {
+- dev->buffer = fz_keep_buffer(ctx, buf);
+- if (!buf)
++ if (buf)
++ buf = fz_keep_buffer(ctx, buf);
++ else
+ buf = fz_new_buffer(ctx, 256);
+ dev->doc = doc;
+ dev->resources = pdf_keep_obj(ctx, resources);
+@@ -1136,8 +1140,7 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, pdf_document *doc, fz_matrix topc
+ }
+ fz_catch(ctx)
+ {
+- if (dev->gstates && dev->buffer == NULL)
+- fz_drop_buffer(ctx, dev->gstates[0].buf);
++ fz_drop_buffer(ctx, buf);
+ fz_free(ctx, dev);
+ fz_rethrow(ctx);
+ }
+--
+2.19.1.1238.g4b45f61cc0
+
diff --git a/mupdf.spec b/mupdf.spec
index 33b0145..6c97667 100644
--- a/mupdf.spec
+++ b/mupdf.spec
@@ -1,6 +1,6 @@
 Name: mupdf
 Version: 1.14.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: A lightweight PDF viewer and toolkit
 Group: Applications/Publishing
 License: AGPLv3+
@@ -23,6 +23,7 @@ Provides: bundled(freeglut-devel) = 3.0.0
 # version so bundling them is the safer choice.
 Provides: bundled(mujs-devel) = 1.0.5
 Patch0: 0001-fix-build-on-big-endian.patch
+Patch1: mupdf-CVE-2018-16647.patch
 %description
 MuPDF is a lightweight PDF viewer and toolkit written in portable C.
@@ -56,6 +57,7 @@ do rm -rf thirdparty/$d
 done
 %patch0 -p1 -d thirdparty/lcms2
+%patch1 -p1
 echo > user.make "\
 USE_SYSTEM_FREETYPE := yes
 USE_SYSTEM_HARFBUZZ := yes
@@ -109,6 +111,9 @@ update-desktop-database &> /dev/null || :
 %{_libdir}/lib%{name}*.a
 %changelog
+* Thu Nov 15 2018 Michael J Gruber - 1.14.0-2
+- bz #1626483 #1626484
+
 * Thu Nov 15 2018 Michael J Gruber - 1.14.0-1
 - rebase to 1.14.0
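Review bot: The new `Patch1:` declaration carries no provenance, so the only record of what the patch fixes is its file name; the upstream commit id and the bug references are all on this page and belong next to the declaration, e.g. `# CVE-2018-16647: backport of upstream commit 351c99d8ce23bbf7099dbd52771a095f67e45a2c (rhbz#1626483, rhbz#1626484)` directly above `Patch1: mupdf-CVE-2018-16647.patch`. The changelog entry in the last hunk likewise names only the two bug ids, so `rpm -q --changelog` and CVE-tracking tooling will not find the CVE in the package metadata; `- fix CVE-2018-16647 (bz #1626483 #1626484)` would carry both. Whether the second bug id is fully resolved by this single patch is not visible here and is worth confirming against the tracker before the entry claims it.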