CVE-2017-15369, CVE-2017-15587
This commit is contained in:
parent
3aae5268e0
commit
3de7e96196
|
@ -0,0 +1,45 @@
|
|||
From c2663e51238ec8256da7fc61ad580db891d9fe9a Mon Sep 17 00:00:00 2001
|
||||
From: Sebastian Rasmussen <sebras@gmail.com>
|
||||
Date: Mon, 25 Sep 2017 13:04:11 +0200
|
||||
Subject: [PATCH] Bug 698592: Mark variable fz_var(), avoiding optimization.
|
||||
|
||||
The change in 2707fa9e8e6d17d794330e719dec1b08161fb045
|
||||
in build_filter_chain() allows for the variable chain
|
||||
to reside in a register, which means that the bug is
|
||||
likely to only be visible if built under optimization.
|
||||
|
||||
First the chain variable is transferred to chain2, then
|
||||
set to NULL, then when an exception occurs in build_filter()
|
||||
the filter chain will be freed by build_filter(). Next
|
||||
the expectation is that execution proceeds to fz_catch()
|
||||
where fz_drop_stream() would be called with chain == NULL.
|
||||
|
||||
However due to the chain variable residing in a register,
|
||||
its value is not NULL as expected, but was reset to its
|
||||
original value upon the exception (since they use setjmp()),
|
||||
hence fz_drop_stream() is called with a non-NULL value.
|
||||
|
||||
Marking the chain variable with fz_var() prevents the
|
||||
compiler from allowing the chain variable to reside in
|
||||
a register and hence its value will remain NULL and
|
||||
never be reset.
|
||||
---
|
||||
source/pdf/pdf-stream.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
|
||||
index baf9f0a..56592b0 100644
|
||||
--- a/source/pdf/pdf-stream.c
|
||||
+++ b/source/pdf/pdf-stream.c
|
||||
@@ -246,6 +246,8 @@ build_filter_chain(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_obj
|
||||
pdf_obj *p;
|
||||
int i, n;
|
||||
|
||||
+ fz_var(chain);
|
||||
+
|
||||
fz_try(ctx)
|
||||
{
|
||||
n = pdf_array_len(ctx, fs);
|
||||
--
|
||||
2.9.1
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
From 82df2631d7d0446b206ea6b434ea609b6c28b0e8 Mon Sep 17 00:00:00 2001
|
||||
From: Tor Andersson <tor.andersson@artifex.com>
|
||||
Date: Mon, 16 Oct 2017 13:14:25 +0200
|
||||
Subject: [PATCH] Check for integer overflow when validating new style xref
|
||||
Index.
|
||||
|
||||
---
|
||||
source/pdf/pdf-xref.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
|
||||
index 66bd0ed..6292793 100644
|
||||
--- a/source/pdf/pdf-xref.c
|
||||
+++ b/source/pdf/pdf-xref.c
|
||||
@@ -924,7 +924,7 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, fz
|
||||
pdf_xref_entry *table;
|
||||
int i, n;
|
||||
|
||||
- if (i0 < 0 || i1 < 0)
|
||||
+ if (i0 < 0 || i1 < 0 || (i0+i1) < 0)
|
||||
fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
|
||||
//if (i0 + i1 > pdf_xref_len(ctx, doc))
|
||||
// fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
|
||||
--
|
||||
2.9.1
|
||||
|
10
mupdf.spec
10
mupdf.spec
|
@ -1,6 +1,6 @@
|
|||
Name: mupdf
|
||||
Version: 1.11
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
Summary: A lightweight PDF viewer and toolkit
|
||||
Group: Applications/Publishing
|
||||
License: GPLv3
|
||||
|
@ -13,6 +13,8 @@ BuildRequires: libjpeg-devel freetype-devel libXext-devel curl-devel
|
|||
BuildRequires: harfbuzz-devel
|
||||
BuildRequires: glfw-devel mesa-libGL-devel
|
||||
Patch0: %{name}-1.11-openjpeg.patch
|
||||
Patch1: %{name}-1.11-CVE-2017-15369.patch
|
||||
Patch2: %{name}-1.11-CVE-2017-15587.patch
|
||||
|
||||
|
||||
%description
|
||||
|
@ -44,6 +46,8 @@ applications that use mupdf and static libraries
|
|||
%setup -q -n %{name}-%{version}-source
|
||||
rm -rf thirdparty
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
|
||||
%build
|
||||
export XCFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
|
||||
|
@ -81,6 +85,10 @@ update-desktop-database &> /dev/null || :
|
|||
%{_libdir}/lib%{name}*.a
|
||||
|
||||
%changelog
|
||||
* Sat Nov 11 2017 Michael J Gruber <mjg@fedoraproject.org> - 1.11-9
|
||||
* CVE-2017-15369
|
||||
* CVE-2017-15587
|
||||
|
||||
* Sat Nov 11 2017 Michael J Gruber <mjg@fedoraproject.org> - 1.11-8
|
||||
* repair FTBFS from version specific patch in 412e729 ("New release 1.11", 2017-04-11)
|
||||
|
||||
|
|
Loading…
Reference in New Issue