CVE-2018-6192 CVE-2018-6544 CVE-2018-1000051

- CVE-2018-6192 (rh bz #1539845 #1539846) (gs bz #698916)
 - CVE-2018-6544 (rh bz #1542264 #1542265) (gs bz #698830 #698965)
 - CVE-2018-1000051 (rh bz #1544847 #1544848) (gs bz #698825 #698873)

mupdf-1.12-CVE-2017-17858.patch

@@ -8,8 +8,6 @@ Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below
 This ensures that:
  * xref tables with objects pointers do not grow out of bounds.
  * other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf.
-
-Signed-off-by: Michael J Gruber <mjg@fedoraproject.org>
 ---
  include/mupdf/pdf/object.h |  3 +++
  source/pdf/pdf-repair.c    |  5 +----

mupdf-1.12-CVE-2018-1000051.patch

@@ -0,0 +1,80 @@
+From 321ba1de287016b0036bf4a56ce774ad11763384 Mon Sep 17 00:00:00 2001
+Message-Id: <321ba1de287016b0036bf4a56ce774ad11763384.1518616543.git.mjg@fedoraproject.org>
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Tue, 19 Dec 2017 23:47:47 +0100
+Subject: [PATCH] Bug 698825: Do not drop borrowed colorspaces.
+
+Previously the borrowed colorspace was dropped when updating annotation
+appearances, leading to use after free warnings from valgrind/ASAN.
+---
+ source/pdf/pdf-appearance.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/source/pdf/pdf-appearance.c b/source/pdf/pdf-appearance.c
+index 70f684f4..d7a1dddd 100644
+--- a/source/pdf/pdf-appearance.c
++++ b/source/pdf/pdf-appearance.c
+@@ -2170,7 +2170,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
+ 	fz_device *dev = NULL;
+ 	font_info font_rec;
+ 	fz_text *text = NULL;
+-	fz_colorspace *cs = NULL;
+ 	fz_matrix page_ctm;
+ 
+ 	pdf_page_transform(ctx, annot->page, NULL, &page_ctm);
+@@ -2184,11 +2183,11 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
+ 	fz_var(dlist);
+ 	fz_var(dev);
+ 	fz_var(text);
+-	fz_var(cs);
+ 	fz_try(ctx)
+ 	{
+ 		char *contents = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_Contents));
+ 		char *da = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_DA));
++		fz_colorspace *cs;
+ 		fz_point pos;
+ 		fz_rect rect;
+ 
+@@ -2223,7 +2222,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
+ 		fz_drop_display_list(ctx, dlist);
+ 		font_info_fin(ctx, &font_rec);
+ 		fz_drop_text(ctx, text);
+-		fz_drop_colorspace(ctx, cs);
+ 	}
+ 	fz_catch(ctx)
+ 	{
+@@ -2359,7 +2357,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
+ 	fz_device *dev = NULL;
+ 	font_info font_rec;
+ 	fz_text *text = NULL;
+-	fz_colorspace *cs = NULL;
+ 	fz_path *path = NULL;
+ 	fz_buffer *fzbuf = NULL;
+ 	fz_matrix page_ctm;
+@@ -2375,7 +2372,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
+ 	fz_var(dlist);
+ 	fz_var(dev);
+ 	fz_var(text);
+-	fz_var(cs);
+ 	fz_var(fzbuf);
+ 	fz_try(ctx)
+ 	{
+@@ -2384,6 +2380,7 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
+ 		fz_rect logo_bounds;
+ 		fz_matrix logo_tm;
+ 		fz_rect rect;
++		fz_colorspace *cs = fz_device_rgb(ctx); /* Borrowed reference */
+ 
+ 		pdf_to_rect(ctx, pdf_dict_get(ctx, annot->obj, PDF_NAME_Rect), &annot_rect);
+ 		rect = annot_rect;
+@@ -2396,7 +2393,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
+ 		fz_bound_path(ctx, path, NULL, &fz_identity, &logo_bounds);
+ 		center_rect_within_rect(&logo_bounds, &rect, &logo_tm);
+ 		fz_concat(&logo_tm, &logo_tm, &page_ctm);
+-		cs = fz_device_rgb(ctx); /* Borrowed reference */
+ 		fz_fill_path(ctx, dev, path, 0, &logo_tm, cs, logo_color, 1.0f, NULL);
+ 
+ 		get_font_info(ctx, doc, dr, da, &font_rec);
+-- 
+2.16.1.312.g365a692731
+

mupdf-1.12-CVE-2018-5686.patch

@@ -8,8 +8,6 @@ Once a stream has thrown an exception or reached EOF,
 don't allow further reading.
 
 The EOF flag is reset when fz_seek is invoked.
-
-Signed-off-by: Michael J Gruber <mjg@fedoraproject.org>
 ---
  include/mupdf/fitz/stream.h | 11 +++++++----
  1 file changed, 7 insertions(+), 4 deletions(-)

mupdf-1.12-CVE-2018-6187.patch

@@ -7,8 +7,6 @@ Subject: [PATCH] Bug 698908: Resize object use and renumbering lists after
 
 Previously repair might end up increasing xref_len, but the lists
 were not correspodingly expanded, leading to ASAN complaints.
-
-Signed-off-by: Michael J Gruber <mjg@fedoraproject.org>
 ---
  source/pdf/pdf-write.c | 13 +++++++++----
  1 file changed, 9 insertions(+), 4 deletions(-)

mupdf-1.12-CVE-2018-6192.patch

@@ -4,7 +4,6 @@ From: Sebastian Rasmussen <sebras@gmail.com>
 Date: Tue, 30 Jan 2018 02:05:57 +0100
 Subject: [PATCH] Bug 698916: Indirect object numbers must be in range.
 
-Signed-off-by: Michael J Gruber <mjg@fedoraproject.org>
 ---
  source/pdf/pdf-parse.c | 2 ++
  source/pdf/pdf-xref.c  | 4 ++--

mupdf-1.12-CVE-2018-6544-1.patch

@@ -0,0 +1,46 @@
+From 26527eef77b3e51c2258c8e40845bfbc015e405d Mon Sep 17 00:00:00 2001
+Message-Id: <26527eef77b3e51c2258c8e40845bfbc015e405d.1518616043.git.mjg@fedoraproject.org>
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Mon, 29 Jan 2018 02:00:48 +0100
+Subject: [PATCH] Bug 698830: Don't drop unkept stream if running out of error
+ stack.
+
+Under normal conditions where fz_keep_stream() is called inside
+fz_try() we may call fz_drop_stream() in fz_catch() upon exceptions.
+The issue comes when fz_keep_stream() has not yet been called but is
+dropped in fz_catch(). This happens in the PDF from the bug when
+fz_try() runs out of exception stack, and next the code in fz_catch()
+runs, dropping the caller's reference to the filter chain stream!
+
+The simplest way of fixing this it to always keep the filter chain
+stream before fz_try() is called. That way fz_catch() may drop the
+stream whether an exception has occurred or if the fz_try() ran out of
+exception stack.
+---
+ source/pdf/pdf-stream.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
+index c89da5c4..c6ba7ad3 100644
+--- a/source/pdf/pdf-stream.c
++++ b/source/pdf/pdf-stream.c
+@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_ob
+ 		*orig_gen = 0;
+ 	}
+ 
+-	fz_var(chain);
++	chain = fz_keep_stream(ctx, chain);
+ 
+ 	fz_try(ctx)
+ 	{
+ 		len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length));
+ 
+-		/* don't close chain when we close this filter */
+-		chain2 = fz_keep_stream(ctx, chain);
++		chain2 = chain;
+ 		chain = NULL;
+ 		chain = fz_open_null(ctx, chain2, len, offset);
+ 
+-- 
+2.16.1.312.g365a692731
+

mupdf-1.12-CVE-2018-6544-2.patch

@@ -0,0 +1,54 @@
+From b03def134988da8c800adac1a38a41a1f09a1d89 Mon Sep 17 00:00:00 2001
+Message-Id: <b03def134988da8c800adac1a38a41a1f09a1d89.1518616030.git.mjg@fedoraproject.org>
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Thu, 1 Feb 2018 16:36:14 +0100
+Subject: [PATCH] Bug 698830: Avoid recursion when loading object streams
+ objects.
+
+If there were indirect references in the object stream dictionary and
+one of those indirect references referred to an object inside the object
+stream itself, mupdf would previously enter recursion only bounded by the
+exception stack. After this commit the object stream is checked if it is
+marked immediately after being loaded. If it is marked then we terminate
+the recursion at this point, if it is not marked then mark it and
+attempt to load the desired object within. We also take care to unmark
+the stream object when done or upon exception.
+---
+ source/pdf/pdf-xref.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 723b543c..ed09094c 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1576,6 +1576,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
+ 	{
+ 		objstm = pdf_load_object(ctx, doc, num);
+ 
++		if (pdf_obj_marked(ctx, objstm))
++			fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup");
++	}
++	fz_catch(ctx)
++	{
++		pdf_drop_obj(ctx, objstm);
++		fz_rethrow(ctx);
++	}
++
++	fz_try(ctx)
++	{
++		pdf_mark_obj(ctx, objstm);
++
+ 		count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
+ 		first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
+ 
+@@ -1655,6 +1668,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
+ 		fz_drop_stream(ctx, stm);
+ 		fz_free(ctx, ofsbuf);
+ 		fz_free(ctx, numbuf);
++		pdf_unmark_obj(ctx, objstm);
+ 		pdf_drop_obj(ctx, objstm);
+ 	}
+ 	fz_catch(ctx)
+-- 
+2.16.1.312.g365a692731
+

mupdf.spec

@@ -17,6 +17,9 @@ Patch1:         %{name}-1.12-CVE-2017-17858.patch
 Patch2:         %{name}-1.12-CVE-2018-5686.patch
 Patch3:         %{name}-1.12-CVE-2018-6187.patch
 Patch4:         %{name}-1.12-CVE-2018-6192.patch
+Patch5:         %{name}-1.12-CVE-2018-6544-1.patch
+Patch6:         %{name}-1.12-CVE-2018-6544-2.patch
+Patch7:         %{name}-1.12-CVE-2018-1000051.patch
 
 %description
 MuPDF is a lightweight PDF viewer and toolkit written in portable C.
@@ -51,6 +54,9 @@ rm -rf thirdparty
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
 
 %build
 export XCFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
@@ -90,6 +96,8 @@ update-desktop-database &> /dev/null || :
 %changelog
 * Wed Feb 14 2018 Michael J Gruber <mjg@fedoraproject.org> - 1.12.0-5
 - CVE-2018-6192 (rh bz #1539845 #1539846) (gs bz #698916)
+- CVE-2018-6544 (rh bz #1542264 #1542265) (gs bz #698830 #698965)
+- CVE-2018-1000051 (rh bz #1544847 #1544848) (gs bz #698825 #698873)
 
 * Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.12.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild