CVE-2021-3407 (bz #1931964, bz#1931965)

2021-02-23 21:12:30 +01:00 · 2021-02-23 21:12:30 +01:00 · bf6f961ab9
parent 44f3b8465a
commit bf6f961ab9
2 changed files with 56 additions and 1 deletions
--- a/0001-Bug-703366-Fix-double-free-of-object-during-lineariz.patch
+++ b/0001-Bug-703366-Fix-double-free-of-object-during-lineariz.patch
@ -0,0 +1,49 @@
+From cee7cefc610d42fd383b3c80c12cbc675443176a Mon Sep 17 00:00:00 2001
+Message-Id: <cee7cefc610d42fd383b3c80c12cbc675443176a.1614110865.git.mjg@fedoraproject.org>
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Fri, 22 Jan 2021 17:05:15 +0000
+Subject: [PATCH] Bug 703366: Fix double free of object during linearization.
+
+This appears to happen because we parse an illegal object from
+a broken file and assign it to object 0, which is defined to
+be free.
+
+Here, we fix the parsing code so this can't happen.
+---
+ source/pdf/pdf-parse.c | 6 ++++++
+ source/pdf/pdf-xref.c  | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
+index 7abc8c3d4..5761c3351 100644
+--- a/source/pdf/pdf-parse.c
+++ b/source/pdf/pdf-parse.c
+@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
+ 		fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num);
+ 	}
+ 	gen = buf->i;
+	if (gen < 0 || gen >= 65536)
+	{
+		if (try_repair)
+			*try_repair = 1;
+		fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen);
+	}
+ 
+ 	tok = pdf_lex(ctx, file, buf);
+ 	if (tok != PDF_TOK_OBJ)
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 1b2bdcd59..30197b4b8 100644
+--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
+@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ 	{
+ 		ofs = fz_tell(ctx, doc->file);
+ 		trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL);
+		if (num == 0)
+			fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n");
+ 	}
+ 	fz_catch(ctx)
+ 	{
+-- 
+2.30.1.724.gc30ef96fb6
+
--- a/mupdf.spec
+++ b/mupdf.spec
@ -5,7 +5,7 @@

 Name:           mupdf
 Version:        1.18.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        A lightweight PDF viewer and toolkit
 License:        AGPLv3+
 URL:            http://mupdf.com/
@ -31,6 +31,7 @@ Provides:       bundled(freeglut-devel) = 3.0.0
 # version so bundling them is the safer choice.
 Provides:       bundled(mujs-devel) = 1.0.9
 Patch1:		0001-support-PyMuPDF.patch
+Patch2:		0001-Bug-703366-Fix-double-free-of-object-during-lineariz.patch

 %description
 MuPDF is a lightweight PDF viewer and toolkit written in portable C.
@ -63,6 +64,8 @@ do
  rm -rf thirdparty/$d
 done
 %patch1 -p1
+%patch2 -p1
+
 echo > user.make "\
  USE_SYSTEM_FREETYPE := yes
  USE_SYSTEM_HARFBUZZ := yes
@ -110,6 +113,9 @@ cd %{buildroot}/%{_bindir} && ln -s %{name}-x11 %{name}
 %{_libdir}/lib%{name}*.a

 %changelog
+* Tue Feb 23 2021 Michael J Gruber <mjg@fedoraproject.org> - 1.18.0-5
+- CVE-2021-3407 (bz #1931964, bz#1931965)
+
 * Tue Jan 26 2021 Michael J Gruber <mjg@fedoraproject.org> - 1.18.0-4
 - (original date: Thu Oct 29 2020)
 - remove obsolete patch