From bf6f961ab91eb4250e000e61f62332931ef670f6 Mon Sep 17 00:00:00 2001 From: Michael J Gruber Date: Tue, 23 Feb 2021 21:12:30 +0100 Subject: [PATCH] CVE-2021-3407 (bz #1931964, bz#1931965) --- ...ouble-free-of-object-during-lineariz.patch | 49 +++++++++++++++++++ mupdf.spec | 8 ++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 0001-Bug-703366-Fix-double-free-of-object-during-lineariz.patch diff --git a/0001-Bug-703366-Fix-double-free-of-object-during-lineariz.patch b/0001-Bug-703366-Fix-double-free-of-object-during-lineariz.patch new file mode 100644 index 0000000..1664c14 --- /dev/null +++ b/0001-Bug-703366-Fix-double-free-of-object-during-lineariz.patch @@ -0,0 +1,49 @@ +From cee7cefc610d42fd383b3c80c12cbc675443176a Mon Sep 17 00:00:00 2001 +Message-Id: +From: Robin Watts +Date: Fri, 22 Jan 2021 17:05:15 +0000 +Subject: [PATCH] Bug 703366: Fix double free of object during linearization. + +This appears to happen because we parse an illegal object from +a broken file and assign it to object 0, which is defined to +be free. + +Here, we fix the parsing code so this can't happen. +--- + source/pdf/pdf-parse.c | 6 ++++++ + source/pdf/pdf-xref.c | 2 ++ + 2 files changed, 8 insertions(+) + +diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c +index 7abc8c3d4..5761c3351 100644 +--- a/source/pdf/pdf-parse.c ++++ b/source/pdf/pdf-parse.c +@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc, + fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num); + } + gen = buf->i; ++ if (gen < 0 || gen >= 65536) ++ { ++ if (try_repair) ++ *try_repair = 1; ++ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen); ++ } + + tok = pdf_lex(ctx, file, buf); + if (tok != PDF_TOK_OBJ) +diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c +index 1b2bdcd59..30197b4b8 100644 +--- a/source/pdf/pdf-xref.c ++++ b/source/pdf/pdf-xref.c +@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) + { + ofs = fz_tell(ctx, doc->file); + trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL); ++ if (num == 0) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n"); + } + fz_catch(ctx) + { +-- +2.30.1.724.gc30ef96fb6 + diff --git a/mupdf.spec b/mupdf.spec index a219fbf..c9e0545 100644 --- a/mupdf.spec +++ b/mupdf.spec @@ -5,7 +5,7 @@ Name: mupdf Version: 1.18.0 -Release: 4%{?dist} +Release: 5%{?dist} Summary: A lightweight PDF viewer and toolkit License: AGPLv3+ URL: http://mupdf.com/ @@ -31,6 +31,7 @@ Provides: bundled(freeglut-devel) = 3.0.0 # version so bundling them is the safer choice. Provides: bundled(mujs-devel) = 1.0.9 Patch1: 0001-support-PyMuPDF.patch +Patch2: 0001-Bug-703366-Fix-double-free-of-object-during-lineariz.patch %description MuPDF is a lightweight PDF viewer and toolkit written in portable C. @@ -63,6 +64,8 @@ do rm -rf thirdparty/$d done %patch1 -p1 +%patch2 -p1 + echo > user.make "\ USE_SYSTEM_FREETYPE := yes USE_SYSTEM_HARFBUZZ := yes @@ -110,6 +113,9 @@ cd %{buildroot}/%{_bindir} && ln -s %{name}-x11 %{name} %{_libdir}/lib%{name}*.a %changelog +* Tue Feb 23 2021 Michael J Gruber - 1.18.0-5 +- CVE-2021-3407 (bz #1931964, bz#1931965) + * Tue Jan 26 2021 Michael J Gruber - 1.18.0-4 - (original date: Thu Oct 29 2020) - remove obsolete patch