CVE-2021-3407 (bz #1931964, bz#1931965)
This commit is contained in:
parent
44f3b8465a
commit
bf6f961ab9
@ -0,0 +1,49 @@
|
|||||||
|
From cee7cefc610d42fd383b3c80c12cbc675443176a Mon Sep 17 00:00:00 2001
|
||||||
|
Message-Id: <cee7cefc610d42fd383b3c80c12cbc675443176a.1614110865.git.mjg@fedoraproject.org>
|
||||||
|
From: Robin Watts <Robin.Watts@artifex.com>
|
||||||
|
Date: Fri, 22 Jan 2021 17:05:15 +0000
|
||||||
|
Subject: [PATCH] Bug 703366: Fix double free of object during linearization.
|
||||||
|
|
||||||
|
This appears to happen because we parse an illegal object from
|
||||||
|
a broken file and assign it to object 0, which is defined to
|
||||||
|
be free.
|
||||||
|
|
||||||
|
Here, we fix the parsing code so this can't happen.
|
||||||
|
---
|
||||||
|
source/pdf/pdf-parse.c | 6 ++++++
|
||||||
|
source/pdf/pdf-xref.c | 2 ++
|
||||||
|
2 files changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
|
||||||
|
index 7abc8c3d4..5761c3351 100644
|
||||||
|
--- a/source/pdf/pdf-parse.c
|
||||||
|
+++ b/source/pdf/pdf-parse.c
|
||||||
|
@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
|
||||||
|
fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num);
|
||||||
|
}
|
||||||
|
gen = buf->i;
|
||||||
|
+ if (gen < 0 || gen >= 65536)
|
||||||
|
+ {
|
||||||
|
+ if (try_repair)
|
||||||
|
+ *try_repair = 1;
|
||||||
|
+ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
tok = pdf_lex(ctx, file, buf);
|
||||||
|
if (tok != PDF_TOK_OBJ)
|
||||||
|
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
|
||||||
|
index 1b2bdcd59..30197b4b8 100644
|
||||||
|
--- a/source/pdf/pdf-xref.c
|
||||||
|
+++ b/source/pdf/pdf-xref.c
|
||||||
|
@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
|
||||||
|
{
|
||||||
|
ofs = fz_tell(ctx, doc->file);
|
||||||
|
trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL);
|
||||||
|
+ if (num == 0)
|
||||||
|
+ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n");
|
||||||
|
}
|
||||||
|
fz_catch(ctx)
|
||||||
|
{
|
||||||
|
--
|
||||||
|
2.30.1.724.gc30ef96fb6
|
||||||
|
|
@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
Name: mupdf
|
Name: mupdf
|
||||||
Version: 1.18.0
|
Version: 1.18.0
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
Summary: A lightweight PDF viewer and toolkit
|
Summary: A lightweight PDF viewer and toolkit
|
||||||
License: AGPLv3+
|
License: AGPLv3+
|
||||||
URL: http://mupdf.com/
|
URL: http://mupdf.com/
|
||||||
@ -31,6 +31,7 @@ Provides: bundled(freeglut-devel) = 3.0.0
|
|||||||
# version so bundling them is the safer choice.
|
# version so bundling them is the safer choice.
|
||||||
Provides: bundled(mujs-devel) = 1.0.9
|
Provides: bundled(mujs-devel) = 1.0.9
|
||||||
Patch1: 0001-support-PyMuPDF.patch
|
Patch1: 0001-support-PyMuPDF.patch
|
||||||
|
Patch2: 0001-Bug-703366-Fix-double-free-of-object-during-lineariz.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
MuPDF is a lightweight PDF viewer and toolkit written in portable C.
|
MuPDF is a lightweight PDF viewer and toolkit written in portable C.
|
||||||
@ -63,6 +64,8 @@ do
|
|||||||
rm -rf thirdparty/$d
|
rm -rf thirdparty/$d
|
||||||
done
|
done
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
|
||||||
echo > user.make "\
|
echo > user.make "\
|
||||||
USE_SYSTEM_FREETYPE := yes
|
USE_SYSTEM_FREETYPE := yes
|
||||||
USE_SYSTEM_HARFBUZZ := yes
|
USE_SYSTEM_HARFBUZZ := yes
|
||||||
@ -110,6 +113,9 @@ cd %{buildroot}/%{_bindir} && ln -s %{name}-x11 %{name}
|
|||||||
%{_libdir}/lib%{name}*.a
|
%{_libdir}/lib%{name}*.a
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Feb 23 2021 Michael J Gruber <mjg@fedoraproject.org> - 1.18.0-5
|
||||||
|
- CVE-2021-3407 (bz #1931964, bz#1931965)
|
||||||
|
|
||||||
* Tue Jan 26 2021 Michael J Gruber <mjg@fedoraproject.org> - 1.18.0-4
|
* Tue Jan 26 2021 Michael J Gruber <mjg@fedoraproject.org> - 1.18.0-4
|
||||||
- (original date: Thu Oct 29 2020)
|
- (original date: Thu Oct 29 2020)
|
||||||
- remove obsolete patch
|
- remove obsolete patch
|
||||||
|
Loading…
Reference in New Issue
Block a user