From: Daniel Sabogal To: alpine-aports@lists.alpinelinux.org Subject: [alpine-aports] [PATCH] testing/mupdf: fix for CVE-2016-6265 and CVE-2016-6525 Date: Tue, 6 Sep 2016 11:38:47 -0400 Message-Id: <20160906153847.18890-2-dsabogalcc@gmail.com> X-Mailer: git-send-email 2.10.0 In-Reply-To: <20160906153847.18890-1-dsabogalcc@gmail.com> References: <20160906153847.18890-1-dsabogalcc@gmail.com> X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: --- testing/mupdf/APKBUILD | 16 ++++++++++++---- testing/mupdf/CVE-2016-6265.patch | 33 +++++++++++++++++++++++++++++++++ testing/mupdf/CVE-2016-6525.patch | 23 +++++++++++++++++++++++ 3 files changed, 68 insertions(+), 4 deletions(-) create mode 100644 testing/mupdf/CVE-2016-6265.patch create mode 100644 testing/mupdf/CVE-2016-6525.patch diff --git a/testing/mupdf/APKBUILD b/testing/mupdf/APKBUILD index 7b554aa..0dcb5dc 100644 --- a/testing/mupdf/APKBUILD +++ b/testing/mupdf/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Michael Zhou pkgname=mupdf pkgver=1.9a -pkgrel=3 +pkgrel=4 pkgdesc="A lightweight PDF and XPS viewer" url="http://mupdf.com" arch="all" @@ -15,6 +15,8 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-x11:_x11 source="http://mupdf.com/downloads/archive/$pkgname-$pkgver-source.tar.gz shared-lib.patch openjpeg-2.1.1.patch + CVE-2016-6265.patch + CVE-2016-6525.patch " builddir="$srcdir/$pkgname-$pkgver-source" 
@@ -73,10 +75,16 @@ _tools() { md5sums="658b90788a57d858dcb069cf326e11c3 mupdf-1.9a-source.tar.gz 8c4c5ec03c3df7e87a672c79302f6df5 shared-lib.patch -ba8b6171c4ae38662632259e1c496da1 openjpeg-2.1.1.patch" +ba8b6171c4ae38662632259e1c496da1 openjpeg-2.1.1.patch +57b78ee32e4b341d93b29778c55f4ab6 CVE-2016-6265.patch +52db3b30aa98a5d15599a87038992e80 CVE-2016-6525.patch" sha256sums="8015c55f4e6dd892d3c50db4f395c1e46660a10b460e2ecd180a497f55bbc4cc mupdf-1.9a-source.tar.gz 3ff3c9413c4c1005db7e41a085ce8e72ee1e956e8d1538a615f51f86f8bb1d14 shared-lib.patch -46f91311ce2f2972986d6d2f4a57fec5e1a556de494e52226206781942522894 openjpeg-2.1.1.patch" +46f91311ce2f2972986d6d2f4a57fec5e1a556de494e52226206781942522894 openjpeg-2.1.1.patch +287b9e4764d680a66b04040c24e3f982f5aa5fce263749794df0fa57ef4f18a8 CVE-2016-6265.patch +83ab00f0d6bd5e07c286a97a815fa38e9d98df7b5d9925e6cf6fc12e20f5c31c CVE-2016-6525.patch" sha512sums="9f804fd65c2dc6b7a3bd73961b1f1a8bf93d52903cccf6302acd6982dfa433125a3b8e77b808984921aee097877280fa21aafb87468cd0a8e4cfa900284a262b mupdf-1.9a-source.tar.gz bc38cc6935ed1c5941773e0671bea25d33897c1018c30f11ff3a1ec1e583276597f521b9e526f9bd38a6f9a1e76aa3e52782995ded72a618d07811abcd7ca734 shared-lib.patch -6eb33da5f05c5e5d8fa2af7223261153769b454d535128056015819c164ff59d068354680ebc135c2221f2ae7a3b6ec99833247bfefa83e9a4bab09f243452f1 openjpeg-2.1.1.patch" +6eb33da5f05c5e5d8fa2af7223261153769b454d535128056015819c164ff59d068354680ebc135c2221f2ae7a3b6ec99833247bfefa83e9a4bab09f243452f1 openjpeg-2.1.1.patch +a69d1db475c25f3a298c3cf3ab4858ca9298087bc9839caacc65e3bc7695c0e3dd600e3c7f5c6cd042ceb536a2cf90404c4f13a90ad0e266791cbcf329873992 CVE-2016-6265.patch +2d8300f93bfe4cf11d817b38e3879ca7eaa704e58274930ee1368f5f1e13cc9baac786421feec0d5a720dd0cbe6cd8b0d94f4a91f2dd762e6e3923fea9deb4bf CVE-2016-6525.patch" diff --git a/testing/mupdf/CVE-2016-6265.patch b/testing/mupdf/CVE-2016-6265.patch new file mode 100644 index 0000000..5053aa3 --- /dev/null +++ b/testing/mupdf/CVE-2016-6265.patch 
@@ -0,0 +1,33 @@ +From: Robin Watts +Date: Thu, 21 Jul 2016 14:39:11 +0000 (+0100) +Subject: Bug 696941: Fix use after free. +X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff_plain;h=fa1936405b6a84e5c9bb440912c23d532772f958;hp=e98091d56afdf1cf6c9a017fa0bd35dd0b8968f0 + +Bug 696941: Fix use after free. + +The file is HORRIBLY corrupt, and triggers Sophos to think it's +PDF malware (which it isn't). It does however trigger a use +after free, worked around here. +--- + +diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c +index 576c315..3222599 100644 +--- a/source/pdf/pdf-xref.c ++++ b/source/pdf/pdf-xref.c +@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) + fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i); + } + if (entry->type == 'o') +- if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n') +- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i); ++ { ++ /* Read this into a local variable here, because pdf_get_xref_entry ++ * may solidify the xref, hence invalidating "entry", meaning we ++ * need a stashed value for the throw. */ ++ fz_off_t ofs = entry->ofs; ++ if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n') ++ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i); ++ } + } + } + diff --git a/testing/mupdf/CVE-2016-6525.patch b/testing/mupdf/CVE-2016-6525.patch new file mode 100644 index 0000000..003d86b --- /dev/null +++ b/testing/mupdf/CVE-2016-6525.patch 
@@ -0,0 +1,23 @@ +From: Sebastian Rasmussen +Date: Wed, 27 Jul 2016 14:19:39 +0000 (+0800) +Subject: Make sure that number of colors in mesh params is valid. +X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff_plain;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e;hp=fa1936405b6a84e5c9bb440912c23d532772f958 + +Make sure that number of colors in mesh params is valid. + +Fixes bug 696954. +--- + +diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c +index 7815b3c..6e25efa 100644 +--- a/source/pdf/pdf-shade.c ++++ b/source/pdf/pdf-shade.c +@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, fz_shade *shade, pdf_ob + obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode); + if (pdf_array_len(ctx, obj) >= 6) + { +- n = (pdf_array_len(ctx, obj) - 4) / 2; ++ n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2); + shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0)); + shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1)); + shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2)); -- 2.10.0 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
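Review bot: Missing documentation in testing/mupdf/APKBUILD, first hunk: the pkgrel bump to 4 and the two new source= entries are the only record of which package revision carries the fixes, and the commit message has no body. Consider adding a comment in the APKBUILD that maps 1.9a-r4 to CVE-2016-6265 and CVE-2016-6525, and a message body stating that both patches are unmodified upstream commits (the X-Git-Url lines in the patch headers already carry the commit hashes), so someone auditing the package later can tie revision to CVE without opening the patch files.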
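Review bot: In CVE-2016-6265.patch, the pdf_load_xref hunk, "entry" is still in scope after the new block even though the added comment says pdf_get_xref_entry may invalidate it. The visible lines close the loop body right after the block, so nothing dereferences the stale pointer today, but a later edit that touches entry after the 'o' check would reintroduce the use after free. Suggest re-fetching entry after the call or setting it to NULL at the end of the block so any future use fails loudly. Smaller point on the same lines: "(int)ofs" with "%d" narrows an fz_off_t for the error message, so a large offset from a corrupt file may be reported with a misleading value.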
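Review bot: In CVE-2016-6525.patch, the pdf_load_mesh_params hunk, the new fz_mini(FZ_MAX_COLORS, ...) clamp truncates an oversized Decode array silently, so a malformed shading is accepted with no trace in the logs. Suggest emitting a warning when (pdf_array_len(ctx, obj) - 4) / 2 exceeds FZ_MAX_COLORS, which keeps the bound but makes the corrupt input visible to anyone triaging a file. The hunk does not show where n is consumed, so it is also worth confirming during review that every loop indexed by n after this point writes only into arrays sized FZ_MAX_COLORS.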