~alpine/aports

2

[alpine-aports] [PATCH edge] main/mupdf: fix for CVE-2017-5991

Daniel Sabogal <dsabogalcc@gmail.com>
Details
Message ID
<20170309164908.17024-1-dsabogalcc@gmail.com>
Sender timestamp
1489078146
DKIM signature
missing
Download raw message
Patch: +98 -2
use !check
---
 main/mupdf/APKBUILD            |  9 ++++-
 main/mupdf/CVE-2017-5991.patch | 91 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 98 insertions(+), 2 deletions(-)
 create mode 100644 main/mupdf/CVE-2017-5991.patch

diff --git a/main/mupdf/APKBUILD b/main/mupdf/APKBUILD
index a242705c4c..4313969bc9 100644
--- a/main/mupdf/APKBUILD
+++ b/main/mupdf/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Daniel Sabogal <dsabogalcc@gmail.com>
pkgname=mupdf
pkgver=1.10a
pkgrel=1
pkgrel=2
pkgdesc="A lightweight PDF and XPS viewer"
url="http://mupdf.com"
arch="all"
@@ -13,13 +13,17 @@ makedepends="freetype-dev jpeg-dev jbig2dec-dev libx11-dev libxext-dev
	openjpeg-dev harfbuzz-dev glfw-dev"
subpackages="$pkgname-doc $pkgname-dev $pkgname-x11:_x11
	$pkgname-gl:_gl $pkgname-tools:_tools"
options="!check"
source="http://mupdf.com/downloads/archive/$pkgname-$pkgver-source.tar.gz
	shared-lib.patch
	openjpeg-2.1.patch
	CVE-2017-5896.patch
	CVE-2017-5991.patch
	"

# secfixes:
#   1.10a-r2:
#   - CVE-2017-5991
#   1.10a-r1:
#   - CVE-2017-5896

@@ -82,4 +86,5 @@ _tools() {
sha512sums="8c735963364985e74ceb38242afae555a3d2ee7c69abe3fe5c485e8613a83d996a58f231cb689a156019d431fa67d565503247d010b0a404054850483aed9fec  mupdf-1.10a-source.tar.gz
bc38cc6935ed1c5941773e0671bea25d33897c1018c30f11ff3a1ec1e583276597f521b9e526f9bd38a6f9a1e76aa3e52782995ded72a618d07811abcd7ca734  shared-lib.patch
bfb509c529e26c3d2dc827298ce3a6083640fbe3fd7491560ffb1e8f86d62bbd4a5d52721079caef8a38d6f332132b581859276000b397f9512673eedb0315a7  openjpeg-2.1.patch
e9f29b909e016967fc9e6ca6723d63aecfea5c8aeadbd923bbf8a0fa1f4b0e16bd4eedac178bbf5fa359e47a55aa307b6581c6ce45b177ee12430f41c0b49cd7  CVE-2017-5896.patch"
e9f29b909e016967fc9e6ca6723d63aecfea5c8aeadbd923bbf8a0fa1f4b0e16bd4eedac178bbf5fa359e47a55aa307b6581c6ce45b177ee12430f41c0b49cd7  CVE-2017-5896.patch
b65a9dce7ba239be788d144c27edb7528ebcf08ead4defe887a08d7879cf72ca3b172a9a33ec3f9426743f45ecb9aac17baf1b526bf5f880beb00bdd84bdc42a  CVE-2017-5991.patch"
diff --git a/main/mupdf/CVE-2017-5991.patch b/main/mupdf/CVE-2017-5991.patch
new file mode 100644
index 0000000000..d19d2e6c4e
--- /dev/null
+++ b/main/mupdf/CVE-2017-5991.patch
@@ -0,0 +1,91 @@
From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001
From: Robin Watts <robin.watts@artifex.com>
Date: Thu, 9 Feb 2017 15:49:15 +0000
Subject: [PATCH] Bug 697500: Fix NULL ptr access.

Cope better with errors during rendering - avoid letting the
gstate stack get out of sync.

This avoids us ever getting into the situation of popping
a clip when we should be popping a mask or a group. This was
causing an unexpected case in the painting.
---
 source/pdf/pdf-op-run.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
index a3ea895..f1eac8d 100644
--- a/source/pdf/pdf-op-run.c
+++ b/source/pdf/pdf-op-run.c
@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
 	pdf_run_processor *pr = (pdf_run_processor *)proc;
 	pdf_gstate *gstate = NULL;
 	int oldtop = 0;
+	int oldbot = -1;
 	fz_matrix local_transform = *transform;
 	softmask_save softmask = { NULL };
 	int gparent_save;
@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
 	fz_var(cleanup_state);
 	fz_var(gstate);
 	fz_var(oldtop);
+	fz_var(oldbot);
 
 	gparent_save = pr->gparent;
 	pr->gparent = pr->gtop;
+	oldtop = pr->gtop;
 
 	fz_try(ctx)
 	{
 		pdf_gsave(ctx, pr);
 
 		gstate = pr->gstate + pr->gtop;
-		oldtop = pr->gtop;
 
 		pdf_xobject_bbox(ctx, xobj, &xobj_bbox);
 		pdf_xobject_matrix(ctx, xobj, &xobj_matrix);
@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
 
 		doc = pdf_get_bound_document(ctx, xobj->obj);
 
+		oldbot = pr->gbot;
+		pr->gbot = pr->gtop;
+
 		pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj, NULL);
 	}
 	fz_always(ctx)
 	{
+		/* Undo any gstate mismatches due to the pdf_process_contents call */
+		if (oldbot != -1)
+		{
+			while (pr->gtop > pr->gbot)
+			{
+				pdf_grestore(ctx, pr);
+			}
+			pr->gbot = oldbot;
+		}
+
 		if (cleanup_state >= 3)
-			pdf_grestore(ctx, pr); /* Remove the clippath */
+			pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */
 
 		/* wrap up transparency stacks */
 		if (transparency)
@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
 		pr->gstate[pr->gparent].ctm = gparent_save_ctm;
 		pr->gparent = gparent_save;
 
-		if (gstate)
-		{
-			while (oldtop < pr->gtop)
-				pdf_grestore(ctx, pr);
-
+		while (oldtop < pr->gtop)
 			pdf_grestore(ctx, pr);
-		}
 
 		pdf_unmark_obj(ctx, xobj->obj);
 	}
-- 
2.9.1

-- 
2.11.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---

[alpine-aports] [PATCH 1/2 3.5-stable] main/mupdf: fix for CVE-2017-5896

Daniel Sabogal <dsabogalcc@gmail.com>
Details
Message ID
<20170309164908.17024-2-dsabogalcc@gmail.com>
In-Reply-To
<20170309164908.17024-1-dsabogalcc@gmail.com> (view parent)
Sender timestamp
1489078147
DKIM signature
missing
Download raw message
Patch: +63 -4
---
 main/mupdf/APKBUILD            | 16 +++++++++----
 main/mupdf/CVE-2017-5896.patch | 51 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 4 deletions(-)
 create mode 100644 main/mupdf/CVE-2017-5896.patch

diff --git a/main/mupdf/APKBUILD b/main/mupdf/APKBUILD
index bc9ed9cdd5..a9ade1b397 100644
--- a/main/mupdf/APKBUILD
+++ b/main/mupdf/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Daniel Sabogal <dsabogalcc@gmail.com>
pkgname=mupdf
pkgver=1.10a
pkgrel=0
pkgrel=1
pkgdesc="A lightweight PDF and XPS viewer"
url="http://mupdf.com"
arch="all"
@@ -16,8 +16,13 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-x11:_x11
source="http://mupdf.com/downloads/archive/$pkgname-$pkgver-source.tar.gz
	shared-lib.patch
	openjpeg-2.1.patch
	CVE-2017-5896.patch
	"

# secfixes:
#   1.10a-r1:
#   - CVE-2017-5896

builddir="$srcdir/$pkgname-$pkgver-source"
prepare() {
	default_prepare || return 1
@@ -76,10 +81,13 @@ _tools() {

md5sums="f80fbba2524d1d52f6ed09237d382411  mupdf-1.10a-source.tar.gz
8c4c5ec03c3df7e87a672c79302f6df5  shared-lib.patch
a5b85a55be0e958c16f900730ff24ad8  openjpeg-2.1.patch"
a5b85a55be0e958c16f900730ff24ad8  openjpeg-2.1.patch
64d2931655dbea67a291032221b67e10  CVE-2017-5896.patch"
sha256sums="aacc1f36b9180f562022ef1ab3439b009369d944364f3cff8a2a898834e3a836  mupdf-1.10a-source.tar.gz
3ff3c9413c4c1005db7e41a085ce8e72ee1e956e8d1538a615f51f86f8bb1d14  shared-lib.patch
12ea2a295b62ca85298273d54b423ec8e73fb52d712bcee20bab0507a595b7a0  openjpeg-2.1.patch"
12ea2a295b62ca85298273d54b423ec8e73fb52d712bcee20bab0507a595b7a0  openjpeg-2.1.patch
23994ce0dc819b29f983328503d073595d56d75fd1001674d30275170fe96792  CVE-2017-5896.patch"
sha512sums="8c735963364985e74ceb38242afae555a3d2ee7c69abe3fe5c485e8613a83d996a58f231cb689a156019d431fa67d565503247d010b0a404054850483aed9fec  mupdf-1.10a-source.tar.gz
bc38cc6935ed1c5941773e0671bea25d33897c1018c30f11ff3a1ec1e583276597f521b9e526f9bd38a6f9a1e76aa3e52782995ded72a618d07811abcd7ca734  shared-lib.patch
bfb509c529e26c3d2dc827298ce3a6083640fbe3fd7491560ffb1e8f86d62bbd4a5d52721079caef8a38d6f332132b581859276000b397f9512673eedb0315a7  openjpeg-2.1.patch"
bfb509c529e26c3d2dc827298ce3a6083640fbe3fd7491560ffb1e8f86d62bbd4a5d52721079caef8a38d6f332132b581859276000b397f9512673eedb0315a7  openjpeg-2.1.patch
e9f29b909e016967fc9e6ca6723d63aecfea5c8aeadbd923bbf8a0fa1f4b0e16bd4eedac178bbf5fa359e47a55aa307b6581c6ce45b177ee12430f41c0b49cd7  CVE-2017-5896.patch"
diff --git a/main/mupdf/CVE-2017-5896.patch b/main/mupdf/CVE-2017-5896.patch
new file mode 100644
index 0000000000..a68715ac31
--- /dev/null
+++ b/main/mupdf/CVE-2017-5896.patch
@@ -0,0 +1,51 @@
From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Thu, 9 Feb 2017 07:12:16 -0800
Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap

Pointer arithmetic for final special case was going wrong.
---
 source/fitz/pixmap.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
index a831712..f1291dc 100644
--- a/source/fitz/pixmap.c
+++ b/source/fitz/pixmap.c
@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
 	"@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
 	"ldr	r4, [r13,#4*22]		@ r4 = divXY			\n"
 	"ldr	r5, [r13,#4*11]		@ for (nn = n; nn > 0; n--) {	\n"
+	"ldr	r8, [r13,#4*17]		@ r8 = back4			\n"
 	"18:				@				\n"
 	"mov	r14,#0			@ r14= v = 0			\n"
 	"sub	r5, r5, r1, LSL #8	@ for (xx = x; xx > 0; x--) {	\n"
@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
 	"mul	r14,r4, r14		@ r14= v *= divX		\n"
 	"mov	r14,r14,LSR #16		@ r14= v >>= 16			\n"
 	"strb	r14,[r9], #1		@ *d++ = r14			\n"
-	"sub	r0, r0, r8		@ s -= back2			\n"
+	"sub	r0, r0, r8		@ s -= back4			\n"
 	"subs	r5, r5, #1		@ n--				\n"
 	"bgt	18b			@ }				\n"
 	"21:				@				\n"
@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
 		x += f;
 		if (x > 0)
 		{
+			int back4 = x * n - 1;
 			div = x * y;
 			for (nn = n; nn > 0; nn--)
 			{
@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
 					s -= back5;
 				}
 				*d++ = v / div;
-				s -= back2;
+				s -= back4;
 			}
 		}
 	}
-- 
2.9.1

-- 
2.11.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---

[alpine-aports] [PATCH 2/2 3.5-stable] main/mupdf: fix for CVE-2017-5991

Daniel Sabogal <dsabogalcc@gmail.com>
Details
Message ID
<20170309164908.17024-3-dsabogalcc@gmail.com>
In-Reply-To
<20170309164908.17024-1-dsabogalcc@gmail.com> (view parent)
Sender timestamp
1489078148
DKIM signature
missing
Download raw message
Patch: +101 -4
---
 main/mupdf/APKBUILD            | 14 +++++--
 main/mupdf/CVE-2017-5991.patch | 91 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 101 insertions(+), 4 deletions(-)
 create mode 100644 main/mupdf/CVE-2017-5991.patch

diff --git a/main/mupdf/APKBUILD b/main/mupdf/APKBUILD
index a9ade1b397..166d6d5075 100644
--- a/main/mupdf/APKBUILD
+++ b/main/mupdf/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Daniel Sabogal <dsabogalcc@gmail.com>
pkgname=mupdf
pkgver=1.10a
pkgrel=1
pkgrel=2
pkgdesc="A lightweight PDF and XPS viewer"
url="http://mupdf.com"
arch="all"
@@ -17,9 +17,12 @@ source="http://mupdf.com/downloads/archive/$pkgname-$pkgver-source.tar.gz
	shared-lib.patch
	openjpeg-2.1.patch
	CVE-2017-5896.patch
	CVE-2017-5991.patch
	"

# secfixes:
#   1.10a-r2:
#   - CVE-2017-5991
#   1.10a-r1:
#   - CVE-2017-5896

@@ -82,12 +85,15 @@ _tools() {
md5sums="f80fbba2524d1d52f6ed09237d382411  mupdf-1.10a-source.tar.gz
8c4c5ec03c3df7e87a672c79302f6df5  shared-lib.patch
a5b85a55be0e958c16f900730ff24ad8  openjpeg-2.1.patch
64d2931655dbea67a291032221b67e10  CVE-2017-5896.patch"
64d2931655dbea67a291032221b67e10  CVE-2017-5896.patch
1c10386d9b536669c5c787b3b1585d6f  CVE-2017-5991.patch"
sha256sums="aacc1f36b9180f562022ef1ab3439b009369d944364f3cff8a2a898834e3a836  mupdf-1.10a-source.tar.gz
3ff3c9413c4c1005db7e41a085ce8e72ee1e956e8d1538a615f51f86f8bb1d14  shared-lib.patch
12ea2a295b62ca85298273d54b423ec8e73fb52d712bcee20bab0507a595b7a0  openjpeg-2.1.patch
23994ce0dc819b29f983328503d073595d56d75fd1001674d30275170fe96792  CVE-2017-5896.patch"
23994ce0dc819b29f983328503d073595d56d75fd1001674d30275170fe96792  CVE-2017-5896.patch
c600d516648c6324069930ea6b606a0a040dfaf7a9d3d323156c5e7d80bc4eb9  CVE-2017-5991.patch"
sha512sums="8c735963364985e74ceb38242afae555a3d2ee7c69abe3fe5c485e8613a83d996a58f231cb689a156019d431fa67d565503247d010b0a404054850483aed9fec  mupdf-1.10a-source.tar.gz
bc38cc6935ed1c5941773e0671bea25d33897c1018c30f11ff3a1ec1e583276597f521b9e526f9bd38a6f9a1e76aa3e52782995ded72a618d07811abcd7ca734  shared-lib.patch
bfb509c529e26c3d2dc827298ce3a6083640fbe3fd7491560ffb1e8f86d62bbd4a5d52721079caef8a38d6f332132b581859276000b397f9512673eedb0315a7  openjpeg-2.1.patch
e9f29b909e016967fc9e6ca6723d63aecfea5c8aeadbd923bbf8a0fa1f4b0e16bd4eedac178bbf5fa359e47a55aa307b6581c6ce45b177ee12430f41c0b49cd7  CVE-2017-5896.patch"
e9f29b909e016967fc9e6ca6723d63aecfea5c8aeadbd923bbf8a0fa1f4b0e16bd4eedac178bbf5fa359e47a55aa307b6581c6ce45b177ee12430f41c0b49cd7  CVE-2017-5896.patch
b65a9dce7ba239be788d144c27edb7528ebcf08ead4defe887a08d7879cf72ca3b172a9a33ec3f9426743f45ecb9aac17baf1b526bf5f880beb00bdd84bdc42a  CVE-2017-5991.patch"
diff --git a/main/mupdf/CVE-2017-5991.patch b/main/mupdf/CVE-2017-5991.patch
new file mode 100644
index 0000000000..d19d2e6c4e
--- /dev/null
+++ b/main/mupdf/CVE-2017-5991.patch
@@ -0,0 +1,91 @@
From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001
From: Robin Watts <robin.watts@artifex.com>
Date: Thu, 9 Feb 2017 15:49:15 +0000
Subject: [PATCH] Bug 697500: Fix NULL ptr access.

Cope better with errors during rendering - avoid letting the
gstate stack get out of sync.

This avoids us ever getting into the situation of popping
a clip when we should be popping a mask or a group. This was
causing an unexpected case in the painting.
---
 source/pdf/pdf-op-run.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
index a3ea895..f1eac8d 100644
--- a/source/pdf/pdf-op-run.c
+++ b/source/pdf/pdf-op-run.c
@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
 	pdf_run_processor *pr = (pdf_run_processor *)proc;
 	pdf_gstate *gstate = NULL;
 	int oldtop = 0;
+	int oldbot = -1;
 	fz_matrix local_transform = *transform;
 	softmask_save softmask = { NULL };
 	int gparent_save;
@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
 	fz_var(cleanup_state);
 	fz_var(gstate);
 	fz_var(oldtop);
+	fz_var(oldbot);
 
 	gparent_save = pr->gparent;
 	pr->gparent = pr->gtop;
+	oldtop = pr->gtop;
 
 	fz_try(ctx)
 	{
 		pdf_gsave(ctx, pr);
 
 		gstate = pr->gstate + pr->gtop;
-		oldtop = pr->gtop;
 
 		pdf_xobject_bbox(ctx, xobj, &xobj_bbox);
 		pdf_xobject_matrix(ctx, xobj, &xobj_matrix);
@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
 
 		doc = pdf_get_bound_document(ctx, xobj->obj);
 
+		oldbot = pr->gbot;
+		pr->gbot = pr->gtop;
+
 		pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj, NULL);
 	}
 	fz_always(ctx)
 	{
+		/* Undo any gstate mismatches due to the pdf_process_contents call */
+		if (oldbot != -1)
+		{
+			while (pr->gtop > pr->gbot)
+			{
+				pdf_grestore(ctx, pr);
+			}
+			pr->gbot = oldbot;
+		}
+
 		if (cleanup_state >= 3)
-			pdf_grestore(ctx, pr); /* Remove the clippath */
+			pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */
 
 		/* wrap up transparency stacks */
 		if (transparency)
@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
 		pr->gstate[pr->gparent].ctm = gparent_save_ctm;
 		pr->gparent = gparent_save;
 
-		if (gstate)
-		{
-			while (oldtop < pr->gtop)
-				pdf_grestore(ctx, pr);
-
+		while (oldtop < pr->gtop)
 			pdf_grestore(ctx, pr);
-		}
 
 		pdf_unmark_obj(ctx, xobj->obj);
 	}
-- 
2.9.1

-- 
2.11.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
Reply to thread Export thread (mbox)