commit:     197b4aee35918341c66b38a761b111d978b00fa6
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Oct 13 23:21:32 2020 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Oct 13 23:21:39 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=197b4aee

app-text/mupdf: add additional security patches

* Harden populate_ui against unexpected repairs [0]
* Fix overflow in fz_clear_pixmap_with_value [1]

Both patches were committed post-1.18.0 upstream.

[0] https://github.com/ArtifexSoftware/mupdf/commit/b82e9b6d6b46877e5c376.patch
[1] https://github.com/ArtifexSoftware/mupdf/commit/32e4e8b4bcbacbf92af7c.patch

Bug: https://bugs.gentoo.org/747151
Package-Manager: Portage-3.0.8, Repoman-3.0.1
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/mupdf-1.18.0-fix-oob-in-pdf-layer.c      | 102 +++++++++++++++++++++
 .../mupdf/files/mupdf-1.18.0-fix-oob-in-pixmap.c   |  41 +++++++++
 app-text/mupdf/mupdf-1.18.0.ebuild                 |   3 +
 3 files changed, 146 insertions(+)

diff --git a/app-text/mupdf/files/mupdf-1.18.0-fix-oob-in-pdf-layer.c 
b/app-text/mupdf/files/mupdf-1.18.0-fix-oob-in-pdf-layer.c
new file mode 100644
index 00000000000..dc4000b4cde
--- /dev/null
+++ b/app-text/mupdf/files/mupdf-1.18.0-fix-oob-in-pdf-layer.c
@@ -0,0 +1,102 @@
+From b82e9b6d6b46877e5c3763cc3bc641c66fa7eb54 Mon Sep 17 00:00:00 2001
+From: Robin Watts <robin.wa...@artifex.com>
+Date: Thu, 8 Oct 2020 16:15:40 +0100
+Subject: [PATCH] Bug 701297: Harden populate_ui against unexpected repairs.
+
+We count the number of layers, and allocate space for them in
+an array. We then walk the tree reading details of those layers
+in. If we hit a problem that causes a repair while reading the
+information, the number of layers can magically increase. In
+the existing code we run off the end of the array.
+
+In the new code we watch for hitting the end of the array and
+realloc as required.
+---
+ source/pdf/pdf-layer.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c
+index 177f0c947..b8e9d7cad 100644
+--- a/source/pdf/pdf-layer.c
++++ b/source/pdf/pdf-layer.c
+@@ -104,10 +104,27 @@ count_entries(fz_context *ctx, pdf_obj *obj)
+ }
+ 
+ static pdf_ocg_ui *
+-populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, 
pdf_obj *order, int depth, pdf_obj *rbgroups, pdf_obj *locked)
++get_ocg_ui(fz_context *ctx, pdf_ocg_descriptor *desc, int fill)
++{
++      if (fill == desc->num_ui_entries)
++      {
++              /* Number of layers changed while parsing;
++               * probably due to a repair. */
++              int newsize = desc->num_ui_entries * 2;
++              if (newsize == 0)
++                      newsize = 4; /* Arbitrary non-zero */
++              desc->ui = fz_realloc_array(ctx, desc->ui, newsize, pdf_ocg_ui);
++              desc->num_ui_entries = newsize;
++      }
++      return &desc->ui[fill];
++}
++
++static int
++populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, int fill, pdf_obj 
*order, int depth, pdf_obj *rbgroups, pdf_obj *locked)
+ {
+       int len = pdf_array_len(ctx, order);
+       int i, j;
++      pdf_ocg_ui *ui;
+ 
+       for (i = 0; i < len; i++)
+       {
+@@ -118,7 +135,7 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, 
pdf_ocg_ui *ui, pdf_obj *
+                               continue;
+ 
+                       fz_try(ctx)
+-                              ui = populate_ui(ctx, desc, ui, o, depth+1, 
rbgroups, locked);
++                              fill = populate_ui(ctx, desc, fill, o, depth+1, 
rbgroups, locked);
+                       fz_always(ctx)
+                               pdf_unmark_obj(ctx, o);
+                       fz_catch(ctx)
+@@ -126,14 +143,14 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, 
pdf_ocg_ui *ui, pdf_obj *
+ 
+                       continue;
+               }
+-              ui->depth = depth;
+               if (pdf_is_string(ctx, o))
+               {
++                      ui = get_ocg_ui(ctx, desc, fill++);
++                      ui->depth = depth;
+                       ui->ocg = -1;
+                       ui->name = pdf_to_str_buf(ctx, o);
+                       ui->button_flags = PDF_LAYER_UI_LABEL;
+                       ui->locked = 1;
+-                      ui++;
+                       continue;
+               }
+ 
+@@ -144,13 +161,14 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, 
pdf_ocg_ui *ui, pdf_obj *
+               }
+               if (j == desc->len)
+                       continue; /* OCG not found in main list! Just ignore it 
*/
++              ui = get_ocg_ui(ctx, desc, fill++);
++              ui->depth = depth;
+               ui->ocg = j;
+               ui->name = pdf_dict_get_string(ctx, o, PDF_NAME(Name), NULL);
+               ui->button_flags = pdf_array_contains(ctx, o, rbgroups) ? 
PDF_LAYER_UI_RADIOBOX : PDF_LAYER_UI_CHECKBOX;
+               ui->locked = pdf_array_contains(ctx, o, locked);
+-              ui++;
+       }
+-      return ui;
++      return fill;
+ }
+ 
+ static void
+@@ -188,7 +206,7 @@ load_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_obj 
*ocprops, pdf_obj *oc
+       desc->ui = Memento_label(fz_calloc(ctx, count, sizeof(pdf_ocg_ui)), 
"pdf_ocg_ui");
+       fz_try(ctx)
+       {
+-              (void)populate_ui(ctx, desc, desc->ui, order, 0, rbgroups, 
locked);
++              desc->num_ui_entries = populate_ui(ctx, desc, 0, order, 0, 
rbgroups, locked);
+       }
+       fz_catch(ctx)
+       {
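Review bot: `desc->num_ui_entries` now does double duty: inside `get_ocg_ui` (the `fill == desc->num_ui_entries` test and the assignment after `fz_realloc_array`) it is the allocated capacity of `desc->ui`, and only the assignment in `load_ui` turns it into the number of filled entries. If `populate_ui` throws after a grow, the field is left at the doubled capacity while the slots at and beyond `fill` were never written — `fz_realloc_array` does not zero them the way the original `fz_calloc` did — so whatever the `fz_catch` body does (it lies outside the hunk) must not iterate over `num_ui_entries` entries before resetting it; I cannot see that body here, so this needs confirming. A comment above `get_ocg_ui` would make the contract explicit, e.g. `/* While populate_ui runs, desc->num_ui_entries is the capacity of desc->ui; load_ui replaces it with the filled count afterwards. Entries at index >= fill are uninitialised. */`. Note that both `populate_ui` and `load_ui` are shown only in fragments; their bodies start and end outside this hunk, and since this is an upstream patch carried verbatim the change would belong upstream rather than in the Gentoo copy.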

diff --git a/app-text/mupdf/files/mupdf-1.18.0-fix-oob-in-pixmap.c 
b/app-text/mupdf/files/mupdf-1.18.0-fix-oob-in-pixmap.c
new file mode 100644
index 00000000000..d19f0593a11
--- /dev/null
+++ b/app-text/mupdf/files/mupdf-1.18.0-fix-oob-in-pixmap.c
@@ -0,0 +1,41 @@
+From 32e4e8b4bcbacbf92af7c88337efae21986d9603 Mon Sep 17 00:00:00 2001
+From: Robin Watts <robin.wa...@artifex.com>
+Date: Thu, 8 Oct 2020 18:10:28 +0100
+Subject: [PATCH] Bug 702958: Fix overflow in fz_clear_pixmap_with_value.
+
+---
+ source/fitz/pixmap.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index 66873d214..80d8bb62f 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -555,7 +555,8 @@ void
+ fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap *pix, int value)
+ {
+       unsigned char *s;
+-      int w, h, n, stride, len;
++      int w, h, n;
++      ptrdiff_t stride, len;
+       int alpha = pix->alpha;
+ 
+       w = pix->w;
+@@ -572,7 +573,7 @@ fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap 
*pix, int value)
+ 
+       n = pix->n;
+       stride = pix->stride;
+-      len = w * n;
++      len = (ptrdiff_t)w * n;
+ 
+       s = pix->samples;
+       if (value == 255 || !alpha)
+@@ -584,7 +585,7 @@ fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap 
*pix, int value)
+               }
+               while (h--)
+               {
+-                      memset(s, value, (unsigned int)len);
++                      memset(s, value, len);
+                       s += stride;
+               }
+       }
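Review bot: `memset(s, value, len)` now passes a signed `ptrdiff_t` where `memset` takes `size_t`; that is harmless as long as `w` and `n` are non-negative, which the pixmap constructor presumably guarantees, but an explicit `memset(s, value, (size_t)len);` would document that assumption and keep `-Wsign-conversion` quiet, matching the explicit cast the old line carried. The `else` branch of `if (value == 255 || !alpha)` lies outside the hunk, so it is not visible whether any offset arithmetic there still multiplies `w * n` in `int`; if it does, the overflow this patch fixes remains reachable on that path and should be checked. `fz_clear_pixmap_with_value` continues past the end of the hunk.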

diff --git a/app-text/mupdf/mupdf-1.18.0.ebuild 
b/app-text/mupdf/mupdf-1.18.0.ebuild
index 05c1261e442..c7cab5a41c8 100644
--- a/app-text/mupdf/mupdf-1.18.0.ebuild
+++ b/app-text/mupdf/mupdf-1.18.0.ebuild
@@ -49,6 +49,9 @@ PATCHES=(
        "${FILESDIR}"/${PN}-1.15-openssl-x11.patch
        # General cross fixes from Debian (refreshed)
        "${FILESDIR}"/${PN}-1.18.0-cross-fixes.patch
+       # Additional security patches post-1.18.0
+       "${FILESDIR}"/${P}-fix-oob-in-pdf-layer.c
+       "${FILESDIR}"/${P}-fix-oob-in-pixmap.c
 )
 
 src_prepare() {
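Review bot: The two new entries are named `${P}-fix-oob-in-pdf-layer.c` and `${P}-fix-oob-in-pixmap.c`, but their contents are `git format-patch` output (From/Subject headers, nested `diff --git`), not C sources; `eapply` applies an explicitly listed path regardless of suffix, so the build works, but the `.c` suffix misleads readers and tooling and is inconsistent with the neighbouring `.patch` entries. I would rename the files to `${P}-fix-oob-in-pdf-layer.patch` and `${P}-fix-oob-in-pixmap.patch` and update these two lines accordingly. The comment could also carry the tracking reference from the commit message, e.g. `# Additional security patches post-1.18.0 (bug #747151)`.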
