Hello community, here is the log from the commit of package mupdf for openSUSE:Factory checked in at 2018-01-26 13:35:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mupdf (Old) and /work/SRC/openSUSE:Factory/.mupdf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mupdf" Fri Jan 26 13:35:17 2018 rev:31 rq:569433 version:1.12.0 Changes: -------- --- /work/SRC/openSUSE:Factory/mupdf/mupdf.changes 2018-01-20 11:24:30.510555634 +0100 +++ /work/SRC/openSUSE:Factory/.mupdf.new/mupdf.changes 2018-01-26 13:35:22.932832924 +0100 @@ -1,0 +2,12 @@ +Tue Jan 23 09:12:22 UTC 2018 - [email protected] + +- Add CVE-2017-17858.patch to fix an heap-based buffer overflow + CVE-2017-17858 bsc#1077161 + +------------------------------------------------------------------- +Mon Jan 22 12:20:48 UTC 2018 - [email protected] + +- Add CVE-2018-5686.patch to fix an infinite loop + CVE-2018-5686 bsc#1075936 + +------------------------------------------------------------------- @@ -32,0 +45 @@ +- Fixes CVE-2017-15369 (bsc#1063413), CVE-2017-15587 (bsc#1064027) New: ---- CVE-2017-17858.patch CVE-2018-5686.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mupdf.spec ++++++ --- /var/tmp/diff_new_pack.JVdNvS/_old 2018-01-26 13:35:24.284769778 +0100 +++ /var/tmp/diff_new_pack.JVdNvS/_new 2018-01-26 13:35:24.288769592 +0100 @@ -28,6 +28,8 @@ Source1: mupdf.desktop Source2: mupdf.png Patch1: fix-openjpeg-flags.patch +Patch2: CVE-2018-5686.patch +Patch3: CVE-2017-17858.patch BuildRequires: freetype-devel BuildRequires: gcc-c++ BuildRequires: jbig2dec-devel @@ -64,6 +66,8 @@ %prep %setup -q -n %{name}-%{version}-source %patch1 -p1 +%patch2 -p1 +%patch3 -p1 # do not use the inlined copies of build dpendencies except for mujs rm -rf $(ls -d thirdparty/*/ | grep -v mujs) ++++++ CVE-2017-17858.patch ++++++ >From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001 From: Sebastian Rasmussen <[email protected]> Date: Mon, 11 Dec 2017 14:09:15 +0100 Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below limit. This ensures that: * xref tables with objects pointers do not grow out of bounds. * other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf. --- include/mupdf/pdf/object.h | 3 +++ source/pdf/pdf-repair.c | 5 +---- source/pdf/pdf-xref.c | 21 ++++++++++++--------- 3 files changed, 16 insertions(+), 13 deletions(-) Index: mupdf-1.12.0-source/include/mupdf/pdf/object.h =================================================================== --- mupdf-1.12.0-source.orig/include/mupdf/pdf/object.h +++ mupdf-1.12.0-source/include/mupdf/pdf/object.h @@ -3,6 +3,9 @@ typedef struct pdf_document_s pdf_document; +/* Defined in PDF 1.7 according to Acrobat limit. */ +#define PDF_MAX_OBJECT_NUMBER 8388607 + /* * Dynamic objects. * The same type of objects as found in PDF and PostScript. Index: mupdf-1.12.0-source/source/pdf/pdf-repair.c =================================================================== --- mupdf-1.12.0-source.orig/source/pdf/pdf-repair.c +++ mupdf-1.12.0-source/source/pdf/pdf-repair.c @@ -6,9 +6,6 @@ /* Scan file for objects and reconstruct xref table */ -/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */ -#define MAX_OBJECT_NUMBER (10 << 20) - struct entry { int num; @@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_doc break; } - if (num <= 0 || num > MAX_OBJECT_NUMBER) + if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER) { fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen); goto have_next_token; Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c =================================================================== --- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c +++ mupdf-1.12.0-source/source/pdf/pdf-xref.c @@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_d fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR); } - if (ofs < 0) - fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs); - if (ofs > INT64_MAX - len) - fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big"); - + if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER + || len < 0 || len > PDF_MAX_OBJECT_NUMBER + || ofs + len - 1 > PDF_MAX_OBJECT_NUMBER) + { + fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range"); + } /* broken pdfs where size in trailer undershoots entries in xref sections */ if (ofs + len > xref_len) { @@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ct pdf_xref_entry *table; int i, n; - if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1) - fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index"); - //if (i0 + i1 > pdf_xref_len(ctx, doc)) - // fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries"); + if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER) + fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range"); table = pdf_xref_find_subsection(ctx, doc, i0, i1); for (i = i0; i < i0 + i1; i++) @@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_d /* TODO: reuse free object slots by properly linking free object chains in the ofs field */ pdf_xref_entry *entry; int num = pdf_xref_len(ctx, doc); + + if (num > PDF_MAX_OBJECT_NUMBER) + fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in pdf"); + entry = pdf_get_incremental_xref_entry(ctx, doc, num); entry->type = 'f'; entry->ofs = -1; ++++++ CVE-2018-5686.patch ++++++ X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=include%2Fmupdf%2Ffitz%2Fstream.h;h=790a0a83d3850facdceefb3c3e598fdb63d4e14d;hp=cd26be9039c064c8028fd6ca958044d133644e29;hb=b70eb93f6936c03d8af52040bbca4d4a7db39079;hpb=0d7359fbcd331ec0a22ec163dacff953f9817814 Index: mupdf-1.12.0-source/include/mupdf/fitz/stream.h =================================================================== --- mupdf-1.12.0-source.orig/include/mupdf/fitz/stream.h +++ mupdf-1.12.0-source/include/mupdf/fitz/stream.h @@ -335,10 +335,11 @@ static inline size_t fz_available(fz_con if (len) return len; + if (stm->eof) + return 0; + fz_try(ctx) - { c = stm->next(ctx, stm, max); - } fz_catch(ctx) { fz_rethrow_if(ctx, FZ_ERROR_TRYLATER); @@ -369,10 +370,10 @@ static inline int fz_read_byte(fz_contex if (stm->rp != stm->wp) return *stm->rp++; + if (stm->eof) + return EOF; fz_try(ctx) - { c = stm->next(ctx, stm, 1); - } fz_catch(ctx) { fz_rethrow_if(ctx, FZ_ERROR_TRYLATER); @@ -398,6 +399,8 @@ static inline int fz_peek_byte(fz_contex if (stm->rp != stm->wp) return *stm->rp; + if (stm->eof) + return EOF; c = stm->next(ctx, stm, 1); if (c != EOF)
