Author: ken Date: Wed Mar 10 12:28:14 2021 New Revision: 4271 Log: Upstream mupdf patch.
Added: trunk/mupdf/mupdf-1.18.0-security_fix-1.patch Added: trunk/mupdf/mupdf-1.18.0-security_fix-1.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ trunk/mupdf/mupdf-1.18.0-security_fix-1.patch Wed Mar 10 12:28:14 2021 (r4271) @@ -0,0 +1,51 @@ +Submitted By: Ken Moffat <ken at linuxfromscratch dot org> +Date: 2021-03-10 +Initial Package Version: 1.18.0 +Upstream Status: Applied +Origin: Upstream +Description: Fixes CVE-2021-3407 + +From: Robin Watts <[email protected]> +Date: Fri, 22 Jan 2021 17:05:15 +0000 (+0000) +Subject: Bug 703366: Fix double free of object during linearization. +X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff_plain;h=cee7cefc610d42fd383b3c80c12cbc675443176a;hp=fb9eb3322d0564cdf1e7e11fb7647641785ef93b + +Bug 703366: Fix double free of object during linearization. + +This appears to happen because we parse an illegal object from +a broken file and assign it to object 0, which is defined to +be free. + +Here, we fix the parsing code so this can't happen. +--- + +diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c +index 7abc8c3d4..5761c3351 100644 +--- a/source/pdf/pdf-parse.c ++++ b/source/pdf/pdf-parse.c +@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc, + fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num); + } + gen = buf->i; ++ if (gen < 0 || gen >= 65536) ++ { ++ if (try_repair) ++ *try_repair = 1; ++ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen); ++ } + + tok = pdf_lex(ctx, file, buf); + if (tok != PDF_TOK_OBJ) +diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c +index 1b2bdcd59..30197b4b8 100644 +--- a/source/pdf/pdf-xref.c ++++ b/source/pdf/pdf-xref.c +@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) + { + ofs = fz_tell(ctx, doc->file); + trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL); ++ if (num == 0) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n"); + } + fz_catch(ctx) + { -- http://lists.linuxfromscratch.org/listinfo/patches FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
