guix-devel/gnu/packages/patches/mupdf-CVE-2016-6265.patch

Fix CVE-2016-6265 (use after free in pdf_load_xref()).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6265
https://security-tracker.debian.org/tracker/CVE-2016-6265

Patch copied from upstream source repository:

http://git.ghostscript.com/?p=mupdf.git;h=fa1936405b6a84e5c9bb440912c23d532772f958

diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 576c315..3222599 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
 				fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i);
 		}
 		if (entry->type == 'o')
-			if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')
-				fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);
+		{
+			/* Read this into a local variable here, because pdf_get_xref_entry
+			 * may solidify the xref, hence invalidating "entry", meaning we
+			 * need a stashed value for the throw. */
+			fz_off_t ofs = entry->ofs;
+			if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')
+				fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);
+		}
 	}
 }
gnu: mupdf: Fix CVE-2016-{6265,6525}. * gnu/packages/patches/mupdf-CVE-2016-6265.patch, gnu/packages/patches/mupdf-CVE-2016-6525.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/pdf.scm (mupdf): Use them. 2016-08-27 23:31:52 +02:00			`Fix CVE-2016-6265 (use after free in pdf_load_xref()).`

			`https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6265`
			`https://security-tracker.debian.org/tracker/CVE-2016-6265`

			`Patch copied from upstream source repository:`

			`http://git.ghostscript.com/?p=mupdf.git;h=fa1936405b6a84e5c9bb440912c23d532772f958`

			`diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c`
			`index 576c315..3222599 100644`
			`--- a/source/pdf/pdf-xref.c`
			`+++ b/source/pdf/pdf-xref.c`
			`@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context ctx, pdf_document doc, pdf_lexbuf *buf)`
			`fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i);`
			`}`
			`if (entry->type == 'o')`
			`- if (entry->ofs <= 0 \|\| entry->ofs >= xref_len \|\| pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')`
			`- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);`
			`+ {`
			`+ /* Read this into a local variable here, because pdf_get_xref_entry`
			`+ * may solidify the xref, hence invalidating "entry", meaning we`
			`+ * need a stashed value for the throw. */`
			`+ fz_off_t ofs = entry->ofs;`
			`+ if (ofs <= 0 \|\| ofs >= xref_len \|\| pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')`
			`+ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);`
			`+ }`
			`}`
			`}`