gnu: mupdf: Modify CVE-2016-8674 patch to apply to 1.9a.

The fix from upstream did not apply cleanly due to many context changes.
This was adapted by cloning mupdf 1.9a from git and fixing conflicts
after applying our patches and cherry-picking upstream commit 1e03c06.

This is a follow-up to 47a04fca99.

* gnu/packages/patches/mupdf-CVE-2016-8674.patch: Adapt to 1.9a.
Marius Bakke 2016-10-26 06:39:34 +01:00
parent e95ae7c223
commit 39df253e2b
No known key found for this signature in database
GPG Key ID: A2A06DF2A33A54FA
1 changed files with 42 additions and 43 deletions


@ -3,17 +3,17 @@ Fix CVE-2016-8674 (use-after-free in pdf_to_num()).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8674 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8674
https://security-tracker.debian.org/tracker/CVE-2016-8674 https://security-tracker.debian.org/tracker/CVE-2016-8674
Patch copied from upstream source repository: Patch adapted from upstream source repository:
http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec
diff --git a/include/mupdf/pdf/document.h b/include/mupdf/pdf/document.h diff --git a/include/mupdf/pdf/document.h b/include/mupdf/pdf/document.h
index aabf05f..0078c4a 100644 index f8ef0cd..e8345b7 100644
--- a/include/mupdf/pdf/document.h --- a/include/mupdf/pdf/document.h
+++ b/include/mupdf/pdf/document.h +++ b/include/mupdf/pdf/document.h
@@ -269,6 +269,10 @@ struct pdf_document_s @@ -258,6 +258,10 @@ struct pdf_document_s
fz_hash_table *images; fz_font **type3_fonts;
fz_hash_table *fonts;
} resources; pdf_resource_tables *resources;
+ +
+ int orphans_max; + int orphans_max;
+ int orphans_count; + int orphans_count;
@ -22,10 +22,10 @@ index aabf05f..0078c4a 100644
/* /*
diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
index 5bc3dca..bf57455 100644 index 346a2f1..02d4119 100644
--- a/include/mupdf/pdf/object.h --- a/include/mupdf/pdf/object.h
+++ b/include/mupdf/pdf/object.h +++ b/include/mupdf/pdf/object.h
@@ -110,6 +110,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict, const char *key); @@ -109,6 +109,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict, const char *key);
pdf_obj *pdf_dict_getsa(fz_context *ctx, pdf_obj *dict, const char *key, const char *abbrev); pdf_obj *pdf_dict_getsa(fz_context *ctx, pdf_obj *dict, const char *key, const char *abbrev);
void pdf_dict_put(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val); void pdf_dict_put(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
void pdf_dict_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val); void pdf_dict_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
@ -34,10 +34,10 @@ index 5bc3dca..bf57455 100644
void pdf_dict_puts_drop(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val); void pdf_dict_puts_drop(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val);
void pdf_dict_putp(fz_context *ctx, pdf_obj *dict, const char *path, pdf_obj *val); void pdf_dict_putp(fz_context *ctx, pdf_obj *dict, const char *path, pdf_obj *val);
diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c
index b4e33f3..1c19ba4 100644 index f2e4551..a0d0d8e 100644
--- a/source/pdf/pdf-object.c --- a/source/pdf/pdf-object.c
+++ b/source/pdf/pdf-object.c +++ b/source/pdf/pdf-object.c
@@ -1265,11 +1265,14 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *abbrev) @@ -1240,9 +1240,13 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *abbrev)
return pdf_dict_get(ctx, obj, abbrev); return pdf_dict_get(ctx, obj, abbrev);
} }
@ -46,27 +46,26 @@ index b4e33f3..1c19ba4 100644
+static void +static void
+pdf_dict_get_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val) +pdf_dict_get_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val)
{ {
int i; +
+ if (old_val) + if (old_val)
+ *old_val = NULL; + *old_val = NULL;
+ +
RESOLVE(obj); RESOLVE(obj);
if (!OBJ_IS_DICT(obj)) if (obj >= PDF_OBJ__LIMIT)
fz_throw(ctx, FZ_ERROR_GENERIC, "not a dict (%s)", pdf_objkindstr(obj)); {
@@ -1295,7 +1298,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val) @@ -1282,7 +1286,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
{ {
pdf_obj *d = DICT(obj)->items[i].v; pdf_obj *d = DICT(obj)->items[i].v;
DICT(obj)->items[i].v = pdf_keep_obj(ctx, val); DICT(obj)->items[i].v = pdf_keep_obj(ctx, val);
- pdf_drop_obj(ctx, d); - pdf_drop_obj(ctx, d);
+ if (old_val) + if (old_val)
+ *old_val = d; + *old_val = d;
+ else + else
+ pdf_drop_obj(ctx, d); + pdf_drop_obj(ctx, d);
}
} }
} else
else @@ -1305,10 +1312,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
@@ -1316,10 +1322,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
} }
void void
@ -96,10 +95,10 @@ index b4e33f3..1c19ba4 100644
pdf_drop_obj(ctx, val); pdf_drop_obj(ctx, val);
fz_catch(ctx) fz_catch(ctx)
diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
index 690bf15..167f609 100644 index fdd4648..212c8b7 100644
--- a/source/pdf/pdf-repair.c --- a/source/pdf/pdf-repair.c
+++ b/source/pdf/pdf-repair.c +++ b/source/pdf/pdf-repair.c
@@ -260,6 +260,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc, int stm_num) @@ -259,6 +259,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc, int num, int gen)
} }
} }
@ -127,12 +126,12 @@ index 690bf15..167f609 100644
void void
pdf_repair_xref(fz_context *ctx, pdf_document *doc) pdf_repair_xref(fz_context *ctx, pdf_document *doc)
{ {
@@ -528,12 +549,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc) @@ -520,12 +541,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
/* correct stream length for unencrypted documents */ /* correct stream length for unencrypted documents */
if (!encrypt && list[i].stm_len >= 0) if (!encrypt && list[i].stm_len >= 0)
{ {
+ pdf_obj *old_obj = NULL; + pdf_obj *old_obj = NULL;
dict = pdf_load_object(ctx, doc, list[i].num); dict = pdf_load_object(ctx, doc, list[i].num, list[i].gen);
length = pdf_new_int(ctx, doc, list[i].stm_len); length = pdf_new_int(ctx, doc, list[i].stm_len);
- pdf_dict_put(ctx, dict, PDF_NAME_Length, length); - pdf_dict_put(ctx, dict, PDF_NAME_Length, length);
@ -145,22 +144,22 @@ index 690bf15..167f609 100644
} }
} }
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 7d21775..0cf20d4 100644 index 3de1cd2..6682741 100644
--- a/source/pdf/pdf-xref.c --- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c +++ b/source/pdf/pdf-xref.c
@@ -1620,6 +1620,12 @@ pdf_drop_document_imp(fz_context *ctx, pdf_document *doc) @@ -1626,6 +1626,12 @@ pdf_close_document(fz_context *ctx, pdf_document *doc)
pdf_drop_resource_tables(ctx, doc); pdf_drop_resource_tables(ctx, doc);
+ for (i = 0; i < doc->orphans_count; i++) + for (i = 0; i < doc->orphans_count; i++)
+ { + {
+ pdf_drop_obj(ctx, doc->orphans[i]); + pdf_drop_obj(ctx, doc->orphans[i]);
+ } + }
+ fz_free(ctx, doc->orphans); + fz_free(ctx, doc->orphans);
+ +
fz_free(ctx, doc); fz_free(ctx, doc);
} }
fz_always(ctx)
-- --
2.9.1 2.10.1
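Review bot: The patch header now says only "Patch adapted from upstream source repository:" and still links upstream commit 1e03c06, so the patch file itself does not record how this hand-adapted CVE backport differs from the upstream fix. In the lines visible on this page the added code reads the same on both sides, apart from a stray blank `+` line at the top of pdf_dict_get_put(); the differences are in context (`obj >= PDF_OBJ__LIMIT`, the extra `list[i].gen` argument, `pdf_close_document` in the hunk header). If that also holds for the collapsed hunks, I would state it in the header, e.g. `Adapted to mupdf 1.9a: only context lines differ from upstream commit 1e03c06.`, so the next version bump can compare against upstream and drop the patch. The loop added to pdf_close_document() uses an `i` declared outside the hunk, and the orphan-list helper in pdf-repair.c is collapsed here, so neither could be checked from this page; it would help to confirm in the commit message that 1.9a builds with the patch applied.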