gnu: mupdf: Update to 1.10a.
* gnu/packages/patches/mupdf-CVE-2016-6265.patch: Delete file. * gnu/packages/patches/mupdf-CVE-2016-6525.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-7504.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-7505.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-7506.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-7563.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-7564.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-8674.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-9017.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-9136.patch: Likewise. * gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch: Adjust to 1.10a. * gnu/local.mk (dist_patch_DATA): Remove deleted patches. * gnu/packages/pdf.scm (mupdf): Update to 1.10a. [source]: Remove patches.
This commit is contained in:
parent
a351fc8369
commit
76bbce6af2
10
gnu/local.mk
10
gnu/local.mk
|
@ -719,16 +719,6 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/module-init-tools-moduledir.patch \
|
||||
%D%/packages/patches/mumps-build-parallelism.patch \
|
||||
%D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2016-6265.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2016-6525.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2016-7504.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2016-7505.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2016-7506.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2016-7563.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2016-7564.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2016-8674.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2016-9017.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2016-9136.patch \
|
||||
%D%/packages/patches/mupen64plus-ui-console-notice.patch \
|
||||
%D%/packages/patches/musl-CVE-2016-8859.patch \
|
||||
%D%/packages/patches/mutt-store-references.patch \
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
Fix CVE-2016-6265 (use after free in pdf_load_xref()).
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6265
|
||||
https://security-tracker.debian.org/tracker/CVE-2016-6265
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
http://git.ghostscript.com/?p=mupdf.git;h=fa1936405b6a84e5c9bb440912c23d532772f958
|
||||
|
||||
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
|
||||
index 576c315..3222599 100644
|
||||
--- a/source/pdf/pdf-xref.c
|
||||
+++ b/source/pdf/pdf-xref.c
|
||||
@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
|
||||
fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i);
|
||||
}
|
||||
if (entry->type == 'o')
|
||||
- if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')
|
||||
- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);
|
||||
+ {
|
||||
+ /* Read this into a local variable here, because pdf_get_xref_entry
|
||||
+ * may solidify the xref, hence invalidating "entry", meaning we
|
||||
+ * need a stashed value for the throw. */
|
||||
+ fz_off_t ofs = entry->ofs;
|
||||
+ if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')
|
||||
+ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
Fix CVE-2016-6525 (heap overflow in pdf_load_mesh_params()).
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525
|
||||
https://security-tracker.debian.org/tracker/CVE-2016-6525
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e
|
||||
|
||||
diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c
|
||||
index 7815b3c..6e25efa 100644
|
||||
--- a/source/pdf/pdf-shade.c
|
||||
+++ b/source/pdf/pdf-shade.c
|
||||
@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, fz_shade *shade, pdf_ob
|
||||
obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode);
|
||||
if (pdf_array_len(ctx, obj) >= 6)
|
||||
{
|
||||
- n = (pdf_array_len(ctx, obj) - 4) / 2;
|
||||
+ n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2);
|
||||
shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0));
|
||||
shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1));
|
||||
shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));
|
|
@ -1,99 +0,0 @@
|
|||
Fix CVE-2016-7504:
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7504
|
||||
http://bugs.ghostscript.com/show_bug.cgi?id=697142
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5c337af4b3df80cf967e4f9f6a21522de84b392a
|
||||
|
||||
From 5c337af4b3df80cf967e4f9f6a21522de84b392a Mon Sep 17 00:00:00 2001
|
||||
From: Tor Andersson <tor.andersson@artifex.com>
|
||||
Date: Wed, 21 Sep 2016 16:01:08 +0200
|
||||
Subject: [PATCH] Fix bug 697142: Stale string pointer stored in regexp object.
|
||||
|
||||
Make sure to make a copy of the source pattern string.
|
||||
A case we missed when adding short and memory strings to the runtime.
|
||||
The code assumed all strings passed to it were either literal or interned.
|
||||
---
|
||||
jsgc.c | 4 +++-
|
||||
jsi.h | 1 +
|
||||
jsregexp.c | 2 +-
|
||||
jsrun.c | 8 ++++++++
|
||||
jsvalue.h | 2 +-
|
||||
5 files changed, 14 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/jsgc.c b/jsgc.c
|
||||
index 9bd6482..4f7e7dc 100644
|
||||
--- a/thirdparty/mujs/jsgc.c
|
||||
+++ b/thirdparty/mujs/jsgc.c
|
||||
@@ -44,8 +44,10 @@ static void jsG_freeobject(js_State *J, js_Object *obj)
|
||||
{
|
||||
if (obj->head)
|
||||
jsG_freeproperty(J, obj->head);
|
||||
- if (obj->type == JS_CREGEXP)
|
||||
+ if (obj->type == JS_CREGEXP) {
|
||||
+ js_free(J, obj->u.r.source);
|
||||
js_regfree(obj->u.r.prog);
|
||||
+ }
|
||||
if (obj->type == JS_CITERATOR)
|
||||
jsG_freeiterator(J, obj->u.iter.head);
|
||||
if (obj->type == JS_CUSERDATA && obj->u.user.finalize)
|
||||
diff --git a/jsi.h b/jsi.h
|
||||
index 7d9f7c7..e855045 100644
|
||||
--- a/thirdparty/mujs/jsi.h
|
||||
+++ b/thirdparty/mujs/jsi.h
|
||||
@@ -79,6 +79,7 @@ typedef unsigned short js_Instruction;
|
||||
|
||||
/* String interning */
|
||||
|
||||
+char *js_strdup(js_State *J, const char *s);
|
||||
const char *js_intern(js_State *J, const char *s);
|
||||
void jsS_dumpstrings(js_State *J);
|
||||
void jsS_freestrings(js_State *J);
|
||||
diff --git a/jsregexp.c b/jsregexp.c
|
||||
index 2a056b7..a2d5156 100644
|
||||
--- a/thirdparty/mujs/jsregexp.c
|
||||
+++ b/thirdparty/mujs/jsregexp.c
|
||||
@@ -21,7 +21,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags)
|
||||
js_syntaxerror(J, "regular expression: %s", error);
|
||||
|
||||
obj->u.r.prog = prog;
|
||||
- obj->u.r.source = pattern;
|
||||
+ obj->u.r.source = js_strdup(J, pattern);
|
||||
obj->u.r.flags = flags;
|
||||
obj->u.r.last = 0;
|
||||
js_pushobject(J, obj);
|
||||
diff --git a/jsrun.c b/jsrun.c
|
||||
index 2648c4c..ee80845 100644
|
||||
--- a/thirdparty/mujs/jsrun.c
|
||||
+++ b/thirdparty/mujs/jsrun.c
|
||||
@@ -45,6 +45,14 @@ void *js_realloc(js_State *J, void *ptr, int size)
|
||||
return ptr;
|
||||
}
|
||||
|
||||
+char *js_strdup(js_State *J, const char *s)
|
||||
+{
|
||||
+ int n = strlen(s) + 1;
|
||||
+ char *p = js_malloc(J, n);
|
||||
+ memcpy(p, s, n);
|
||||
+ return p;
|
||||
+}
|
||||
+
|
||||
void js_free(js_State *J, void *ptr)
|
||||
{
|
||||
J->alloc(J->actx, ptr, 0);
|
||||
diff --git a/jsvalue.h b/jsvalue.h
|
||||
index 6cfbd89..8fb5016 100644
|
||||
--- a/thirdparty/mujs/jsvalue.h
|
||||
+++ b/thirdparty/mujs/jsvalue.h
|
||||
@@ -71,7 +71,7 @@ struct js_String
|
||||
struct js_Regexp
|
||||
{
|
||||
void *prog;
|
||||
- const char *source;
|
||||
+ char *source;
|
||||
unsigned short flags;
|
||||
unsigned short last;
|
||||
};
|
||||
--
|
||||
2.10.2
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
Fix CVE-2016-7505:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7505
|
||||
http://bugs.ghostscript.com/show_bug.cgi?id=697140
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=8c805b4eb19cf2af689c860b77e6111d2ee439d5
|
||||
|
||||
From 8c805b4eb19cf2af689c860b77e6111d2ee439d5 Mon Sep 17 00:00:00 2001
|
||||
From: Tor Andersson <tor.andersson@artifex.com>
|
||||
Date: Wed, 21 Sep 2016 15:21:04 +0200
|
||||
Subject: [PATCH] Fix bug 697140: Overflow check in ascii division in strtod.
|
||||
|
||||
---
|
||||
jsdtoa.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/jsdtoa.c b/jsdtoa.c
|
||||
index 2e52368..920c1a7 100644
|
||||
--- a/thirdparty/mujs/jsdtoa.c
|
||||
+++ b/thirdparty/mujs/jsdtoa.c
|
||||
@@ -735,6 +735,7 @@ xx:
|
||||
n -= c<<b;
|
||||
*p++ = c + '0';
|
||||
(*na)++;
|
||||
+ if (*na >= Ndig) break; /* abort if overflowing */
|
||||
}
|
||||
*p = 0;
|
||||
}
|
||||
--
|
||||
2.10.2
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
Fix CVE-2016-7506:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7506
|
||||
http://bugs.ghostscript.com/show_bug.cgi?id=697141
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5000749f5afe3b956fc916e407309de840997f4a
|
||||
|
||||
From 5000749f5afe3b956fc916e407309de840997f4a Mon Sep 17 00:00:00 2001
|
||||
From: Tor Andersson <tor.andersson@artifex.com>
|
||||
Date: Wed, 21 Sep 2016 16:02:11 +0200
|
||||
Subject: [PATCH] Fix bug 697141: buffer overrun in regexp string substitution.
|
||||
|
||||
A '$' escape at the end of the string would read past the zero terminator
|
||||
when looking for the escaped character.
|
||||
---
|
||||
jsstring.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/jsstring.c b/jsstring.c
|
||||
index 66f6a89..0209a8e 100644
|
||||
--- a/thirdparty/mujs/jsstring.c
|
||||
+++ b/thirdparty/mujs/jsstring.c
|
||||
@@ -421,6 +421,7 @@ loop:
|
||||
while (*r) {
|
||||
if (*r == '$') {
|
||||
switch (*(++r)) {
|
||||
+ case 0: --r; /* end of string; back up and fall through */
|
||||
case '$': js_putc(J, &sb, '$'); break;
|
||||
case '`': js_putm(J, &sb, source, s); break;
|
||||
case '\'': js_puts(J, &sb, s + n); break;
|
||||
@@ -516,6 +517,7 @@ static void Sp_replace_string(js_State *J)
|
||||
while (*r) {
|
||||
if (*r == '$') {
|
||||
switch (*(++r)) {
|
||||
+ case 0: --r; /* end of string; back up and fall through */
|
||||
case '$': js_putc(J, &sb, '$'); break;
|
||||
case '&': js_putm(J, &sb, s, s + n); break;
|
||||
case '`': js_putm(J, &sb, source, s); break;
|
||||
--
|
||||
2.10.2
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
Fix CVE-2016-7563:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7563
|
||||
http://bugs.ghostscript.com/show_bug.cgi?id=697136
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=f8234d830e17fc5e8fe09eb76d86dad3f6233c59
|
||||
|
||||
From f8234d830e17fc5e8fe09eb76d86dad3f6233c59 Mon Sep 17 00:00:00 2001
|
||||
From: Tor Andersson <tor.andersson@artifex.com>
|
||||
Date: Tue, 20 Sep 2016 17:11:32 +0200
|
||||
Subject: [PATCH] Fix bug 697136.
|
||||
|
||||
We were unconditionally reading the next character if we encountered
|
||||
a '*' in a multi-line comment; possibly reading past the end of
|
||||
the input.
|
||||
---
|
||||
jslex.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/jslex.c b/jslex.c
|
||||
index 7b80800..cbd0eeb 100644
|
||||
--- a/thirdparty/mujs/jslex.c
|
||||
+++ b/thirdparty/mujs/jslex.c
|
||||
@@ -225,7 +225,8 @@ static int lexcomment(js_State *J)
|
||||
if (jsY_accept(J, '/'))
|
||||
return 0;
|
||||
}
|
||||
- jsY_next(J);
|
||||
+ else
|
||||
+ jsY_next(J);
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
--
|
||||
2.10.2
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
Fix CVE-2016-7564:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7564
|
||||
http://bugs.ghostscript.com/show_bug.cgi?id=697137
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a3a4fe840b80706c706e86160352af5936f292d8
|
||||
|
||||
From a3a4fe840b80706c706e86160352af5936f292d8 Mon Sep 17 00:00:00 2001
|
||||
From: Tor Andersson <tor.andersson@artifex.com>
|
||||
Date: Tue, 20 Sep 2016 17:19:06 +0200
|
||||
Subject: [PATCH] Fix bug 697137: off by one in string length calculation.
|
||||
|
||||
We were not allocating space for the terminating zero byte.
|
||||
---
|
||||
jsfunction.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/jsfunction.c b/jsfunction.c
|
||||
index 8b5b18e..28f7aa7 100644
|
||||
--- a/thirdparty/mujs/jsfunction.c
|
||||
+++ b/thirdparty/mujs/jsfunction.c
|
||||
@@ -61,7 +61,7 @@ static void Fp_toString(js_State *J)
|
||||
n += strlen(F->name);
|
||||
for (i = 0; i < F->numparams; ++i)
|
||||
n += strlen(F->vartab[i]) + 1;
|
||||
- s = js_malloc(J, n);
|
||||
+ s = js_malloc(J, n + 1);
|
||||
strcpy(s, "function ");
|
||||
strcat(s, F->name);
|
||||
strcat(s, "(");
|
||||
--
|
||||
2.10.2
|
||||
|
|
@ -1,165 +0,0 @@
|
|||
Fix CVE-2016-8674 (use-after-free in pdf_to_num()).
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8674
|
||||
https://security-tracker.debian.org/tracker/CVE-2016-8674
|
||||
|
||||
Patch adapted from upstream source repository:
|
||||
http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec
|
||||
|
||||
diff --git a/include/mupdf/pdf/document.h b/include/mupdf/pdf/document.h
|
||||
index f8ef0cd..e8345b7 100644
|
||||
--- a/include/mupdf/pdf/document.h
|
||||
+++ b/include/mupdf/pdf/document.h
|
||||
@@ -258,6 +258,10 @@ struct pdf_document_s
|
||||
fz_font **type3_fonts;
|
||||
|
||||
pdf_resource_tables *resources;
|
||||
+
|
||||
+ int orphans_max;
|
||||
+ int orphans_count;
|
||||
+ pdf_obj **orphans;
|
||||
};
|
||||
|
||||
/*
|
||||
diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
|
||||
index 346a2f1..02d4119 100644
|
||||
--- a/include/mupdf/pdf/object.h
|
||||
+++ b/include/mupdf/pdf/object.h
|
||||
@@ -109,6 +109,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict, const char *key);
|
||||
pdf_obj *pdf_dict_getsa(fz_context *ctx, pdf_obj *dict, const char *key, const char *abbrev);
|
||||
void pdf_dict_put(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
|
||||
void pdf_dict_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
|
||||
+void pdf_dict_get_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val, pdf_obj **old_val);
|
||||
void pdf_dict_puts(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val);
|
||||
void pdf_dict_puts_drop(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val);
|
||||
void pdf_dict_putp(fz_context *ctx, pdf_obj *dict, const char *path, pdf_obj *val);
|
||||
diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c
|
||||
index f2e4551..a0d0d8e 100644
|
||||
--- a/source/pdf/pdf-object.c
|
||||
+++ b/source/pdf/pdf-object.c
|
||||
@@ -1240,9 +1240,13 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *abbrev)
|
||||
return pdf_dict_get(ctx, obj, abbrev);
|
||||
}
|
||||
|
||||
-void
|
||||
-pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
|
||||
+static void
|
||||
+pdf_dict_get_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val)
|
||||
{
|
||||
+
|
||||
+ if (old_val)
|
||||
+ *old_val = NULL;
|
||||
+
|
||||
RESOLVE(obj);
|
||||
if (obj >= PDF_OBJ__LIMIT)
|
||||
{
|
||||
@@ -1282,7 +1286,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
|
||||
{
|
||||
pdf_obj *d = DICT(obj)->items[i].v;
|
||||
DICT(obj)->items[i].v = pdf_keep_obj(ctx, val);
|
||||
- pdf_drop_obj(ctx, d);
|
||||
+ if (old_val)
|
||||
+ *old_val = d;
|
||||
+ else
|
||||
+ pdf_drop_obj(ctx, d);
|
||||
}
|
||||
}
|
||||
else
|
||||
@@ -1305,10 +1312,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
|
||||
}
|
||||
|
||||
void
|
||||
+pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
|
||||
+{
|
||||
+ pdf_dict_get_put(ctx, obj, key, val, NULL);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
pdf_dict_put_drop(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
|
||||
{
|
||||
fz_try(ctx)
|
||||
- pdf_dict_put(ctx, obj, key, val);
|
||||
+ pdf_dict_get_put(ctx, obj, key, val, NULL);
|
||||
+ fz_always(ctx)
|
||||
+ pdf_drop_obj(ctx, val);
|
||||
+ fz_catch(ctx)
|
||||
+ fz_rethrow(ctx);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+pdf_dict_get_put_drop(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val)
|
||||
+{
|
||||
+ fz_try(ctx)
|
||||
+ pdf_dict_get_put(ctx, obj, key, val, old_val);
|
||||
fz_always(ctx)
|
||||
pdf_drop_obj(ctx, val);
|
||||
fz_catch(ctx)
|
||||
diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
|
||||
index fdd4648..212c8b7 100644
|
||||
--- a/source/pdf/pdf-repair.c
|
||||
+++ b/source/pdf/pdf-repair.c
|
||||
@@ -259,6 +259,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc, int num, int gen)
|
||||
}
|
||||
}
|
||||
|
||||
+static void
|
||||
+orphan_object(fz_context *ctx, pdf_document *doc, pdf_obj *obj)
|
||||
+{
|
||||
+ if (doc->orphans_count == doc->orphans_max)
|
||||
+ {
|
||||
+ int new_max = (doc->orphans_max ? doc->orphans_max*2 : 32);
|
||||
+
|
||||
+ fz_try(ctx)
|
||||
+ {
|
||||
+ doc->orphans = fz_resize_array(ctx, doc->orphans, new_max, sizeof(*doc->orphans));
|
||||
+ doc->orphans_max = new_max;
|
||||
+ }
|
||||
+ fz_catch(ctx)
|
||||
+ {
|
||||
+ pdf_drop_obj(ctx, obj);
|
||||
+ fz_rethrow(ctx);
|
||||
+ }
|
||||
+ }
|
||||
+ doc->orphans[doc->orphans_count++] = obj;
|
||||
+}
|
||||
+
|
||||
void
|
||||
pdf_repair_xref(fz_context *ctx, pdf_document *doc)
|
||||
{
|
||||
@@ -520,12 +541,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
|
||||
/* correct stream length for unencrypted documents */
|
||||
if (!encrypt && list[i].stm_len >= 0)
|
||||
{
|
||||
+ pdf_obj *old_obj = NULL;
|
||||
dict = pdf_load_object(ctx, doc, list[i].num, list[i].gen);
|
||||
|
||||
length = pdf_new_int(ctx, doc, list[i].stm_len);
|
||||
- pdf_dict_put(ctx, dict, PDF_NAME_Length, length);
|
||||
- pdf_drop_obj(ctx, length);
|
||||
-
|
||||
+ pdf_dict_get_put_drop(ctx, dict, PDF_NAME_Length, length, &old_obj);
|
||||
+ if (old_obj)
|
||||
+ orphan_object(ctx, doc, old_obj);
|
||||
pdf_drop_obj(ctx, dict);
|
||||
}
|
||||
}
|
||||
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
|
||||
index 3de1cd2..6682741 100644
|
||||
--- a/source/pdf/pdf-xref.c
|
||||
+++ b/source/pdf/pdf-xref.c
|
||||
@@ -1626,6 +1626,12 @@ pdf_close_document(fz_context *ctx, pdf_document *doc)
|
||||
|
||||
pdf_drop_resource_tables(ctx, doc);
|
||||
|
||||
+ for (i = 0; i < doc->orphans_count; i++)
|
||||
+ {
|
||||
+ pdf_drop_obj(ctx, doc->orphans[i]);
|
||||
+ }
|
||||
+ fz_free(ctx, doc->orphans);
|
||||
+
|
||||
fz_free(ctx, doc);
|
||||
}
|
||||
|
||||
--
|
||||
2.10.1
|
||||
|
|
@ -1,46 +0,0 @@
|
|||
Fix CVE-2016-9017:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9107
|
||||
http://bugs.ghostscript.com/show_bug.cgi?id=697171
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a5c747f1d40e8d6659a37a8d25f13fb5acf8e767
|
||||
|
||||
From a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 Mon Sep 17 00:00:00 2001
|
||||
From: Tor Andersson <tor.andersson@artifex.com>
|
||||
Date: Tue, 25 Oct 2016 14:08:27 +0200
|
||||
Subject: [PATCH] Fix 697171: missed an operand in the bytecode debugger dump.
|
||||
|
||||
---
|
||||
jscompile.h | 2 +-
|
||||
jsdump.c | 1 +
|
||||
2 files changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/jscompile.h b/jscompile.h
|
||||
index 802cc9e..3054d13 100644
|
||||
--- a/thirdparty/mujs/jscompile.h
|
||||
+++ b/thirdparty/mujs/jscompile.h
|
||||
@@ -21,7 +21,7 @@ enum js_OpCode
|
||||
|
||||
OP_NEWARRAY,
|
||||
OP_NEWOBJECT,
|
||||
- OP_NEWREGEXP,
|
||||
+ OP_NEWREGEXP, /* -S,opts- <regexp> */
|
||||
|
||||
OP_UNDEF,
|
||||
OP_NULL,
|
||||
diff --git a/jsdump.c b/jsdump.c
|
||||
index 1c51c29..37ad88c 100644
|
||||
--- a/thirdparty/mujs/jsdump.c
|
||||
+++ b/thirdparty/mujs/jsdump.c
|
||||
@@ -750,6 +750,7 @@ void jsC_dumpfunction(js_State *J, js_Function *F)
|
||||
case OP_INITVAR:
|
||||
case OP_DEFVAR:
|
||||
case OP_GETVAR:
|
||||
+ case OP_HASVAR:
|
||||
case OP_SETVAR:
|
||||
case OP_DELVAR:
|
||||
case OP_GETPROP_S:
|
||||
--
|
||||
2.10.2
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
Fix CVE-2016-9136:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9136
|
||||
http://bugs.ghostscript.com/show_bug.cgi?id=697244
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a0ceaf5050faf419401fe1b83acfa950ec8a8a89
|
||||
From a0ceaf5050faf419401fe1b83acfa950ec8a8a89 Mon Sep 17 00:00:00 2001
|
||||
From: Tor Andersson <tor.andersson@artifex.com>
|
||||
Date: Mon, 31 Oct 2016 13:05:37 +0100
|
||||
Subject: [PATCH] Fix 697244: Check for incomplete escape sequence at end of
|
||||
input.
|
||||
|
||||
---
|
||||
jslex.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/jslex.c b/jslex.c
|
||||
index cbd0eeb..aaafdac 100644
|
||||
--- a/thirdparty/mujs/jslex.c
|
||||
+++ b/thirdparty/mujs/jslex.c
|
||||
@@ -377,6 +377,7 @@ static int lexescape(js_State *J)
|
||||
return 0;
|
||||
|
||||
switch (J->lexchar) {
|
||||
+ case 0: jsY_error(J, "unterminated escape sequence");
|
||||
case 'u':
|
||||
jsY_next(J);
|
||||
if (!jsY_ishex(J->lexchar)) return 1; else { x |= jsY_tohex(J->lexchar) << 12; jsY_next(J); }
|
||||
--
|
||||
2.10.2
|
||||
|
|
@ -27,12 +27,3 @@ index 6b92e5c..72dea50 100644
|
|||
#include <openjpeg.h>
|
||||
|
||||
static void fz_opj_error_callback(const char *msg, void *client_data)
|
||||
@@ -117,7 +109,7 @@ fz_load_jpx(fz_context *ctx, unsigned char *data, int size, fz_colorspace *defcs
|
||||
opj_stream_set_read_function(stream, fz_opj_stream_read);
|
||||
opj_stream_set_skip_function(stream, fz_opj_stream_skip);
|
||||
opj_stream_set_seek_function(stream, fz_opj_stream_seek);
|
||||
- opj_stream_set_user_data(stream, &sb);
|
||||
+ opj_stream_set_user_data(stream, &sb, NULL);
|
||||
/* Set the length to avoid an assert */
|
||||
opj_stream_set_user_data_length(stream, size);
|
||||
|
||||
|
|
|
@ -479,7 +479,7 @@ extracting content or merging files.")
|
|||
(define-public mupdf
|
||||
(package
|
||||
(name "mupdf")
|
||||
(version "1.9a")
|
||||
(version "1.10a")
|
||||
(source
|
||||
(origin
|
||||
(method url-fetch)
|
||||
|
@ -487,18 +487,8 @@ extracting content or merging files.")
|
|||
name "-" version "-source.tar.gz"))
|
||||
(sha256
|
||||
(base32
|
||||
"1k64pdapyj8a336jw3j61fhn0rp4q6az7d0dqp9r5n3d9rgwa5c0"))
|
||||
(patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
|
||||
"mupdf-CVE-2016-6265.patch"
|
||||
"mupdf-CVE-2016-6525.patch"
|
||||
"mupdf-CVE-2016-7504.patch"
|
||||
"mupdf-CVE-2016-7505.patch"
|
||||
"mupdf-CVE-2016-7506.patch"
|
||||
"mupdf-CVE-2016-7563.patch"
|
||||
"mupdf-CVE-2016-7564.patch"
|
||||
"mupdf-CVE-2016-8674.patch"
|
||||
"mupdf-CVE-2016-9017.patch"
|
||||
"mupdf-CVE-2016-9136.patch"))
|
||||
"0dm8wcs8i29aibzkqkrn8kcnk4q0kd1v66pg48h5c3qqp4v1zk5a"))
|
||||
(patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"))
|
||||
(modules '((guix build utils)))
|
||||
(snippet
|
||||
;; Delete all the bundled libraries except for mujs, which is
|
||||
|
|
Loading…
Reference in New Issue