Fix CVE-2017-5896: https://bugs.ghostscript.com/show_bug.cgi?id=697515 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5896 http://www.openwall.com/lists/oss-security/2017/02/10/1 https://security-tracker.debian.org/tracker/CVE-2017-5896 https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/ Patch lifted from upstream source repository: http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001 From: Robin Watts Date: Thu, 9 Feb 2017 07:12:16 -0800 Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap Pointer arithmetic for final special case was going wrong. --- source/fitz/pixmap.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c index a8317127..f1291dc2 100644 --- a/source/fitz/pixmap.c +++ b/source/fitz/pixmap.c @@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor, "@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n" "ldr r4, [r13,#4*22] @ r4 = divXY \n" "ldr r5, [r13,#4*11] @ for (nn = n; nn > 0; n--) { \n" + "ldr r8, [r13,#4*17] @ r8 = back4 \n" "18: @ \n" "mov r14,#0 @ r14= v = 0 \n" "sub r5, r5, r1, LSL #8 @ for (xx = x; xx > 0; x--) { \n" @@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor, "mul r14,r4, r14 @ r14= v *= divX \n" "mov r14,r14,LSR #16 @ r14= v >>= 16 \n" "strb r14,[r9], #1 @ *d++ = r14 \n" - "sub r0, r0, r8 @ s -= back2 \n" + "sub r0, r0, r8 @ s -= back4 \n" "subs r5, r5, #1 @ n-- \n" "bgt 18b @ } \n" "21: @ \n" @@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor) x += f; if (x > 0) { + int back4 = x * n - 1; div = x * y; for (nn = n; nn > 0; nn--) { @@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor) s -= back5; } *d++ = v / div; - s -= back2; + s -= back4; } } } -- 2.12.0