mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 21:38:07 -05:00
gnu: mupdf: Fix CVE-2016-{6265,6525}.
* gnu/packages/patches/mupdf-CVE-2016-6265.patch, gnu/packages/patches/mupdf-CVE-2016-6525.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/pdf.scm (mupdf): Use them.
This commit is contained in:
parent
b47f7510f0
commit
6bd9a3432c
4 changed files with 55 additions and 0 deletions
|
@ -668,6 +668,8 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/mplayer2-theora-fix.patch \
|
||||
%D%/packages/patches/module-init-tools-moduledir.patch \
|
||||
%D%/packages/patches/mumps-build-parallelism.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2016-6265.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2016-6525.patch \
|
||||
%D%/packages/patches/mupen64plus-ui-console-notice.patch \
|
||||
%D%/packages/patches/mutt-store-references.patch \
|
||||
%D%/packages/patches/mysql-fix-failing-test.patch \
|
||||
|
|
30
gnu/packages/patches/mupdf-CVE-2016-6265.patch
Normal file
30
gnu/packages/patches/mupdf-CVE-2016-6265.patch
Normal file
|
@ -0,0 +1,30 @@
|
|||
Fix CVE-2016-6265 (use after free in pdf_load_xref()).
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6265
|
||||
https://security-tracker.debian.org/tracker/CVE-2016-6265
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
http://git.ghostscript.com/?p=mupdf.git;h=fa1936405b6a84e5c9bb440912c23d532772f958
|
||||
|
||||
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
|
||||
index 576c315..3222599 100644
|
||||
--- a/source/pdf/pdf-xref.c
|
||||
+++ b/source/pdf/pdf-xref.c
|
||||
@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
|
||||
fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i);
|
||||
}
|
||||
if (entry->type == 'o')
|
||||
- if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')
|
||||
- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);
|
||||
+ {
|
||||
+ /* Read this into a local variable here, because pdf_get_xref_entry
|
||||
+ * may solidify the xref, hence invalidating "entry", meaning we
|
||||
+ * need a stashed value for the throw. */
|
||||
+ fz_off_t ofs = entry->ofs;
|
||||
+ if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')
|
||||
+ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
21
gnu/packages/patches/mupdf-CVE-2016-6525.patch
Normal file
21
gnu/packages/patches/mupdf-CVE-2016-6525.patch
Normal file
|
@ -0,0 +1,21 @@
|
|||
Fix CVE-2016-6525 (heap overflow in pdf_load_mesh_params()).
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525
|
||||
https://security-tracker.debian.org/tracker/CVE-2016-6525
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e
|
||||
|
||||
diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c
|
||||
index 7815b3c..6e25efa 100644
|
||||
--- a/source/pdf/pdf-shade.c
|
||||
+++ b/source/pdf/pdf-shade.c
|
||||
@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, fz_shade *shade, pdf_ob
|
||||
obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode);
|
||||
if (pdf_array_len(ctx, obj) >= 6)
|
||||
{
|
||||
- n = (pdf_array_len(ctx, obj) - 4) / 2;
|
||||
+ n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2);
|
||||
shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0));
|
||||
shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1));
|
||||
shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));
|
|
@ -474,6 +474,8 @@ (define-public mupdf
|
|||
name "-" version "-source.tar.gz"))
|
||||
(sha256
|
||||
(base32 "01n26cy41lc2fjri63s4js23ixxb4nd37aafry3hz4i4id6wd8x2"))
|
||||
(patches (search-patches "mupdf-CVE-2016-6265.patch"
|
||||
"mupdf-CVE-2016-6525.patch"))
|
||||
(modules '((guix build utils)))
|
||||
(snippet
|
||||
;; Don't build the bundled-in third party libraries.
|
||||
|
|
Loading…
Reference in a new issue