gnu: mupdf: Update to 1.11.

Also delete two stray patches that were added in
92ae98e2a0 and lost in a subsequent merge
(mupdf/fixed was already gone at e90e0fad1b).

* gnu/packages/patches/mupdf-CVE-2017-5896.patch,
gnu/packages/patches/mupdf-CVE-2017-5991.patch,
gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch,
gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
* gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch: Adjust.
* gnu/packages/pdf.scm (mupdf): Update to 1.11.
[source]: Remove mujs patches. Adjust snippet to source rename.
This commit is contained in:
Marius Bakke 2017-04-14 11:52:11 +02:00
parent f46eb986c2
commit e5da4d8b40
No known key found for this signature in database
GPG key ID: A2A06DF2A33A54FA
7 changed files with 11 additions and 407 deletions

View file

@ -785,10 +785,6 @@ dist_patch_DATA = \
%D%/packages/patches/multiqc-fix-git-subprocess-error.patch \
%D%/packages/patches/mumps-build-parallelism.patch \
%D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \
%D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch \
%D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch \
%D%/packages/patches/mupdf-CVE-2017-5896.patch \
%D%/packages/patches/mupdf-CVE-2017-5991.patch \
%D%/packages/patches/mupen64plus-ui-console-notice.patch \
%D%/packages/patches/musl-CVE-2016-8859.patch \
%D%/packages/patches/mutt-store-references.patch \

View file

@ -1,63 +0,0 @@
Fix CVE-2017-5896:
https://bugs.ghostscript.com/show_bug.cgi?id=697515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5896
http://www.openwall.com/lists/oss-security/2017/02/10/1
https://security-tracker.debian.org/tracker/CVE-2017-5896
https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/
Patch lifted from upstream source repository:
http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27
From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Thu, 9 Feb 2017 07:12:16 -0800
Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap
Pointer arithmetic for final special case was going wrong.
---
source/fitz/pixmap.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
index a8317127..f1291dc2 100644
--- a/source/fitz/pixmap.c
+++ b/source/fitz/pixmap.c
@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
"@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
"ldr r4, [r13,#4*22] @ r4 = divXY \n"
"ldr r5, [r13,#4*11] @ for (nn = n; nn > 0; n--) { \n"
+ "ldr r8, [r13,#4*17] @ r8 = back4 \n"
"18: @ \n"
"mov r14,#0 @ r14= v = 0 \n"
"sub r5, r5, r1, LSL #8 @ for (xx = x; xx > 0; x--) { \n"
@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
"mul r14,r4, r14 @ r14= v *= divX \n"
"mov r14,r14,LSR #16 @ r14= v >>= 16 \n"
"strb r14,[r9], #1 @ *d++ = r14 \n"
- "sub r0, r0, r8 @ s -= back2 \n"
+ "sub r0, r0, r8 @ s -= back4 \n"
"subs r5, r5, #1 @ n-- \n"
"bgt 18b @ } \n"
"21: @ \n"
@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
x += f;
if (x > 0)
{
+ int back4 = x * n - 1;
div = x * y;
for (nn = n; nn > 0; nn--)
{
@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
s -= back5;
}
*d++ = v / div;
- s -= back2;
+ s -= back4;
}
}
}
--
2.12.0

View file

@ -1,101 +0,0 @@
Fix CVE-2017-5991:
https://bugs.ghostscript.com/show_bug.cgi?id=697500
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5991
https://security-tracker.debian.org/tracker/CVE-2017-5991
Patch lifted from upstream source repository:
http://git.ghostscript.com/?p=mupdf.git;h=1912de5f08e90af1d9d0a9791f58ba3afdb9d465
From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001
From: Robin Watts <robin.watts@artifex.com>
Date: Thu, 9 Feb 2017 15:49:15 +0000
Subject: [PATCH] Bug 697500: Fix NULL ptr access.
Cope better with errors during rendering - avoid letting the
gstate stack get out of sync.
This avoids us ever getting into the situation of popping
a clip when we should be popping a mask or a group. This was
causing an unexpected case in the painting.
---
source/pdf/pdf-op-run.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
index a3ea895d..f1eac8d3 100644
--- a/source/pdf/pdf-op-run.c
+++ b/source/pdf/pdf-op-run.c
@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
pdf_run_processor *pr = (pdf_run_processor *)proc;
pdf_gstate *gstate = NULL;
int oldtop = 0;
+ int oldbot = -1;
fz_matrix local_transform = *transform;
softmask_save softmask = { NULL };
int gparent_save;
@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
fz_var(cleanup_state);
fz_var(gstate);
fz_var(oldtop);
+ fz_var(oldbot);
gparent_save = pr->gparent;
pr->gparent = pr->gtop;
+ oldtop = pr->gtop;
fz_try(ctx)
{
pdf_gsave(ctx, pr);
gstate = pr->gstate + pr->gtop;
- oldtop = pr->gtop;
pdf_xobject_bbox(ctx, xobj, &xobj_bbox);
pdf_xobject_matrix(ctx, xobj, &xobj_matrix);
@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
doc = pdf_get_bound_document(ctx, xobj->obj);
+ oldbot = pr->gbot;
+ pr->gbot = pr->gtop;
+
pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj, NULL);
}
fz_always(ctx)
{
+ /* Undo any gstate mismatches due to the pdf_process_contents call */
+ if (oldbot != -1)
+ {
+ while (pr->gtop > pr->gbot)
+ {
+ pdf_grestore(ctx, pr);
+ }
+ pr->gbot = oldbot;
+ }
+
if (cleanup_state >= 3)
- pdf_grestore(ctx, pr); /* Remove the clippath */
+ pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */
/* wrap up transparency stacks */
if (transparency)
@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
pr->gstate[pr->gparent].ctm = gparent_save_ctm;
pr->gparent = gparent_save;
- if (gstate)
- {
- while (oldtop < pr->gtop)
- pdf_grestore(ctx, pr);
-
+ while (oldtop < pr->gtop)
pdf_grestore(ctx, pr);
- }
pdf_unmark_obj(ctx, xobj->obj);
}
--
2.12.0

View file

@ -13,17 +13,15 @@ diff --git a/source/fitz/load-jpx.c b/source/fitz/load-jpx.c
index 6b92e5c..72dea50 100644
--- a/source/fitz/load-jpx.c
+++ b/source/fitz/load-jpx.c
@@ -1,13 +1,5 @@
#include "mupdf/fitz.h"
@@ -444,11 +444,6 @@
#else /* HAVE_LURATECH */
-/* Without the definition of OPJ_STATIC, compilation fails on windows
- * due to the use of __stdcall. We believe it is required on some
- * linux toolchains too. */
-#define OPJ_STATIC
-#ifndef _MSC_VER
-#define OPJ_HAVE_INTTYPES_H
-#if !defined(_WIN32) && !defined(_WIN64)
-#define OPJ_HAVE_STDINT_H
-#endif
-
#include <openjpeg.h>
#define USE_JPIP
static void fz_opj_error_callback(const char *msg, void *client_data)
#include <openjpeg.h>

View file

@ -1,188 +0,0 @@
Fix CVE-2016-10132:
https://bugs.ghostscript.com/show_bug.cgi?id=697381
http://seclists.org/oss-sec/2017/q1/74
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10132
Patch lifted from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;h=fd003eceda531e13fbdd1aeb6e9c73156496e569
From fd003eceda531e13fbdd1aeb6e9c73156496e569 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor@ccxvii.net>
Date: Fri, 2 Dec 2016 14:56:20 -0500
Subject: [PATCH] Fix 697381: check allocation when compiling regular
expressions.
Also use allocator callback function.
---
thirdparty/mujs/jsgc.c | 2 +-
thirdparty/mujs/jsregexp.c | 2 +-
thirdparty/mujs/jsstate.c | 6 ------
thirdparty/mujs/regexp.c | 45 +++++++++++++++++++++++++++++++++++----------
thirdparty/mujs/regexp.h | 7 +++++++
5 files changed, 44 insertions(+), 18 deletions(-)
diff --git a/thirdparty/mujs/jsgc.c b/thirdparty/mujs/jsgc.c
index 4f7e7dc..f80111e 100644
--- a/thirdparty/mujs/jsgc.c
+++ b/thirdparty/mujs/jsgc.c
@@ -46,7 +46,7 @@ static void jsG_freeobject(js_State *J, js_Object *obj)
jsG_freeproperty(J, obj->head);
if (obj->type == JS_CREGEXP) {
js_free(J, obj->u.r.source);
- js_regfree(obj->u.r.prog);
+ js_regfreex(J->alloc, J->actx, obj->u.r.prog);
}
if (obj->type == JS_CITERATOR)
jsG_freeiterator(J, obj->u.iter.head);
diff --git a/thirdparty/mujs/jsregexp.c b/thirdparty/mujs/jsregexp.c
index a2d5156..7b09c06 100644
--- a/thirdparty/mujs/jsregexp.c
+++ b/thirdparty/mujs/jsregexp.c
@@ -16,7 +16,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags)
if (flags & JS_REGEXP_I) opts |= REG_ICASE;
if (flags & JS_REGEXP_M) opts |= REG_NEWLINE;
- prog = js_regcomp(pattern, opts, &error);
+ prog = js_regcompx(J->alloc, J->actx, pattern, opts, &error);
if (!prog)
js_syntaxerror(J, "regular expression: %s", error);
diff --git a/thirdparty/mujs/jsstate.c b/thirdparty/mujs/jsstate.c
index 638cab3..fd5bcf6 100644
--- a/thirdparty/mujs/jsstate.c
+++ b/thirdparty/mujs/jsstate.c
@@ -9,12 +9,6 @@
static void *js_defaultalloc(void *actx, void *ptr, int size)
{
- if (size == 0) {
- free(ptr);
- return NULL;
- }
- if (!ptr)
- return malloc((size_t)size);
return realloc(ptr, (size_t)size);
}
diff --git a/thirdparty/mujs/regexp.c b/thirdparty/mujs/regexp.c
index 9852be2..01c18a3 100644
--- a/thirdparty/mujs/regexp.c
+++ b/thirdparty/mujs/regexp.c
@@ -807,23 +807,31 @@ static void dumpprog(Reprog *prog)
}
#endif
-Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
+Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
+ const char *pattern, int cflags, const char **errorp)
{
struct cstate g;
Renode *node;
Reinst *split, *jump;
int i;
- g.prog = malloc(sizeof (Reprog));
- g.pstart = g.pend = malloc(sizeof (Renode) * strlen(pattern) * 2);
+ g.pstart = NULL;
+ g.prog = NULL;
if (setjmp(g.kaboom)) {
if (errorp) *errorp = g.error;
- free(g.pstart);
- free(g.prog);
+ alloc(ctx, g.pstart, 0);
+ alloc(ctx, g.prog, 0);
return NULL;
}
+ g.prog = alloc(ctx, NULL, sizeof (Reprog));
+ if (!g.prog)
+ die(&g, "cannot allocate regular expression");
+ g.pstart = g.pend = alloc(ctx, NULL, sizeof (Renode) * strlen(pattern) * 2);
+ if (!g.pstart)
+ die(&g, "cannot allocate regular expression parse list");
+
g.source = pattern;
g.ncclass = 0;
g.nsub = 1;
@@ -840,7 +848,9 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
die(&g, "syntax error");
g.prog->nsub = g.nsub;
- g.prog->start = g.prog->end = malloc((count(node) + 6) * sizeof (Reinst));
+ g.prog->start = g.prog->end = alloc(ctx, NULL, (count(node) + 6) * sizeof (Reinst));
+ if (!g.prog->start)
+ die(&g, "cannot allocate regular expression instruction list");
split = emit(g.prog, I_SPLIT);
split->x = split + 3;
@@ -859,20 +869,35 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
dumpprog(g.prog);
#endif
- free(g.pstart);
+ alloc(ctx, g.pstart, 0);
if (errorp) *errorp = NULL;
return g.prog;
}
-void regfree(Reprog *prog)
+void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx, Reprog *prog)
{
if (prog) {
- free(prog->start);
- free(prog);
+ alloc(ctx, prog->start, 0);
+ alloc(ctx, prog, 0);
}
}
+static void *default_alloc(void *ctx, void *p, int n)
+{
+ return realloc(p, (size_t)n);
+}
+
+Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
+{
+ return regcompx(default_alloc, NULL, pattern, cflags, errorp);
+}
+
+void regfree(Reprog *prog)
+{
+ regfreex(default_alloc, NULL, prog);
+}
+
/* Match */
static int isnewline(int c)
diff --git a/thirdparty/mujs/regexp.h b/thirdparty/mujs/regexp.h
index 4bb4615..6bb73e8 100644
--- a/thirdparty/mujs/regexp.h
+++ b/thirdparty/mujs/regexp.h
@@ -1,6 +1,8 @@
#ifndef regexp_h
#define regexp_h
+#define regcompx js_regcompx
+#define regfreex js_regfreex
#define regcomp js_regcomp
#define regexec js_regexec
#define regfree js_regfree
@@ -8,6 +10,11 @@
typedef struct Reprog Reprog;
typedef struct Resub Resub;
+Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
+ const char *pattern, int cflags, const char **errorp);
+void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
+ Reprog *prog);
+
Reprog *regcomp(const char *pattern, int cflags, const char **errorp);
int regexec(Reprog *prog, const char *string, Resub *sub, int eflags);
void regfree(Reprog *prog);
--
2.9.1

View file

@ -1,36 +0,0 @@
Fix CVE-2016-10133:
https://bugs.ghostscript.com/show_bug.cgi?id=697401
http://seclists.org/oss-sec/2017/q1/74
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10133
Patch lifted from upstream source repository:
https://git.ghostscript.com/?p=mujs.git;h=77ab465f1c394bb77f00966cd950650f3f53cb24
From 77ab465f1c394bb77f00966cd950650f3f53cb24 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@gmail.com>
Date: Thu, 12 Jan 2017 14:47:01 +0100
Subject: [PATCH] Fix 697401: Error when dropping extra arguments to
lightweight functions.
---
thirdparty/mujs/jsrun.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/thirdparty/mujs/jsrun.c b/thirdparty/mujs/jsrun.c
index ee80845..782a6f9 100644
--- a/thirdparty/mujs/jsrun.c
+++ b/thirdparty/mujs/jsrun.c
@@ -937,7 +937,7 @@ static void jsR_calllwfunction(js_State *J, int n, js_Function *F, js_Environmen
jsR_savescope(J, scope);
if (n > F->numparams) {
- js_pop(J, F->numparams - n);
+ js_pop(J, n - F->numparams);
n = F->numparams;
}
for (i = n; i < F->varlen; ++i)
--
2.9.1

View file

@ -531,7 +531,7 @@ (define-public podofo
(define-public mupdf
(package
(name "mupdf")
(version "1.10a")
(version "1.11")
(source
(origin
(method url-fetch)
@ -539,10 +539,8 @@ (define-public mupdf
name "-" version "-source.tar.gz"))
(sha256
(base32
"0dm8wcs8i29aibzkqkrn8kcnk4q0kd1v66pg48h5c3qqp4v1zk5a"))
(patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
"mupdf-mujs-CVE-2016-10132.patch"
"mupdf-mujs-CVE-2016-10133.patch"))
"02phamcchgsmvjnb3ir7r5sssvx9fcrscn297z73b82n1jl79510"))
(patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"))
(modules '((guix build utils)))
(snippet
;; Delete all the bundled libraries except for mujs, which is
@ -554,7 +552,7 @@ (define-public mupdf
"thirdparty/glfw"
"thirdparty/harfbuzz"
"thirdparty/jbig2dec"
"thirdparty/jpeg"
"thirdparty/libjpeg"
"thirdparty/openjpeg"
"thirdparty/zlib")))))
(build-system gnu-build-system)