rpms
/
mupdf
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix buffer overflow in pdf-layer.c (#1439643)

Browse Source
epel9
Pavel Zhukov 8 years ago
parent 71ac78f599
commit 20aa2225f8
2 changed files with 51 additions and 1 deletions
Show Stats Download Patch File Download Diff File

44
mupdf-bz1439643.patch
Unescape View File

@ -0,0 +1,44 @@
commit 2590fed7a355a421f062ebd4293df892800fa7ac
Author: Sebastian Rasmussen <sebras@gmail.com>
Date: Thu Dec 1 17:15:27 2016 -0500
Bug 697400: Mark visited objects when counting OCG layer entries.
diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c
index 3296b6c..fc29c9d 100644
--- a/source/pdf/pdf-layer.c
+++ b/source/pdf/pdf-layer.c
@@ -90,7 +90,14 @@ count_entries(fz_context *ctx, pdf_obj *obj)
for (i = 0; i < len; i++)
{
pdf_obj *o = pdf_array_get(ctx, obj, i);
- count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
+ if (pdf_mark_obj(ctx, o))
+ continue;
+ fz_try(ctx)
+ count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
+ fz_always(ctx)
+ pdf_unmark_obj(ctx, o);
+ fz_catch(ctx)
+ fz_rethrow(ctx);
}
return count;
}
@@ -106,7 +113,16 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
pdf_obj *o = pdf_array_get(ctx, order, i);
if (pdf_is_array(ctx, o))
{
- ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
+ if (pdf_mark_obj(ctx, o))
+ continue;
+
+ fz_try(ctx)
+ ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
+ fz_always(ctx)
+ pdf_unmark_obj(ctx, o);
+ fz_catch(ctx)
+ fz_rethrow(ctx);
+
continue;
}
ui->depth = depth;

8
mupdf.spec
Unescape View File

@ -1,6 +1,6 @@
Name: mupdf Name: mupdf
Version: 1.10a Version: 1.10a
Release: 4%{?dist} Release: 5%{?dist}
Summary: A lightweight PDF viewer and toolkit Summary: A lightweight PDF viewer and toolkit
Group: Applications/Publishing Group: Applications/Publishing
License: GPLv3 License: GPLv3
@ -15,6 +15,8 @@ Patch0: %{name}-1.10a-openjpeg.patch
## https://bugzilla.redhat.com/show_bug.cgi?id=1425338 ## https://bugzilla.redhat.com/show_bug.cgi?id=1425338
Patch1: %{name}-Bug-697500-Fix-NULL-ptr-access.patch Patch1: %{name}-Bug-697500-Fix-NULL-ptr-access.patch
Patch2: %{name}-bug-697515-Fix-out-of-bounds-read-in-fz_subsample_pi.patch Patch2: %{name}-bug-697515-Fix-out-of-bounds-read-in-fz_subsample_pi.patch
Patch3: %{name}-bz1439643.patch
%description %description
MuPDF is a lightweight PDF viewer and toolkit written in portable C. MuPDF is a lightweight PDF viewer and toolkit written in portable C.
@ -47,6 +49,7 @@ rm -rf thirdparty
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
%build %build
export CFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK" export CFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
@ -84,6 +87,9 @@ update-desktop-database &> /dev/null || :
%{_libdir}/lib%{name}*.a %{_libdir}/lib%{name}*.a
%changelog %changelog
* Thu Apr 6 2017 Pavel Zhukov <landgraf@fedoraproject.org> - 1.10a-5
- Fix stack consumption CVE (#1439643)
* Thu Mar 2 2017 Pavel Zhukov <landgraf@fedoraproject.org> - 1.10a-4 * Thu Mar 2 2017 Pavel Zhukov <landgraf@fedoraproject.org> - 1.10a-4
- fix buffer overflow (#1425338) - fix buffer overflow (#1425338)

Write Preview
Loading…
Cancel
Save