From cf0035cae3a07cdedf8a79cb523105b67581d126 Mon Sep 17 00:00:00 2001
From: Michael J Gruber <mjg@fedoraproject.org>
Date: Thu, 15 Nov 2018 10:05:50 +0100
Subject: [PATCH] bz #1626481 #1626484

---
 mupdf-CVE-2018-16648.patch | 48 ++++++++++++++++++++++++++++++++++++++
 mupdf.spec                 |  7 +++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 mupdf-CVE-2018-16648.patch

diff --git a/mupdf-CVE-2018-16648.patch b/mupdf-CVE-2018-16648.patch
new file mode 100644
index 0000000..54f64b6
--- /dev/null
+++ b/mupdf-CVE-2018-16648.patch
@@ -0,0 +1,48 @@
+From 38f883fe129a5e89306252a4676eaaf4bc968824 Mon Sep 17 00:00:00 2001
+Message-Id: <38f883fe129a5e89306252a4676eaaf4bc968824.1542272532.git.mjg@fedoraproject.org>
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Mon, 22 Oct 2018 17:16:35 +0200
+Subject: [PATCH] Fix text used as clip mask in pdfwrite device.
+
+Push the clip state, and pass the correct text rendering mode state.
+---
+ source/pdf/pdf-device.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c
+index 4dd729b8..427e3b38 100644
+--- a/source/pdf/pdf-device.c
++++ b/source/pdf/pdf-device.c
+@@ -734,9 +734,13 @@ pdf_dev_clip_text(fz_context *ctx, fz_device *dev, const fz_text *text, fz_matri
+ {
+ 	pdf_device *pdev = (pdf_device*)dev;
+ 	fz_text_span *span;
++
++	pdf_dev_end_text(ctx, pdev);
++	pdf_dev_push(ctx, pdev);
++
+ 	for (span = text->head; span; span = span->next)
+ 	{
+-		pdf_dev_begin_text(ctx, pdev, span->trm, 0);
++		pdf_dev_begin_text(ctx, pdev, span->trm, 7);
+ 		pdf_dev_ctm(ctx, pdev, ctm);
+ 		pdf_dev_font(ctx, pdev, span->font);
+ 		pdf_dev_text_span(ctx, pdev, span);
+@@ -748,9 +752,13 @@ pdf_dev_clip_stroke_text(fz_context *ctx, fz_device *dev, const fz_text *text, c
+ {
+ 	pdf_device *pdev = (pdf_device*)dev;
+ 	fz_text_span *span;
++
++	pdf_dev_end_text(ctx, pdev);
++	pdf_dev_push(ctx, pdev);
++
+ 	for (span = text->head; span; span = span->next)
+ 	{
+-		pdf_dev_begin_text(ctx, pdev, span->trm, 0);
++		pdf_dev_begin_text(ctx, pdev, span->trm, 7);
+ 		pdf_dev_font(ctx, pdev, span->font);
+ 		pdf_dev_ctm(ctx, pdev, ctm);
+ 		pdf_dev_text_span(ctx, pdev, span);
+-- 
+2.19.1.1238.g4b45f61cc0
+
diff --git a/mupdf.spec b/mupdf.spec
index 6c97667..c1384e1 100644
--- a/mupdf.spec
+++ b/mupdf.spec
@@ -1,6 +1,6 @@
 Name:           mupdf
 Version:        1.14.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A lightweight PDF viewer and toolkit
 Group:          Applications/Publishing
 License:        AGPLv3+
@@ -24,6 +24,7 @@ Provides:       bundled(freeglut-devel) = 3.0.0
 Provides:       bundled(mujs-devel) = 1.0.5
 Patch0:         0001-fix-build-on-big-endian.patch
 Patch1:         mupdf-CVE-2018-16647.patch
+Patch2:         mupdf-CVE-2018-16648.patch
 
 %description
 MuPDF is a lightweight PDF viewer and toolkit written in portable C.
@@ -58,6 +59,7 @@ do
 done
 %patch0 -p1 -d thirdparty/lcms2
 %patch1 -p1
+%patch2 -p1
 echo > user.make "\
   USE_SYSTEM_FREETYPE := yes
   USE_SYSTEM_HARFBUZZ := yes
@@ -111,6 +113,9 @@ update-desktop-database &> /dev/null || :
 %{_libdir}/lib%{name}*.a
 
 %changelog
+* Thu Nov 15 2018 Michael J Gruber <mjg@fedoraproject.org> - 1.14.0-3
+- bz #1626481 #1626484
+
 * Thu Nov 15 2018 Michael J Gruber <mjg@fedoraproject.org> - 1.14.0-2
 - bz #1626483 #1626484