From d859ab39fea533ca7981a44842ac1a4724e87dbd Mon Sep 17 00:00:00 2001
From: Michael J Gruber <mjg@fedoraproject.org>
Date: Wed, 24 Jan 2018 09:55:14 +0100
Subject: [PATCH] CVE-2017-17858 CVE-2018-5686

---
 mupdf-1.12-CVE-2017-17858.patch | 104 ++++++++++++++++++++++++++++++++
 mupdf-1.12-CVE-2018-5686.patch  |  59 ++++++++++++++++++
 mupdf.spec                      |  11 +++-
 3 files changed, 172 insertions(+), 2 deletions(-)
 create mode 100644 mupdf-1.12-CVE-2017-17858.patch
 create mode 100644 mupdf-1.12-CVE-2018-5686.patch

diff --git a/mupdf-1.12-CVE-2017-17858.patch b/mupdf-1.12-CVE-2017-17858.patch
new file mode 100644
index 0000000..6f15ff5
--- /dev/null
+++ b/mupdf-1.12-CVE-2017-17858.patch
@@ -0,0 +1,104 @@
+From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001
+Message-Id: <55c3f68d638ac1263a386e0aaa004bb6e8bde731.1516782952.git.mjg@fedoraproject.org>
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Mon, 11 Dec 2017 14:09:15 +0100
+Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below
+ limit.
+
+This ensures that:
+ * xref tables with objects pointers do not grow out of bounds.
+ * other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf.
+
+Signed-off-by: Michael J Gruber <mjg@fedoraproject.org>
+---
+ include/mupdf/pdf/object.h |  3 +++
+ source/pdf/pdf-repair.c    |  5 +----
+ source/pdf/pdf-xref.c      | 21 ++++++++++++---------
+ 3 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
+index 21ed8595..4177112b 100644
+--- a/include/mupdf/pdf/object.h
++++ b/include/mupdf/pdf/object.h
+@@ -3,6 +3,9 @@
+ 
+ typedef struct pdf_document_s pdf_document;
+ 
++/* Defined in PDF 1.7 according to Acrobat limit. */
++#define PDF_MAX_OBJECT_NUMBER 8388607
++
+ /*
+  * Dynamic objects.
+  * The same type of objects as found in PDF and PostScript.
+diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
+index ca149bd3..0c29758e 100644
+--- a/source/pdf/pdf-repair.c
++++ b/source/pdf/pdf-repair.c
+@@ -6,9 +6,6 @@
+ 
+ /* Scan file for objects and reconstruct xref table */
+ 
+-/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */
+-#define MAX_OBJECT_NUMBER (10 << 20)
+-
+ struct entry
+ {
+ 	int num;
+@@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
+ 					break;
+ 				}
+ 
+-				if (num <= 0 || num > MAX_OBJECT_NUMBER)
++				if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER)
+ 				{
+ 					fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen);
+ 					goto have_next_token;
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 00586dbd..6284e70b 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ 			fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR);
+ 		}
+ 
+-		if (ofs < 0)
+-			fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs);
+-		if (ofs > INT64_MAX - len)
+-			fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big");
+-
++		if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER
++				|| len < 0 || len > PDF_MAX_OBJECT_NUMBER
++				|| ofs + len - 1 > PDF_MAX_OBJECT_NUMBER)
++		{
++			fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
++		}
+ 		/* broken pdfs where size in trailer undershoots entries in xref sections */
+ 		if (ofs + len > xref_len)
+ 		{
+@@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, in
+ 	pdf_xref_entry *table;
+ 	int i, n;
+ 
+-	if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1)
+-		fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+-	//if (i0 + i1 > pdf_xref_len(ctx, doc))
+-	//	fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
++	if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER)
++		fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
+ 
+ 	table = pdf_xref_find_subsection(ctx, doc, i0, i1);
+ 	for (i = i0; i < i0 + i1; i++)
+@@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_document *doc)
+ 	/* TODO: reuse free object slots by properly linking free object chains in the ofs field */
+ 	pdf_xref_entry *entry;
+ 	int num = pdf_xref_len(ctx, doc);
++
++	if (num > PDF_MAX_OBJECT_NUMBER)
++		fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in pdf");
++
+ 	entry = pdf_get_incremental_xref_entry(ctx, doc, num);
+ 	entry->type = 'f';
+ 	entry->ofs = -1;
+-- 
+2.16.1.338.gd8f744ddde
+
diff --git a/mupdf-1.12-CVE-2018-5686.patch b/mupdf-1.12-CVE-2018-5686.patch
new file mode 100644
index 0000000..1613d5b
--- /dev/null
+++ b/mupdf-1.12-CVE-2018-5686.patch
@@ -0,0 +1,59 @@
+From b70eb93f6936c03d8af52040bbca4d4a7db39079 Mon Sep 17 00:00:00 2001
+Message-Id: <b70eb93f6936c03d8af52040bbca4d4a7db39079.1516784329.git.mjg@fedoraproject.org>
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 9 Jan 2018 13:52:41 +0100
+Subject: [PATCH] Don't allow reading from a 'dead' fz_stream.
+
+Once a stream has thrown an exception or reached EOF,
+don't allow further reading.
+
+The EOF flag is reset when fz_seek is invoked.
+
+Signed-off-by: Michael J Gruber <mjg@fedoraproject.org>
+---
+ include/mupdf/fitz/stream.h | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/include/mupdf/fitz/stream.h b/include/mupdf/fitz/stream.h
+index cd26be90..790a0a83 100644
+--- a/include/mupdf/fitz/stream.h
++++ b/include/mupdf/fitz/stream.h
+@@ -335,10 +335,11 @@ static inline size_t fz_available(fz_context *ctx, fz_stream *stm, size_t max)
+ 
+ 	if (len)
+ 		return len;
++	if (stm->eof)
++		return 0;
++
+ 	fz_try(ctx)
+-	{
+ 		c = stm->next(ctx, stm, max);
+-	}
+ 	fz_catch(ctx)
+ 	{
+ 		fz_rethrow_if(ctx, FZ_ERROR_TRYLATER);
+@@ -369,10 +370,10 @@ static inline int fz_read_byte(fz_context *ctx, fz_stream *stm)
+ 
+ 	if (stm->rp != stm->wp)
+ 		return *stm->rp++;
++	if (stm->eof)
++		return EOF;
+ 	fz_try(ctx)
+-	{
+ 		c = stm->next(ctx, stm, 1);
+-	}
+ 	fz_catch(ctx)
+ 	{
+ 		fz_rethrow_if(ctx, FZ_ERROR_TRYLATER);
+@@ -398,6 +399,8 @@ static inline int fz_peek_byte(fz_context *ctx, fz_stream *stm)
+ 
+ 	if (stm->rp != stm->wp)
+ 		return *stm->rp;
++	if (stm->eof)
++		return EOF;
+ 
+ 	c = stm->next(ctx, stm, 1);
+ 	if (c != EOF)
+-- 
+2.16.1.338.gd8f744ddde
+
diff --git a/mupdf.spec b/mupdf.spec
index 9dbe684..77f1a81 100644
--- a/mupdf.spec
+++ b/mupdf.spec
@@ -1,6 +1,6 @@
 Name:           mupdf
 Version:        1.12.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A lightweight PDF viewer and toolkit
 Group:          Applications/Publishing
 License:        GPLv3
@@ -13,7 +13,8 @@ BuildRequires:  libjpeg-devel freetype-devel libXext-devel curl-devel
 BuildRequires:  harfbuzz-devel
 BuildRequires:  mesa-libGL-devel freeglut-devel
 Patch0:         %{name}-1.12-openjpeg.patch
-
+Patch1:         %{name}-1.12-CVE-2017-17858.patch
+Patch2:         %{name}-1.12-CVE-2018-5686.patch
 
 %description
 MuPDF is a lightweight PDF viewer and toolkit written in portable C.
@@ -44,6 +45,8 @@ applications that use mupdf and static libraries
 %setup -q -n %{name}-%{version}-source
 rm -rf thirdparty
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 %build
 export XCFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
@@ -81,6 +84,10 @@ update-desktop-database &> /dev/null || :
 %{_libdir}/lib%{name}*.a
 
 %changelog
+* Wed Jan 24 2018 Michael J Gruber <mjg@fedoraproject.org> - 1.12.0-2
+- CVE-2017-17858 (rh bz #1537952) (gs bz #698819)
+- CVE-2018-5686 (gs bz #698860)
+
 * Thu Dec 14 2017 Michael J Gruber <mjg@fedoraproject.org> - 1.12.0-1
 - rebase to 1.12
 - follow switch from GLFW to GLUT