rpms
/
mupdf
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

CVE-2017-17858 CVE-2018-5686

Browse Source
epel9
Michael J Gruber 7 years ago
parent 1d0b5ef41d
commit d859ab39fe
3 changed files with 172 additions and 2 deletions
Show Stats Download Patch File Download Diff File

104
mupdf-1.12-CVE-2017-17858.patch
Unescape View File

@ -0,0 +1,104 @@
From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001
Message-Id: <55c3f68d638ac1263a386e0aaa004bb6e8bde731.1516782952.git.mjg@fedoraproject.org>
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Mon, 11 Dec 2017 14:09:15 +0100
Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below
limit.
This ensures that:
* xref tables with objects pointers do not grow out of bounds.
* other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf.
Signed-off-by: Michael J Gruber <mjg@fedoraproject.org>
---
include/mupdf/pdf/object.h | 3 +++
source/pdf/pdf-repair.c | 5 +----
source/pdf/pdf-xref.c | 21 ++++++++++++---------
3 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
index 21ed8595..4177112b 100644
--- a/include/mupdf/pdf/object.h
+++ b/include/mupdf/pdf/object.h
@@ -3,6 +3,9 @@
typedef struct pdf_document_s pdf_document;
+/* Defined in PDF 1.7 according to Acrobat limit. */
+#define PDF_MAX_OBJECT_NUMBER 8388607
+
/*
* Dynamic objects.
* The same type of objects as found in PDF and PostScript.
diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
index ca149bd3..0c29758e 100644
--- a/source/pdf/pdf-repair.c
+++ b/source/pdf/pdf-repair.c
@@ -6,9 +6,6 @@
/* Scan file for objects and reconstruct xref table */
-/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */
-#define MAX_OBJECT_NUMBER (10 << 20)
-
struct entry
{
int num;
@@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
break;
}
- if (num <= 0 || num > MAX_OBJECT_NUMBER)
+ if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER)
{
fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen);
goto have_next_token;
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 00586dbd..6284e70b 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR);
}
- if (ofs < 0)
- fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs);
- if (ofs > INT64_MAX - len)
- fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big");
-
+ if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER
+ || len < 0 || len > PDF_MAX_OBJECT_NUMBER
+ || ofs + len - 1 > PDF_MAX_OBJECT_NUMBER)
+ {
+ fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
+ }
/* broken pdfs where size in trailer undershoots entries in xref sections */
if (ofs + len > xref_len)
{
@@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, in
pdf_xref_entry *table;
int i, n;
- if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1)
- fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
- //if (i0 + i1 > pdf_xref_len(ctx, doc))
- // fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
+ if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
table = pdf_xref_find_subsection(ctx, doc, i0, i1);
for (i = i0; i < i0 + i1; i++)
@@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_document *doc)
/* TODO: reuse free object slots by properly linking free object chains in the ofs field */
pdf_xref_entry *entry;
int num = pdf_xref_len(ctx, doc);
+
+ if (num > PDF_MAX_OBJECT_NUMBER)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in pdf");
+
entry = pdf_get_incremental_xref_entry(ctx, doc, num);
entry->type = 'f';
entry->ofs = -1;
--
2.16.1.338.gd8f744ddde

59
mupdf-1.12-CVE-2018-5686.patch
Unescape View File

@ -0,0 +1,59 @@
From b70eb93f6936c03d8af52040bbca4d4a7db39079 Mon Sep 17 00:00:00 2001
Message-Id: <b70eb93f6936c03d8af52040bbca4d4a7db39079.1516784329.git.mjg@fedoraproject.org>
From: Tor Andersson <tor.andersson@artifex.com>
Date: Tue, 9 Jan 2018 13:52:41 +0100
Subject: [PATCH] Don't allow reading from a 'dead' fz_stream.
Once a stream has thrown an exception or reached EOF,
don't allow further reading.
The EOF flag is reset when fz_seek is invoked.
Signed-off-by: Michael J Gruber <mjg@fedoraproject.org>
---
include/mupdf/fitz/stream.h | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/include/mupdf/fitz/stream.h b/include/mupdf/fitz/stream.h
index cd26be90..790a0a83 100644
--- a/include/mupdf/fitz/stream.h
+++ b/include/mupdf/fitz/stream.h
@@ -335,10 +335,11 @@ static inline size_t fz_available(fz_context *ctx, fz_stream *stm, size_t max)
if (len)
return len;
+ if (stm->eof)
+ return 0;
+
fz_try(ctx)
- {
c = stm->next(ctx, stm, max);
- }
fz_catch(ctx)
{
fz_rethrow_if(ctx, FZ_ERROR_TRYLATER);
@@ -369,10 +370,10 @@ static inline int fz_read_byte(fz_context *ctx, fz_stream *stm)
if (stm->rp != stm->wp)
return *stm->rp++;
+ if (stm->eof)
+ return EOF;
fz_try(ctx)
- {
c = stm->next(ctx, stm, 1);
- }
fz_catch(ctx)
{
fz_rethrow_if(ctx, FZ_ERROR_TRYLATER);
@@ -398,6 +399,8 @@ static inline int fz_peek_byte(fz_context *ctx, fz_stream *stm)
if (stm->rp != stm->wp)
return *stm->rp;
+ if (stm->eof)
+ return EOF;
c = stm->next(ctx, stm, 1);
if (c != EOF)
--
2.16.1.338.gd8f744ddde

11
mupdf.spec
Unescape View File

@ -1,6 +1,6 @@
Name: mupdf Name: mupdf
Version: 1.12.0 Version: 1.12.0
Release: 1%{?dist} Release: 2%{?dist}
Summary: A lightweight PDF viewer and toolkit Summary: A lightweight PDF viewer and toolkit
Group: Applications/Publishing Group: Applications/Publishing
License: GPLv3 License: GPLv3
@ -13,7 +13,8 @@ BuildRequires: libjpeg-devel freetype-devel libXext-devel curl-devel
BuildRequires: harfbuzz-devel BuildRequires: harfbuzz-devel
BuildRequires: mesa-libGL-devel freeglut-devel BuildRequires: mesa-libGL-devel freeglut-devel
Patch0: %{name}-1.12-openjpeg.patch Patch0: %{name}-1.12-openjpeg.patch
Patch1: %{name}-1.12-CVE-2017-17858.patch
Patch2: %{name}-1.12-CVE-2018-5686.patch
%description %description
MuPDF is a lightweight PDF viewer and toolkit written in portable C. MuPDF is a lightweight PDF viewer and toolkit written in portable C.
@ -44,6 +45,8 @@ applications that use mupdf and static libraries
%setup -q -n %{name}-%{version}-source %setup -q -n %{name}-%{version}-source
rm -rf thirdparty rm -rf thirdparty
%patch0 -p1 %patch0 -p1
%patch1 -p1
%patch2 -p1
%build %build
export XCFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK" export XCFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
@ -81,6 +84,10 @@ update-desktop-database &> /dev/null || :
%{_libdir}/lib%{name}*.a %{_libdir}/lib%{name}*.a
%changelog %changelog
* Wed Jan 24 2018 Michael J Gruber <mjg@fedoraproject.org> - 1.12.0-2
- CVE-2017-17858 (rh bz #1537952) (gs bz #698819)
- CVE-2018-5686 (gs bz #698860)
* Thu Dec 14 2017 Michael J Gruber <mjg@fedoraproject.org> - 1.12.0-1 * Thu Dec 14 2017 Michael J Gruber <mjg@fedoraproject.org> - 1.12.0-1
- rebase to 1.12 - rebase to 1.12
- follow switch from GLFW to GLUT - follow switch from GLFW to GLUT

Write Preview
Loading…
Cancel
Save