From da88d59031aba424c15c9a66fd954f5ebab39e9d Mon Sep 17 00:00:00 2001
From: Michael J Gruber
Date: Wed, 14 Feb 2018 14:36:29 +0100
Subject: [PATCH] CVE-2018-6187
---
 mupdf-1.12-CVE-2018-6187.patch | 78 ++++++++++++++++++++++++++++++++++
 mupdf.spec | 7 ++-
 2 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 mupdf-1.12-CVE-2018-6187.patch
diff --git a/mupdf-1.12-CVE-2018-6187.patch b/mupdf-1.12-CVE-2018-6187.patch
new file mode 100644
index 0000000..76cae84
--- /dev/null
+++ b/mupdf-1.12-CVE-2018-6187.patch
@@ -0,0 +1,78 @@
+From 6ba8c036e9a2147156a426550d97144d16f4cd02 Mon Sep 17 00:00:00 2001
+Message-Id: <6ba8c036e9a2147156a426550d97144d16f4cd02.1518615186.git.mjg@fedoraproject.org>
+From: Sebastian Rasmussen
+Date: Mon, 29 Jan 2018 23:40:19 +0100
+Subject: [PATCH] Bug 698908: Resize object use and renumbering lists after
+ repair.
+
+Previously repair might end up increasing xref_len, but the lists
+were not correspodingly expanded, leading to ASAN complaints.
+
+Signed-off-by: Michael J Gruber
+---
+ source/pdf/pdf-write.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/source/pdf/pdf-write.c b/source/pdf/pdf-write.c
+index 9fcdbf0a..beb49252 100644
+--- a/source/pdf/pdf-write.c
++++ b/source/pdf/pdf-write.c
+@@ -633,7 +633,8 @@ expand_lists(fz_context *ctx, pdf_write_state *opts, int num)
+ {
+ int i;
+ 
+- num++;
++ /* objects are numbered 0..num and maybe two additional objects for linearization */
++ num += 3;
+ opts->use_list = fz_resize_array(ctx, opts->use_list, num, sizeof(*opts->use_list));
+ opts->ofs_list = fz_resize_array(ctx, opts->ofs_list, num, sizeof(*opts->ofs_list));
+ opts->gen_list = fz_resize_array(ctx, opts->gen_list, num, sizeof(*opts->gen_list));
+@@ -1522,9 +1523,9 @@ static void preloadobjstms(fz_context *ctx, pdf_document *doc)
+ {
+ pdf_obj *obj;
+ int num;
+- int xref_len = pdf_xref_len(ctx, doc);
+ 
+- for (num = 0; num < xref_len; num++)
++ /* xref_len may change due to repair, so check it every iteration */
++ for (num = 0; num < pdf_xref_len(ctx, doc); num++)
+ {
+ if (pdf_get_xref_entry(ctx, doc, num)->type == 'o')
+ {
+@@ -2755,7 +2756,7 @@ static void initialise_write_state(fz_context *ctx, pdf_document *doc, const pdf
+ opts->continue_on_error = in_opts->continue_on_error;
+ opts->errors = in_opts->errors;
+ 
+- expand_lists(ctx, opts, xref_len + 3);
++ expand_lists(ctx, opts, xref_len);
+ }
+ 
+ /* Free the resources held by the dynamic write options */
+@@ -2892,6 +2893,8 @@ do_pdf_save_document(fz_context *ctx, pdf_document *doc, pdf_write_state *opts,
+ {
+ pdf_ensure_solid_xref(ctx, doc, xref_len);
+ preloadobjstms(ctx, doc);
++ xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
++ expand_lists(ctx, opts, xref_len);
+ }
+ 
+ /* Sweep & mark objects from the trailer */
+@@ -2900,6 +2903,7 @@ do_pdf_save_document(fz_context *ctx, pdf_document *doc, pdf_write_state *opts,
+ else
+ {
+ xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
++ expand_lists(ctx, opts, xref_len);
+ for (num = 0; num < xref_len; num++)
+ opts->use_list[num] = 1;
+ }
+@@ -2920,6 +2924,7 @@ do_pdf_save_document(fz_context *ctx, pdf_document *doc, pdf_write_state *opts,
+ if ((opts->do_garbage >= 2 || opts->do_linear) && !opts->do_incremental)
+ {
+ xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
++ expand_lists(ctx, opts, xref_len);
+ while (xref_len > 0 && !opts->use_list[xref_len-1])
+ xref_len--;
+ }
+-- 
+2.16.1.312.g365a692731
+
diff --git a/mupdf.spec b/mupdf.spec
index f449db2..76ed031 100644
--- a/mupdf.spec
+++ b/mupdf.spec
@@ -1,6 +1,6 @@
 Name: mupdf
 Version: 1.12.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: A lightweight PDF viewer and toolkit
 Group: Applications/Publishing
 License: GPLv3
@@ -15,6 +15,7 @@ BuildRequires: mesa-libGL-devel freeglut-devel
 Patch0: %{name}-1.12-openjpeg.patch
 Patch1: %{name}-1.12-CVE-2017-17858.patch
 Patch2: %{name}-1.12-CVE-2018-5686.patch
+Patch3: %{name}-1.12-CVE-2018-6187.patch
 
 %description
 MuPDF is a lightweight PDF viewer and toolkit written in portable C.
@@ -47,6 +48,7 @@ rm -rf thirdparty
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 export XCFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
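Review bot: In the source/pdf/pdf-write.c patch added above, expand_lists() is now called after every xref_len re-read in do_pdf_save_document, but the visible start of the function resizes use_list, ofs_list and gen_list to whatever `num + 3` comes out as, so a call with a smaller xref_len would shrink arrays that later code may still index by earlier object numbers. The rest of expand_lists lies outside the hunk, so this is inferred; if it has no such guard, add a grow-only check right after `num += 3;`, for example `if (num <= opts->list_len) return;` (assuming the write state tracks the allocated length in a field such as upstream's `list_len`). The resync pair `xref_len = pdf_xref_len(ctx, doc);` / `expand_lists(ctx, opts, xref_len);` is also repeated by hand at three sites, and any other path that can trigger a repair before these lists are indexed needs it too, so a small helper that does both would be easier to audit.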
@@ -87,6 +89,9 @@ update-desktop-database &> /dev/null || :
 * Thu Feb 08 2018 Fedora Release Engineering - 1.12.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 
+* Tue Feb 06 2018 Michael J Gruber - 1.12.0-4
+- CVE-2018-6187 (rh bz #1538432 #1538433) (gs bz #698908)
+
 * Wed Jan 24 2018 Michael J Gruber - 1.12.0-2
 - CVE-2017-17858 (rh bz #1537952) (gs bz #698819)
 - CVE-2018-5686 (gs bz #698860)