summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk4
-rw-r--r--gnu/packages/patches/mupdf-CVE-2017-17858.patch111
-rw-r--r--gnu/packages/patches/mupdf-CVE-2018-1000051.patch88
-rw-r--r--gnu/packages/patches/mupdf-CVE-2018-6544.patch109
-rw-r--r--gnu/packages/patches/mupdf-build-with-latest-openjpeg.patch27
-rw-r--r--gnu/packages/pdf.scm12
6 files changed, 4 insertions, 347 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 7987f8ad91..d55276fb33 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -932,10 +932,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/mozjs38-tracelogger.patch		\
   %D%/packages/patches/mozjs38-version-detection.patch		\
   %D%/packages/patches/mumps-build-parallelism.patch		\
-  %D%/packages/patches/mupdf-build-with-latest-openjpeg.patch	\
-  %D%/packages/patches/mupdf-CVE-2017-17858.patch		\
-  %D%/packages/patches/mupdf-CVE-2018-6544.patch		\
-  %D%/packages/patches/mupdf-CVE-2018-1000051.patch		\
   %D%/packages/patches/mupen64plus-ui-console-notice.patch	\
   %D%/packages/patches/mupen64plus-video-z64-glew-correct-path.patch    \
   %D%/packages/patches/mutt-store-references.patch		\
diff --git a/gnu/packages/patches/mupdf-CVE-2017-17858.patch b/gnu/packages/patches/mupdf-CVE-2017-17858.patch
deleted file mode 100644
index 66df127509..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2017-17858.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-Fix CVE-2017-17858:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17858
-https://bugs.ghostscript.com/show_bug.cgi?id=698819
-https://github.com/mzet-/Security-Advisories/blob/master/mzet-adv-2017-01.md
-
-Patch copied from upstream source repository:
-
-https://git.ghostscript.com/?p=mupdf.git;a=commit;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731
-
-From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001
-From: Sebastian Rasmussen <sebras@gmail.com>
-Date: Mon, 11 Dec 2017 14:09:15 +0100
-Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below
- limit.
-
-This ensures that:
- * xref tables with objects pointers do not grow out of bounds.
- * other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf.
----
- include/mupdf/pdf/object.h |  3 +++
- source/pdf/pdf-repair.c    |  5 +----
- source/pdf/pdf-xref.c      | 21 ++++++++++++---------
- 3 files changed, 16 insertions(+), 13 deletions(-)
-
-diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
-index 21ed8595..4177112b 100644
---- a/include/mupdf/pdf/object.h
-+++ b/include/mupdf/pdf/object.h
-@@ -3,6 +3,9 @@
- 
- typedef struct pdf_document_s pdf_document;
- 
-+/* Defined in PDF 1.7 according to Acrobat limit. */
-+#define PDF_MAX_OBJECT_NUMBER 8388607
-+
- /*
-  * Dynamic objects.
-  * The same type of objects as found in PDF and PostScript.
-diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
-index ca149bd3..0c29758e 100644
---- a/source/pdf/pdf-repair.c
-+++ b/source/pdf/pdf-repair.c
-@@ -6,9 +6,6 @@
- 
- /* Scan file for objects and reconstruct xref table */
- 
--/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */
--#define MAX_OBJECT_NUMBER (10 << 20)
--
- struct entry
- {
- 	int num;
-@@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
- 					break;
- 				}
- 
--				if (num <= 0 || num > MAX_OBJECT_NUMBER)
-+				if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER)
- 				{
- 					fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen);
- 					goto have_next_token;
-diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
-index 00586dbd..6284e70b 100644
---- a/source/pdf/pdf-xref.c
-+++ b/source/pdf/pdf-xref.c
-@@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
- 			fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR);
- 		}
- 
--		if (ofs < 0)
--			fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs);
--		if (ofs > INT64_MAX - len)
--			fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big");
--
-+		if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER
-+				|| len < 0 || len > PDF_MAX_OBJECT_NUMBER
-+				|| ofs + len - 1 > PDF_MAX_OBJECT_NUMBER)
-+		{
-+			fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
-+		}
- 		/* broken pdfs where size in trailer undershoots entries in xref sections */
- 		if (ofs + len > xref_len)
- 		{
-@@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, in
- 	pdf_xref_entry *table;
- 	int i, n;
- 
--	if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1)
--		fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
--	//if (i0 + i1 > pdf_xref_len(ctx, doc))
--	//	fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
-+	if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER)
-+		fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
- 
- 	table = pdf_xref_find_subsection(ctx, doc, i0, i1);
- 	for (i = i0; i < i0 + i1; i++)
-@@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_document *doc)
- 	/* TODO: reuse free object slots by properly linking free object chains in the ofs field */
- 	pdf_xref_entry *entry;
- 	int num = pdf_xref_len(ctx, doc);
-+
-+	if (num > PDF_MAX_OBJECT_NUMBER)
-+		fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in pdf");
-+
- 	entry = pdf_get_incremental_xref_entry(ctx, doc, num);
- 	entry->type = 'f';
- 	entry->ofs = -1;
--- 
-2.16.1
-
diff --git a/gnu/packages/patches/mupdf-CVE-2018-1000051.patch b/gnu/packages/patches/mupdf-CVE-2018-1000051.patch
deleted file mode 100644
index bb78c46f80..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2018-1000051.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-Fix CVE-2018-1000051:
-
-https://bugs.ghostscript.com/show_bug.cgi?id=698873
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000051
-
-Patch copied from upstream source repository:
-
-https://git.ghostscript.com/?p=mupdf.git;a=commit;h=321ba1de287016b0036bf4a56ce774ad11763384
-
-From 321ba1de287016b0036bf4a56ce774ad11763384 Mon Sep 17 00:00:00 2001
-From: Sebastian Rasmussen <sebras@gmail.com>
-Date: Tue, 19 Dec 2017 23:47:47 +0100
-Subject: [PATCH] Bug 698825: Do not drop borrowed colorspaces.
-
-Previously the borrowed colorspace was dropped when updating annotation
-appearances, leading to use after free warnings from valgrind/ASAN.
----
- source/pdf/pdf-appearance.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/source/pdf/pdf-appearance.c b/source/pdf/pdf-appearance.c
-index 70f684f4..d7a1dddd 100644
---- a/source/pdf/pdf-appearance.c
-+++ b/source/pdf/pdf-appearance.c
-@@ -2170,7 +2170,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
- 	fz_device *dev = NULL;
- 	font_info font_rec;
- 	fz_text *text = NULL;
--	fz_colorspace *cs = NULL;
- 	fz_matrix page_ctm;
- 
- 	pdf_page_transform(ctx, annot->page, NULL, &page_ctm);
-@@ -2184,11 +2183,11 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
- 	fz_var(dlist);
- 	fz_var(dev);
- 	fz_var(text);
--	fz_var(cs);
- 	fz_try(ctx)
- 	{
- 		char *contents = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_Contents));
- 		char *da = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_DA));
-+		fz_colorspace *cs;
- 		fz_point pos;
- 		fz_rect rect;
- 
-@@ -2223,7 +2222,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
- 		fz_drop_display_list(ctx, dlist);
- 		font_info_fin(ctx, &font_rec);
- 		fz_drop_text(ctx, text);
--		fz_drop_colorspace(ctx, cs);
- 	}
- 	fz_catch(ctx)
- 	{
-@@ -2359,7 +2357,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
- 	fz_device *dev = NULL;
- 	font_info font_rec;
- 	fz_text *text = NULL;
--	fz_colorspace *cs = NULL;
- 	fz_path *path = NULL;
- 	fz_buffer *fzbuf = NULL;
- 	fz_matrix page_ctm;
-@@ -2375,7 +2372,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
- 	fz_var(dlist);
- 	fz_var(dev);
- 	fz_var(text);
--	fz_var(cs);
- 	fz_var(fzbuf);
- 	fz_try(ctx)
- 	{
-@@ -2384,6 +2380,7 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
- 		fz_rect logo_bounds;
- 		fz_matrix logo_tm;
- 		fz_rect rect;
-+		fz_colorspace *cs = fz_device_rgb(ctx); /* Borrowed reference */
- 
- 		pdf_to_rect(ctx, pdf_dict_get(ctx, annot->obj, PDF_NAME_Rect), &annot_rect);
- 		rect = annot_rect;
-@@ -2396,7 +2393,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
- 		fz_bound_path(ctx, path, NULL, &fz_identity, &logo_bounds);
- 		center_rect_within_rect(&logo_bounds, &rect, &logo_tm);
- 		fz_concat(&logo_tm, &logo_tm, &page_ctm);
--		cs = fz_device_rgb(ctx); /* Borrowed reference */
- 		fz_fill_path(ctx, dev, path, 0, &logo_tm, cs, logo_color, 1.0f, NULL);
- 
- 		get_font_info(ctx, doc, dr, da, &font_rec);
--- 
-2.16.3
-
diff --git a/gnu/packages/patches/mupdf-CVE-2018-6544.patch b/gnu/packages/patches/mupdf-CVE-2018-6544.patch
deleted file mode 100644
index b2c8f849f3..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2018-6544.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-Fix CVE-2018-6544:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6544
-https://bugs.ghostscript.com/show_bug.cgi?id=698830
-https://bugs.ghostscript.com/show_bug.cgi?id=698965 
-
-Patches copied from upstream source repository:
-
-https://git.ghostscript.com/?p=mupdf.git;h=26527eef77b3e51c2258c8e40845bfbc015e405d
-https://git.ghostscript.com/?p=mupdf.git;h=b03def134988da8c800adac1a38a41a1f09a1d89
-
-From b03def134988da8c800adac1a38a41a1f09a1d89 Mon Sep 17 00:00:00 2001
-From: Sebastian Rasmussen <sebras@gmail.com>
-Date: Thu, 1 Feb 2018 16:36:14 +0100
-Subject: [PATCH] Bug 698830: Avoid recursion when loading object streams
- objects.
-
-If there were indirect references in the object stream dictionary and
-one of those indirect references referred to an object inside the object
-stream itself, mupdf would previously enter recursion only bounded by the
-exception stack. After this commit the object stream is checked if it is
-marked immediately after being loaded. If it is marked then we terminate
-the recursion at this point, if it is not marked then mark it and
-attempt to load the desired object within. We also take care to unmark
-the stream object when done or upon exception.
----
- source/pdf/pdf-xref.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
-index 723b543c..ed09094c 100644
---- a/source/pdf/pdf-xref.c
-+++ b/source/pdf/pdf-xref.c
-@@ -1576,6 +1576,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
- 	{
- 		objstm = pdf_load_object(ctx, doc, num);
- 
-+		if (pdf_obj_marked(ctx, objstm))
-+			fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup");
-+	}
-+	fz_catch(ctx)
-+	{
-+		pdf_drop_obj(ctx, objstm);
-+		fz_rethrow(ctx);
-+	}
-+
-+	fz_try(ctx)
-+	{
-+		pdf_mark_obj(ctx, objstm);
-+
- 		count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
- 		first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
- 
-@@ -1655,6 +1668,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
- 		fz_drop_stream(ctx, stm);
- 		fz_free(ctx, ofsbuf);
- 		fz_free(ctx, numbuf);
-+		pdf_unmark_obj(ctx, objstm);
- 		pdf_drop_obj(ctx, objstm);
- 	}
- 	fz_catch(ctx)
--- 
-2.16.3
-
-From 26527eef77b3e51c2258c8e40845bfbc015e405d Mon Sep 17 00:00:00 2001
-From: Sebastian Rasmussen <sebras@gmail.com>
-Date: Mon, 29 Jan 2018 02:00:48 +0100
-Subject: [PATCH] Bug 698830: Don't drop unkept stream if running out of error
- stack.
-
-Under normal conditions where fz_keep_stream() is called inside
-fz_try() we may call fz_drop_stream() in fz_catch() upon exceptions.
-The issue comes when fz_keep_stream() has not yet been called but is
-dropped in fz_catch(). This happens in the PDF from the bug when
-fz_try() runs out of exception stack, and next the code in fz_catch()
-runs, dropping the caller's reference to the filter chain stream!
-
-The simplest way of fixing this it to always keep the filter chain
-stream before fz_try() is called. That way fz_catch() may drop the
-stream whether an exception has occurred or if the fz_try() ran out of
-exception stack.
----
- source/pdf/pdf-stream.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
-index c89da5c4..c6ba7ad3 100644
---- a/source/pdf/pdf-stream.c
-+++ b/source/pdf/pdf-stream.c
-@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_ob
- 		*orig_gen = 0;
- 	}
- 
--	fz_var(chain);
-+	chain = fz_keep_stream(ctx, chain);
- 
- 	fz_try(ctx)
- 	{
- 		len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length));
- 
--		/* don't close chain when we close this filter */
--		chain2 = fz_keep_stream(ctx, chain);
-+		chain2 = chain;
- 		chain = NULL;
- 		chain = fz_open_null(ctx, chain2, len, offset);
- 
--- 
-2.16.3
-
diff --git a/gnu/packages/patches/mupdf-build-with-latest-openjpeg.patch b/gnu/packages/patches/mupdf-build-with-latest-openjpeg.patch
deleted file mode 100644
index d5c9c60242..0000000000
--- a/gnu/packages/patches/mupdf-build-with-latest-openjpeg.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Make it possible to build MuPDF with OpenJPEG 2.3, which is the latest
-release series and contains many important bug fixes.
-
-Patch adapted from Debian:
-
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745246
-
-And related to this upstream commit:
-
-http://git.ghostscript.com/?p=mupdf.git;a=commit;h=f88bfe2e62dbadb96d4f52d7aa025f0a516078da
-
-diff --git a/source/fitz/load-jpx.c b/source/fitz/load-jpx.c
-index 65699ba..ea84778 100644
---- a/source/fitz/load-jpx.c
-+++ b/source/fitz/load-jpx.c
-@@ -445,11 +445,6 @@ fz_load_jpx_info(fz_context *ctx, const unsigned char *data, size_t size, int *w
- 
- #else /* HAVE_LURATECH */
- 
--#define OPJ_STATIC
--#define OPJ_HAVE_INTTYPES_H
--#if !defined(_MSC_VER) || _MSC_VER >= 1600
--#define OPJ_HAVE_STDINT_H
--#endif
- #define USE_JPIP
- 
- #include <openjpeg.h>
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 9e5af5f011..fd494739c3 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org>
 ;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
 ;;; Copyright © 2016 Nils Gillmann <ng0@n0.is>
-;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017, 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016, 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 Julien Lepiller <julien@lepiller.eu>
@@ -597,21 +597,17 @@ extracting content or merging files.")
 (define-public mupdf
   (package
     (name "mupdf")
-    (version "1.12.0")
+    (version "1.13.0")
     (source
       (origin
         (method url-fetch)
         (uri (string-append "https://mupdf.com/downloads/archive/"
                             name "-" version "-source.tar.xz"))
-        (patches (search-patches "mupdf-build-with-latest-openjpeg.patch"
-                                 "mupdf-CVE-2017-17858.patch"
-                                 "mupdf-CVE-2018-6544.patch"
-                                 "mupdf-CVE-2018-1000051.patch"))
         (sha256
          (base32
-          "0b9j0gqbc3jhmx87r6idcsh8lnb30840c3hyx6dk2gdjqqh3hysp"))
+          "0129k92bav692l6lyw10ryldx7h2f9khjpgnp3f3n4fdsph9hrkl"))
         (modules '((guix build utils)))
-        (snippet '(delete-file-recursively "thirdparty"))))
+        (snippet '(begin (delete-file-recursively "thirdparty") #t))))
     (build-system gnu-build-system)
     (inputs
       `(("curl" ,curl)