-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-8674.patch83
1 files changed, 41 insertions, 42 deletions
diff --git a/gnu/packages/patches/mupdf-CVE-2016-8674.patch b/gnu/packages/patches/mupdf-CVE-2016-8674.patch
index 62e4a0237a..2a35619761 100644
--- a/gnu/packages/patches/mupdf-CVE-2016-8674.patch
+++ b/gnu/packages/patches/mupdf-CVE-2016-8674.patch
@@ -3,17 +3,17 @@ Fix CVE-2016-8674 (use-after-free in pdf_to_num()).
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8674
 https://security-tracker.debian.org/tracker/CVE-2016-8674
 
-Patch copied from upstream source repository:
+Patch adapted from upstream source repository:
 http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec
 
 diff --git a/include/mupdf/pdf/document.h b/include/mupdf/pdf/document.h
-index aabf05f..0078c4a 100644
+index f8ef0cd..e8345b7 100644
 --- a/include/mupdf/pdf/document.h
 +++ b/include/mupdf/pdf/document.h
-@@ -269,6 +269,10 @@ struct pdf_document_s
- 		fz_hash_table *images;
- 		fz_hash_table *fonts;
- 	} resources;
+@@ -258,6 +258,10 @@ struct pdf_document_s
+	fz_font **type3_fonts;
+
+	pdf_resource_tables *resources;
 +
 +	int orphans_max;
 +	int orphans_count;
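Review bot: As rendered here, several rewritten context lines of the embedded patch begin directly with a tab instead of the leading space that marks unified-diff context: `fz_font **type3_fonts;` and `pdf_resource_tables *resources;` in this hunk, and likewise `if (obj >= PDF_OBJ__LIMIT)` and `else` in pdf-object.c, the `pdf_load_object(...)` line in pdf-repair.c, and `pdf_drop_resource_tables(ctx, doc);` and `fz_free(ctx, doc);` in pdf-xref.c. A lenient patch tool may still accept such lines, but a stricter one could reject the hunk, so regenerating the file with `git diff` against the packaged source would be safer than hand-edited markers. Since the header now says "adapted", it should also record what differs from upstream commit 1e03c06, so a later audit can compare the two. One possible wording is `Adapted for the packaged release: pdf_drop_document_imp is pdf_close_document here, and pdf_load_object takes a generation number.`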
@@ -22,10 +22,10 @@ index aabf05f..0078c4a 100644
  
  /*
 diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
-index 5bc3dca..bf57455 100644
+index 346a2f1..02d4119 100644
 --- a/include/mupdf/pdf/object.h
 +++ b/include/mupdf/pdf/object.h
-@@ -110,6 +110,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict, const char *key);
+@@ -109,6 +109,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict, const char *key);
  pdf_obj *pdf_dict_getsa(fz_context *ctx, pdf_obj *dict, const char *key, const char *abbrev);
  void pdf_dict_put(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
  void pdf_dict_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
@@ -34,10 +34,10 @@ index 5bc3dca..bf57455 100644
  void pdf_dict_puts_drop(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val);
  void pdf_dict_putp(fz_context *ctx, pdf_obj *dict, const char *path, pdf_obj *val);
 diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c
-index b4e33f3..1c19ba4 100644
+index f2e4551..a0d0d8e 100644
 --- a/source/pdf/pdf-object.c
 +++ b/source/pdf/pdf-object.c
-@@ -1265,11 +1265,14 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *abbrev)
+@@ -1240,9 +1240,13 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *abbrev)
  	return pdf_dict_get(ctx, obj, abbrev);
  }
  
@@ -46,27 +46,26 @@ index b4e33f3..1c19ba4 100644
 +static void
 +pdf_dict_get_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val)
  {
- 	int i;
- 
++
 +	if (old_val)
 +		*old_val = NULL;
 +
  	RESOLVE(obj);
- 	if (!OBJ_IS_DICT(obj))
- 		fz_throw(ctx, FZ_ERROR_GENERIC, "not a dict (%s)", pdf_objkindstr(obj));
-@@ -1295,7 +1298,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
- 		{
- 			pdf_obj *d = DICT(obj)->items[i].v;
- 			DICT(obj)->items[i].v = pdf_keep_obj(ctx, val);
--			pdf_drop_obj(ctx, d);
-+			if (old_val)
-+				*old_val = d;
-+			else
-+				pdf_drop_obj(ctx, d);
+	if (obj >= PDF_OBJ__LIMIT)
+	{
+@@ -1282,7 +1286,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
+			{
+				pdf_obj *d = DICT(obj)->items[i].v;
+				DICT(obj)->items[i].v = pdf_keep_obj(ctx, val);
+-				pdf_drop_obj(ctx, d);
++				if (old_val)
++					*old_val = d;
++				else
++					pdf_drop_obj(ctx, d);
+			}
  		}
- 	}
- 	else
-@@ -1316,10 +1322,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
+		else
+@@ -1305,10 +1312,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
  }
  
  void
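Review bot: The `*old_val = d;` branch in the `@@ -1282,7 +1286,10 @@` inner hunk hands the replaced value's reference to the caller instead of dropping it, and nothing visible in the patch states that contract. A caller that forgets the reference leaks it, and one that drops it while stale pointers are still in use would bring back the use-after-free this patch closes. I would put a comment above `pdf_dict_get_put`, for example `/* If old_val is non-NULL, the replaced value is returned through it and the caller owns that reference. */`. The body of `pdf_dict_get_put` and its callers lie outside this hunk, so the drop-or-orphan handling on the caller side should be confirmed there.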
@@ -96,10 +95,10 @@ index b4e33f3..1c19ba4 100644
  		pdf_drop_obj(ctx, val);
  	fz_catch(ctx)
 diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
-index 690bf15..167f609 100644
+index fdd4648..212c8b7 100644
 --- a/source/pdf/pdf-repair.c
 +++ b/source/pdf/pdf-repair.c
-@@ -260,6 +260,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc, int stm_num)
+@@ -259,6 +259,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc, int num, int gen)
  	}
  }
  
@@ -127,12 +126,12 @@ index 690bf15..167f609 100644
  void
  pdf_repair_xref(fz_context *ctx, pdf_document *doc)
  {
-@@ -528,12 +549,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
+@@ -520,12 +541,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
  			/* correct stream length for unencrypted documents */
  			if (!encrypt && list[i].stm_len >= 0)
  			{
 +				pdf_obj *old_obj = NULL;
- 				dict = pdf_load_object(ctx, doc, list[i].num);
+				dict = pdf_load_object(ctx, doc, list[i].num, list[i].gen);
  
  				length = pdf_new_int(ctx, doc, list[i].stm_len);
 -				pdf_dict_put(ctx, dict, PDF_NAME_Length, length);
@@ -145,22 +144,22 @@ index 690bf15..167f609 100644
  			}
  		}
 diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
-index 7d21775..0cf20d4 100644
+index 3de1cd2..6682741 100644
 --- a/source/pdf/pdf-xref.c
 +++ b/source/pdf/pdf-xref.c
-@@ -1620,6 +1620,12 @@ pdf_drop_document_imp(fz_context *ctx, pdf_document *doc)
+@@ -1626,6 +1626,12 @@ pdf_close_document(fz_context *ctx, pdf_document *doc)
  
- 		pdf_drop_resource_tables(ctx, doc);
+	pdf_drop_resource_tables(ctx, doc);
  
-+		for (i = 0; i < doc->orphans_count; i++)
-+		{
-+			pdf_drop_obj(ctx, doc->orphans[i]);
-+		}
-+		fz_free(ctx, doc->orphans);
++	for (i = 0; i < doc->orphans_count; i++)
++	{
++		pdf_drop_obj(ctx, doc->orphans[i]);
++	}
++	fz_free(ctx, doc->orphans);
 +
- 		fz_free(ctx, doc);
- 	}
- 	fz_always(ctx)
+	fz_free(ctx, doc);
+ }
+
 -- 
-2.9.1
+2.10.1