summary refs log tree commit diff
path: root/gnu/packages/patches/mupdf-CVE-2016-8674.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/mupdf-CVE-2016-8674.patch')
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-8674.patch165
1 files changed, 0 insertions, 165 deletions
diff --git a/gnu/packages/patches/mupdf-CVE-2016-8674.patch b/gnu/packages/patches/mupdf-CVE-2016-8674.patch
deleted file mode 100644
index 2a35619761..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2016-8674.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-Fix CVE-2016-8674 (use-after-free in pdf_to_num()).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8674
-https://security-tracker.debian.org/tracker/CVE-2016-8674
-
-Patch adapted from upstream source repository:
-http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec
-
-diff --git a/include/mupdf/pdf/document.h b/include/mupdf/pdf/document.h
-index f8ef0cd..e8345b7 100644
---- a/include/mupdf/pdf/document.h
-+++ b/include/mupdf/pdf/document.h
-@@ -258,6 +258,10 @@ struct pdf_document_s
-	fz_font **type3_fonts;
-
-	pdf_resource_tables *resources;
-+
-+	int orphans_max;
-+	int orphans_count;
-+	pdf_obj **orphans;
- };
- 
- /*
-diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
-index 346a2f1..02d4119 100644
---- a/include/mupdf/pdf/object.h
-+++ b/include/mupdf/pdf/object.h
-@@ -109,6 +109,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict, const char *key);
- pdf_obj *pdf_dict_getsa(fz_context *ctx, pdf_obj *dict, const char *key, const char *abbrev);
- void pdf_dict_put(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
- void pdf_dict_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
-+void pdf_dict_get_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val, pdf_obj **old_val);
- void pdf_dict_puts(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val);
- void pdf_dict_puts_drop(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val);
- void pdf_dict_putp(fz_context *ctx, pdf_obj *dict, const char *path, pdf_obj *val);
-diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c
-index f2e4551..a0d0d8e 100644
---- a/source/pdf/pdf-object.c
-+++ b/source/pdf/pdf-object.c
-@@ -1240,9 +1240,13 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *abbrev)
- 	return pdf_dict_get(ctx, obj, abbrev);
- }
- 
--void
--pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
-+static void
-+pdf_dict_get_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val)
- {
-+
-+	if (old_val)
-+		*old_val = NULL;
-+
- 	RESOLVE(obj);
-	if (obj >= PDF_OBJ__LIMIT)
-	{
-@@ -1282,7 +1286,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
-			{
-				pdf_obj *d = DICT(obj)->items[i].v;
-				DICT(obj)->items[i].v = pdf_keep_obj(ctx, val);
--				pdf_drop_obj(ctx, d);
-+				if (old_val)
-+					*old_val = d;
-+				else
-+					pdf_drop_obj(ctx, d);
-			}
- 		}
-		else
-@@ -1305,10 +1312,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
- }
- 
- void
-+pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
-+{
-+	pdf_dict_get_put(ctx, obj, key, val, NULL);
-+}
-+
-+void
- pdf_dict_put_drop(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
- {
- 	fz_try(ctx)
--		pdf_dict_put(ctx, obj, key, val);
-+		pdf_dict_get_put(ctx, obj, key, val, NULL);
-+	fz_always(ctx)
-+		pdf_drop_obj(ctx, val);
-+	fz_catch(ctx)
-+		fz_rethrow(ctx);
-+}
-+
-+void
-+pdf_dict_get_put_drop(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val)
-+{
-+	fz_try(ctx)
-+		pdf_dict_get_put(ctx, obj, key, val, old_val);
- 	fz_always(ctx)
- 		pdf_drop_obj(ctx, val);
- 	fz_catch(ctx)
-diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
-index fdd4648..212c8b7 100644
---- a/source/pdf/pdf-repair.c
-+++ b/source/pdf/pdf-repair.c
-@@ -259,6 +259,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc, int num, int gen)
- 	}
- }
- 
-+static void
-+orphan_object(fz_context *ctx, pdf_document *doc, pdf_obj *obj)
-+{
-+	if (doc->orphans_count == doc->orphans_max)
-+	{
-+		int new_max = (doc->orphans_max ? doc->orphans_max*2 : 32);
-+
-+		fz_try(ctx)
-+		{
-+			doc->orphans = fz_resize_array(ctx, doc->orphans, new_max, sizeof(*doc->orphans));
-+			doc->orphans_max = new_max;
-+		}
-+		fz_catch(ctx)
-+		{
-+			pdf_drop_obj(ctx, obj);
-+			fz_rethrow(ctx);
-+		}
-+	}
-+	doc->orphans[doc->orphans_count++] = obj;
-+}
-+
- void
- pdf_repair_xref(fz_context *ctx, pdf_document *doc)
- {
-@@ -520,12 +541,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
- 			/* correct stream length for unencrypted documents */
- 			if (!encrypt && list[i].stm_len >= 0)
- 			{
-+				pdf_obj *old_obj = NULL;
-				dict = pdf_load_object(ctx, doc, list[i].num, list[i].gen);
- 
- 				length = pdf_new_int(ctx, doc, list[i].stm_len);
--				pdf_dict_put(ctx, dict, PDF_NAME_Length, length);
--				pdf_drop_obj(ctx, length);
--
-+				pdf_dict_get_put_drop(ctx, dict, PDF_NAME_Length, length, &old_obj);
-+				if (old_obj)
-+					orphan_object(ctx, doc, old_obj);
- 				pdf_drop_obj(ctx, dict);
- 			}
- 		}
-diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
-index 3de1cd2..6682741 100644
---- a/source/pdf/pdf-xref.c
-+++ b/source/pdf/pdf-xref.c
-@@ -1626,6 +1626,12 @@ pdf_close_document(fz_context *ctx, pdf_document *doc)
- 
-	pdf_drop_resource_tables(ctx, doc);
- 
-+	for (i = 0; i < doc->orphans_count; i++)
-+	{
-+		pdf_drop_obj(ctx, doc->orphans[i]);
-+	}
-+	fz_free(ctx, doc->orphans);
-+
-	fz_free(ctx, doc);
- }
-
--- 
-2.10.1
-
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-11-23 20:29:17 +0000