
gnu: mupdf: Update to 1.13.0.

* gnu/packages/pdf.scm (mupdf): Update to 1.13.0.
[source]: Remove patches.
* gnu/packages/patches/mupdf-build-with-latest-openjpeg.patch,
gnu/packages/patches/mupdf-CVE-2017-17858.patch,
gnu/packages/patches/mupdf-CVE-2018-6544.patch,
gnu/packages/patches/mupdf-CVE-2018-1000051.patch: Remove files.
* gnu/local.mk (dist_patch_DATA): Remove them.
Efraim Flashner 2018-05-14 12:04:30 +03:00
parent 563ab27bd4
commit 2b79c6833d
No known key found for this signature in database
GPG Key ID: 41AAE7DCCA3D8351
6 changed files with 4 additions and 347 deletions


@ -932,10 +932,6 @@ dist_patch_DATA = \
%D%/packages/patches/mozjs38-tracelogger.patch \
%D%/packages/patches/mozjs38-version-detection.patch \
%D%/packages/patches/mumps-build-parallelism.patch \
%D%/packages/patches/mupdf-build-with-latest-openjpeg.patch \
%D%/packages/patches/mupdf-CVE-2017-17858.patch \
%D%/packages/patches/mupdf-CVE-2018-6544.patch \
%D%/packages/patches/mupdf-CVE-2018-1000051.patch \
%D%/packages/patches/mupen64plus-ui-console-notice.patch \
%D%/packages/patches/mupen64plus-video-z64-glew-correct-path.patch \
%D%/packages/patches/mutt-store-references.patch \


@ -1,111 +0,0 @@
Fix CVE-2017-17858:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17858
https://bugs.ghostscript.com/show_bug.cgi?id=698819
https://github.com/mzet-/Security-Advisories/blob/master/mzet-adv-2017-01.md
Patch copied from upstream source repository:
https://git.ghostscript.com/?p=mupdf.git;a=commit;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731
From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Mon, 11 Dec 2017 14:09:15 +0100
Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below
limit.
This ensures that:
* xref tables with objects pointers do not grow out of bounds.
* other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf.
---
include/mupdf/pdf/object.h | 3 +++
source/pdf/pdf-repair.c | 5 +----
source/pdf/pdf-xref.c | 21 ++++++++++++---------
3 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
index 21ed8595..4177112b 100644
--- a/include/mupdf/pdf/object.h
+++ b/include/mupdf/pdf/object.h
@@ -3,6 +3,9 @@
typedef struct pdf_document_s pdf_document;
+/* Defined in PDF 1.7 according to Acrobat limit. */
+#define PDF_MAX_OBJECT_NUMBER 8388607
+
/*
* Dynamic objects.
* The same type of objects as found in PDF and PostScript.
diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
index ca149bd3..0c29758e 100644
--- a/source/pdf/pdf-repair.c
+++ b/source/pdf/pdf-repair.c
@@ -6,9 +6,6 @@
/* Scan file for objects and reconstruct xref table */
-/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */
-#define MAX_OBJECT_NUMBER (10 << 20)
-
struct entry
{
int num;
@@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
break;
}
- if (num <= 0 || num > MAX_OBJECT_NUMBER)
+ if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER)
{
fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen);
goto have_next_token;
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 00586dbd..6284e70b 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR);
}
- if (ofs < 0)
- fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs);
- if (ofs > INT64_MAX - len)
- fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big");
-
+ if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER
+ || len < 0 || len > PDF_MAX_OBJECT_NUMBER
+ || ofs + len - 1 > PDF_MAX_OBJECT_NUMBER)
+ {
+ fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
+ }
/* broken pdfs where size in trailer undershoots entries in xref sections */
if (ofs + len > xref_len)
{
@@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, in
pdf_xref_entry *table;
int i, n;
- if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1)
- fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
- //if (i0 + i1 > pdf_xref_len(ctx, doc))
- // fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
+ if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
table = pdf_xref_find_subsection(ctx, doc, i0, i1);
for (i = i0; i < i0 + i1; i++)
@@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_document *doc)
/* TODO: reuse free object slots by properly linking free object chains in the ofs field */
pdf_xref_entry *entry;
int num = pdf_xref_len(ctx, doc);
+
+ if (num > PDF_MAX_OBJECT_NUMBER)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in pdf");
+
entry = pdf_get_incremental_xref_entry(ctx, doc, num);
entry->type = 'f';
entry->ofs = -1;
--
2.16.1


@ -1,88 +0,0 @@
Fix CVE-2018-1000051:
https://bugs.ghostscript.com/show_bug.cgi?id=698873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000051
Patch copied from upstream source repository:
https://git.ghostscript.com/?p=mupdf.git;a=commit;h=321ba1de287016b0036bf4a56ce774ad11763384
From 321ba1de287016b0036bf4a56ce774ad11763384 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Tue, 19 Dec 2017 23:47:47 +0100
Subject: [PATCH] Bug 698825: Do not drop borrowed colorspaces.
Previously the borrowed colorspace was dropped when updating annotation
appearances, leading to use after free warnings from valgrind/ASAN.
---
source/pdf/pdf-appearance.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/source/pdf/pdf-appearance.c b/source/pdf/pdf-appearance.c
index 70f684f4..d7a1dddd 100644
--- a/source/pdf/pdf-appearance.c
+++ b/source/pdf/pdf-appearance.c
@@ -2170,7 +2170,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
fz_device *dev = NULL;
font_info font_rec;
fz_text *text = NULL;
- fz_colorspace *cs = NULL;
fz_matrix page_ctm;
pdf_page_transform(ctx, annot->page, NULL, &page_ctm);
@@ -2184,11 +2183,11 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
fz_var(dlist);
fz_var(dev);
fz_var(text);
- fz_var(cs);
fz_try(ctx)
{
char *contents = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_Contents));
char *da = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_DA));
+ fz_colorspace *cs;
fz_point pos;
fz_rect rect;
@@ -2223,7 +2222,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
fz_drop_display_list(ctx, dlist);
font_info_fin(ctx, &font_rec);
fz_drop_text(ctx, text);
- fz_drop_colorspace(ctx, cs);
}
fz_catch(ctx)
{
@@ -2359,7 +2357,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
fz_device *dev = NULL;
font_info font_rec;
fz_text *text = NULL;
- fz_colorspace *cs = NULL;
fz_path *path = NULL;
fz_buffer *fzbuf = NULL;
fz_matrix page_ctm;
@@ -2375,7 +2372,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
fz_var(dlist);
fz_var(dev);
fz_var(text);
- fz_var(cs);
fz_var(fzbuf);
fz_try(ctx)
{
@@ -2384,6 +2380,7 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
fz_rect logo_bounds;
fz_matrix logo_tm;
fz_rect rect;
+ fz_colorspace *cs = fz_device_rgb(ctx); /* Borrowed reference */
pdf_to_rect(ctx, pdf_dict_get(ctx, annot->obj, PDF_NAME_Rect), &annot_rect);
rect = annot_rect;
@@ -2396,7 +2393,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
fz_bound_path(ctx, path, NULL, &fz_identity, &logo_bounds);
center_rect_within_rect(&logo_bounds, &rect, &logo_tm);
fz_concat(&logo_tm, &logo_tm, &page_ctm);
- cs = fz_device_rgb(ctx); /* Borrowed reference */
fz_fill_path(ctx, dev, path, 0, &logo_tm, cs, logo_color, 1.0f, NULL);
get_font_info(ctx, doc, dr, da, &font_rec);
--
2.16.3


@ -1,109 +0,0 @@
Fix CVE-2018-6544:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6544
https://bugs.ghostscript.com/show_bug.cgi?id=698830
https://bugs.ghostscript.com/show_bug.cgi?id=698965
Patches copied from upstream source repository:
https://git.ghostscript.com/?p=mupdf.git;h=26527eef77b3e51c2258c8e40845bfbc015e405d
https://git.ghostscript.com/?p=mupdf.git;h=b03def134988da8c800adac1a38a41a1f09a1d89
From b03def134988da8c800adac1a38a41a1f09a1d89 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Thu, 1 Feb 2018 16:36:14 +0100
Subject: [PATCH] Bug 698830: Avoid recursion when loading object streams
objects.
If there were indirect references in the object stream dictionary and
one of those indirect references referred to an object inside the object
stream itself, mupdf would previously enter recursion only bounded by the
exception stack. After this commit the object stream is checked if it is
marked immediately after being loaded. If it is marked then we terminate
the recursion at this point, if it is not marked then mark it and
attempt to load the desired object within. We also take care to unmark
the stream object when done or upon exception.
---
source/pdf/pdf-xref.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 723b543c..ed09094c 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -1576,6 +1576,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
{
objstm = pdf_load_object(ctx, doc, num);
+ if (pdf_obj_marked(ctx, objstm))
+ fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup");
+ }
+ fz_catch(ctx)
+ {
+ pdf_drop_obj(ctx, objstm);
+ fz_rethrow(ctx);
+ }
+
+ fz_try(ctx)
+ {
+ pdf_mark_obj(ctx, objstm);
+
count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
@@ -1655,6 +1668,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
fz_drop_stream(ctx, stm);
fz_free(ctx, ofsbuf);
fz_free(ctx, numbuf);
+ pdf_unmark_obj(ctx, objstm);
pdf_drop_obj(ctx, objstm);
}
fz_catch(ctx)
--
2.16.3
From 26527eef77b3e51c2258c8e40845bfbc015e405d Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Mon, 29 Jan 2018 02:00:48 +0100
Subject: [PATCH] Bug 698830: Don't drop unkept stream if running out of error
stack.
Under normal conditions where fz_keep_stream() is called inside
fz_try() we may call fz_drop_stream() in fz_catch() upon exceptions.
The issue comes when fz_keep_stream() has not yet been called but is
dropped in fz_catch(). This happens in the PDF from the bug when
fz_try() runs out of exception stack, and next the code in fz_catch()
runs, dropping the caller's reference to the filter chain stream!
The simplest way of fixing this it to always keep the filter chain
stream before fz_try() is called. That way fz_catch() may drop the
stream whether an exception has occurred or if the fz_try() ran out of
exception stack.
---
source/pdf/pdf-stream.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
index c89da5c4..c6ba7ad3 100644
--- a/source/pdf/pdf-stream.c
+++ b/source/pdf/pdf-stream.c
@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_ob
*orig_gen = 0;
}
- fz_var(chain);
+ chain = fz_keep_stream(ctx, chain);
fz_try(ctx)
{
len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length));
- /* don't close chain when we close this filter */
- chain2 = fz_keep_stream(ctx, chain);
+ chain2 = chain;
chain = NULL;
chain = fz_open_null(ctx, chain2, len, offset);
--
2.16.3


@ -1,27 +0,0 @@
Make it possible to build MuPDF with OpenJPEG 2.3, which is the latest
release series and contains many important bug fixes.
Patch adapted from Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745246
And related to this upstream commit:
http://git.ghostscript.com/?p=mupdf.git;a=commit;h=f88bfe2e62dbadb96d4f52d7aa025f0a516078da
diff --git a/source/fitz/load-jpx.c b/source/fitz/load-jpx.c
index 65699ba..ea84778 100644
--- a/source/fitz/load-jpx.c
+++ b/source/fitz/load-jpx.c
@@ -445,11 +445,6 @@ fz_load_jpx_info(fz_context *ctx, const unsigned char *data, size_t size, int *w
#else /* HAVE_LURATECH */
-#define OPJ_STATIC
-#define OPJ_HAVE_INTTYPES_H
-#if !defined(_MSC_VER) || _MSC_VER >= 1600
-#define OPJ_HAVE_STDINT_H
-#endif
#define USE_JPIP
#include <openjpeg.h>


@ -5,7 +5,7 @@
;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org>
;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
;;; Copyright © 2016 Nils Gillmann <ng0@n0.is>
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017, 2018 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016 Julien Lepiller <julien@lepiller.eu>
@ -597,21 +597,17 @@ extracting content or merging files.")
(define-public mupdf
(package
(name "mupdf")
(version "1.12.0")
(version "1.13.0")
(source
(origin
(method url-fetch)
(uri (string-append "https://mupdf.com/downloads/archive/"
name "-" version "-source.tar.xz"))
(patches (search-patches "mupdf-build-with-latest-openjpeg.patch"
"mupdf-CVE-2017-17858.patch"
"mupdf-CVE-2018-6544.patch"
"mupdf-CVE-2018-1000051.patch"))
(sha256
(base32
"0b9j0gqbc3jhmx87r6idcsh8lnb30840c3hyx6dk2gdjqqh3hysp"))
"0129k92bav692l6lyw10ryldx7h2f9khjpgnp3f3n4fdsph9hrkl"))
(modules '((guix build utils)))
(snippet '(delete-file-recursively "thirdparty"))))
(snippet '(begin (delete-file-recursively "thirdparty") #t))))
(build-system gnu-build-system)
(inputs
`(("curl" ,curl)
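Review bot: The `(patches (search-patches ...))` field is removed from the `origin` along with the fixes for CVE-2017-17858, CVE-2018-6544 and CVE-2018-1000051, and neither the new code nor the commit log records that the 1.13.0 tarball already contains them. Before merging I would check that the upstream commits named in the removed patch headers (55c3f68d638a, b03def134988, 26527eef77b3 and 321ba1de2870) are part of the 1.13.0 release, and state that in the log, for example `[source]: Remove patches; all are included upstream in 1.13.0.` Without that note a later reader cannot tell from this package definition whether the fixes were carried forward or dropped by mistake. The `mupdf` definition continues past the end of this hunk.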