authorKevin Daudt <kdaudt@alpinelinux.org>2021-05-17 18:00:36 +0000
committerKevin Daudt <kdaudt@alpinelinux.org>2021-05-17 18:00:36 +0000
commitad5f60841037d8df5203d4164c4929d6bd0a286f (patch)
tree9c09f375f65e0f4d0a71b59096b0fabc0393c0ef
parent79cd9084cf21b00a5229a3085d97e6447e74a629 (diff)
community/mupdf: use local patches
Patches on github are not stable. The index hashes can change, causing the checksums to mismatch.
-rw-r--r--community/mupdf/APKBUILD16
-rw-r--r--community/mupdf/CVE-2021-3407.patch45
-rw-r--r--community/mupdf/bug-fix-overflow.patch41
-rw-r--r--community/mupdf/harden-pupulate-ui-against-unexpecter-repairs.patch102
4 files changed, 197 insertions, 7 deletions
diff --git a/community/mupdf/APKBUILD b/community/mupdf/APKBUILD
index 9daad1dc89d..ccb3cc961f2 100644
--- a/community/mupdf/APKBUILD
+++ b/community/mupdf/APKBUILD
@@ -29,9 +29,9 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-x11:_x11
options="!check"
source="https://mupdf.com/downloads/archive/mupdf-$pkgver-source.tar.xz
shared-lib.patch
- https://github.com/ArtifexSoftware/mupdf/commit/32e4e8b4bcbacbf92af7c.patch
- https://github.com/ArtifexSoftware/mupdf/commit/b82e9b6d6b46877e5c376.patch
- CVE-2021-3407.patch::https://github.com/ArtifexSoftware/mupdf/commit/cee7cefc610d42fd383b3c80c12cbc675443176a.patch
+ bug-fix-overflow.patch
+ harden-pupulate-ui-against-unexpecter-repairs.patch
+ CVE-2021-3407.patch
"
# FIXME: shared linking of /usr/lib/libmupdf.so.0
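Review bot: The new local file name `harden-pupulate-ui-against-unexpecter-repairs.patch` in `source=` misspells both "populate" and "unexpected"; the upstream subject inside the patch reads "Harden populate_ui against unexpected repairs". Renaming it to `harden-populate-ui-against-unexpected-repairs.patch` would keep the file greppable by the function it fixes, and would also need the matching rename in the `sha512sums` hunk and of the file itself. The replaced URLs carried the upstream commit ids, which the new names drop, so a short comment above the entries such as `# upstream bugs 702958 and 701297, see patch headers` would preserve why these two memory-safety patches are carried.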
@@ -111,8 +111,10 @@ _tools() {
"$subpkgdir"/usr/bin/
}
-sha512sums="7551f18b9bac6e2dc1cf073741cbc975ce3a16dc7e37c9d5a58254c67bf2c07bb36185d6585e435d4126f3ae351f67d7432d19a986c9b47b15105ca43db0edb8 mupdf-1.18.0-source.tar.xz
+sha512sums="
+7551f18b9bac6e2dc1cf073741cbc975ce3a16dc7e37c9d5a58254c67bf2c07bb36185d6585e435d4126f3ae351f67d7432d19a986c9b47b15105ca43db0edb8 mupdf-1.18.0-source.tar.xz
a87c52da91b0fe14c952dc1f83f4492cf1d31d135fc66bc6fb5dcce622af8c740248e10392d7cdba7409373b81e24744aafd46dc1fe5fdfcc54c77555e27420c shared-lib.patch
-1d836c1a3f37c21ed349da799d5cb0c57d3fc275a632a42343cda81aae76394273c06230fc9c22a6d5366498b51a057d5a11797376a4b2af96b937618ba31e11 32e4e8b4bcbacbf92af7c.patch
-91620d0d429d2f4068e1834ec9466d9e9f9bfb363fba33247636e38651196580a89bd36785e42b31328070c42bd2210585ddabea8a0a970d72e7066e61804d6c b82e9b6d6b46877e5c376.patch
-67f5af701b2ea6a91346feaf6d12a91201af8d346a2cbc112503ada09f414dc13673a6b6f57e9ca03d20191e14f1e3fe46f484e2079b37a76e0be4249396f563 CVE-2021-3407.patch"
+811530c31c8af252b4fb4c9658d6378d004535bbf837e74c8538ff740bd3c8c293e050e05acb8745064cc82b7f514006323718933544623fd0abe245c5c27ff4 bug-fix-overflow.patch
+c7870dec59c935f4d0a147a155583c8725ccccc72b1df8b26d0ba1a8c3062d000a386b6021b40d16ebd9936f396b1d2a1a5c4849642248a3fb32d4d8ca32268b harden-pupulate-ui-against-unexpecter-repairs.patch
+4751a9ecb01063197c190a04efd51a0e62cd8bc59acda1dc75e04e35fd7640d825f6ebd51b92a2f458384a671eb9c5a56452f2185a820d26eae722996c187149 CVE-2021-3407.patch
+"
diff --git a/community/mupdf/CVE-2021-3407.patch b/community/mupdf/CVE-2021-3407.patch
new file mode 100644
index 00000000000..b5161ef566c
--- /dev/null
+++ b/community/mupdf/CVE-2021-3407.patch
@@ -0,0 +1,45 @@
+From cee7cefc610d42fd383b3c80c12cbc675443176a Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Fri, 22 Jan 2021 17:05:15 +0000
+Subject: [PATCH] Bug 703366: Fix double free of object during linearization.
+
+This appears to happen because we parse an illegal object from
+a broken file and assign it to object 0, which is defined to
+be free.
+
+Here, we fix the parsing code so this can't happen.
+---
+ source/pdf/pdf-parse.c | 6 ++++++
+ source/pdf/pdf-xref.c | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
+index 7abc8c3d41..5761c33517 100644
+--- a/source/pdf/pdf-parse.c
++++ b/source/pdf/pdf-parse.c
+@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
+ fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num);
+ }
+ gen = buf->i;
++ if (gen < 0 || gen >= 65536)
++ {
++ if (try_repair)
++ *try_repair = 1;
++ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen);
++ }
+
+ tok = pdf_lex(ctx, file, buf);
+ if (tok != PDF_TOK_OBJ)
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 1b2bdcd59d..30197b4b85 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ {
+ ofs = fz_tell(ctx, doc->file);
+ trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL);
++ if (num == 0)
++ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n");
+ }
+ fz_catch(ctx)
+ {
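Review bot: The added `num == 0` throw in pdf_read_new_xref fires after `trailer` already holds the object returned by pdf_parse_ind_obj, so it only avoids a leak if the `fz_catch` block that opens on the last line drops `trailer`. That body is outside the hunk and should be confirmed. The message also ends in `\n`, unlike the other fz_throw messages visible in this patch; `fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0");` would match them. In pdf_parse_ind_obj the bound `65536` would be easier to audit with a comment such as `/* generation numbers are limited to 0..65535 */`. Both functions start and end outside their hunks.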
diff --git a/community/mupdf/bug-fix-overflow.patch b/community/mupdf/bug-fix-overflow.patch
new file mode 100644
index 00000000000..acca0275d3b
--- /dev/null
+++ b/community/mupdf/bug-fix-overflow.patch
@@ -0,0 +1,41 @@
+From 32e4e8b4bcbacbf92af7c88337efae21986d9603 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 8 Oct 2020 18:10:28 +0100
+Subject: [PATCH] Bug 702958: Fix overflow in fz_clear_pixmap_with_value.
+
+---
+ source/fitz/pixmap.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index 66873d2146..80d8bb62fa 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -555,7 +555,8 @@ void
+ fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap *pix, int value)
+ {
+ unsigned char *s;
+- int w, h, n, stride, len;
++ int w, h, n;
++ ptrdiff_t stride, len;
+ int alpha = pix->alpha;
+
+ w = pix->w;
+@@ -572,7 +573,7 @@ fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap *pix, int value)
+
+ n = pix->n;
+ stride = pix->stride;
+- len = w * n;
++ len = (ptrdiff_t)w * n;
+
+ s = pix->samples;
+ if (value == 255 || !alpha)
+@@ -584,7 +585,7 @@ fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap *pix, int value)
+ }
+ while (h--)
+ {
+- memset(s, value, (unsigned int)len);
++ memset(s, value, len);
+ s += stride;
+ }
+ }
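Review bot: Widening `len` to `ptrdiff_t` only removes the overflow where `ptrdiff_t` is wider than `int`; on a 32-bit target `(ptrdiff_t)w * n` is still a 32-bit signed multiply and can overflow as before. `memset(s, value, len)` now converts `len` to `size_t` implicitly, so a negative product would become a very large byte count rather than being truncated by the old `(unsigned int)` cast. No range check on `w` or `n` is visible in these hunks (part of the function lies between them). If none exists there, a guard before the multiply such as `if (w < 0 || (n > 0 && w > PTRDIFF_MAX / n)) fz_throw(ctx, FZ_ERROR_GENERIC, "pixmap too large");` would make the bound explicit.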
diff --git a/community/mupdf/harden-pupulate-ui-against-unexpecter-repairs.patch b/community/mupdf/harden-pupulate-ui-against-unexpecter-repairs.patch
new file mode 100644
index 00000000000..890a9390672
--- /dev/null
+++ b/community/mupdf/harden-pupulate-ui-against-unexpecter-repairs.patch
@@ -0,0 +1,102 @@
+From b82e9b6d6b46877e5c3763cc3bc641c66fa7eb54 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 8 Oct 2020 16:15:40 +0100
+Subject: [PATCH] Bug 701297: Harden populate_ui against unexpected repairs.
+
+We count the number of layers, and allocate space for them in
+an array. We then walk the tree reading details of those layers
+in. If we hit a problem that causes a repair while reading the
+information, the number of layers can magically increase. In
+the existing code we run off the end of the array.
+
+In the new code we watch for hitting the end of the array and
+realloc as required.
+---
+ source/pdf/pdf-layer.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c
+index 177f0c9476..b8e9d7cad0 100644
+--- a/source/pdf/pdf-layer.c
++++ b/source/pdf/pdf-layer.c
+@@ -104,10 +104,27 @@ count_entries(fz_context *ctx, pdf_obj *obj)
+ }
+
+ static pdf_ocg_ui *
+-populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *order, int depth, pdf_obj *rbgroups, pdf_obj *locked)
++get_ocg_ui(fz_context *ctx, pdf_ocg_descriptor *desc, int fill)
++{
++ if (fill == desc->num_ui_entries)
++ {
++ /* Number of layers changed while parsing;
++ * probably due to a repair. */
++ int newsize = desc->num_ui_entries * 2;
++ if (newsize == 0)
++ newsize = 4; /* Arbitrary non-zero */
++ desc->ui = fz_realloc_array(ctx, desc->ui, newsize, pdf_ocg_ui);
++ desc->num_ui_entries = newsize;
++ }
++ return &desc->ui[fill];
++}
++
++static int
++populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, int fill, pdf_obj *order, int depth, pdf_obj *rbgroups, pdf_obj *locked)
+ {
+ int len = pdf_array_len(ctx, order);
+ int i, j;
++ pdf_ocg_ui *ui;
+
+ for (i = 0; i < len; i++)
+ {
+@@ -118,7 +135,7 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
+ continue;
+
+ fz_try(ctx)
+- ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
++ fill = populate_ui(ctx, desc, fill, o, depth+1, rbgroups, locked);
+ fz_always(ctx)
+ pdf_unmark_obj(ctx, o);
+ fz_catch(ctx)
+@@ -126,14 +143,14 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
+
+ continue;
+ }
+- ui->depth = depth;
+ if (pdf_is_string(ctx, o))
+ {
++ ui = get_ocg_ui(ctx, desc, fill++);
++ ui->depth = depth;
+ ui->ocg = -1;
+ ui->name = pdf_to_str_buf(ctx, o);
+ ui->button_flags = PDF_LAYER_UI_LABEL;
+ ui->locked = 1;
+- ui++;
+ continue;
+ }
+
+@@ -144,13 +161,14 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
+ }
+ if (j == desc->len)
+ continue; /* OCG not found in main list! Just ignore it */
++ ui = get_ocg_ui(ctx, desc, fill++);
++ ui->depth = depth;
+ ui->ocg = j;
+ ui->name = pdf_dict_get_string(ctx, o, PDF_NAME(Name), NULL);
+ ui->button_flags = pdf_array_contains(ctx, o, rbgroups) ? PDF_LAYER_UI_RADIOBOX : PDF_LAYER_UI_CHECKBOX;
+ ui->locked = pdf_array_contains(ctx, o, locked);
+- ui++;
+ }
+- return ui;
++ return fill;
+ }
+
+ static void
+@@ -188,7 +206,7 @@ load_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_obj *ocprops, pdf_obj *oc
+ desc->ui = Memento_label(fz_calloc(ctx, count, sizeof(pdf_ocg_ui)), "pdf_ocg_ui");
+ fz_try(ctx)
+ {
+- (void)populate_ui(ctx, desc, desc->ui, order, 0, rbgroups, locked);
++ desc->num_ui_entries = populate_ui(ctx, desc, 0, order, 0, rbgroups, locked);
+ }
+ fz_catch(ctx)
+ {
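Review bot: In get_ocg_ui the array first allocated with `fz_calloc` is grown with `fz_realloc_array`, which leaves the new tail uninitialised while `desc->num_ui_entries` is set to the new capacity. If populate_ui throws after a growth, `num_ui_entries` then counts slots that were never filled. Whether the `fz_catch` in load_ui copes with that cannot be seen, because its body is outside the hunk. Zeroing the tail before updating the count would keep the calloc invariant: `memset(desc->ui + desc->num_ui_entries, 0, (newsize - desc->num_ui_entries) * sizeof(pdf_ocg_ui));`. The test `fill == desc->num_ui_entries` would also be more defensive as `fill >= desc->num_ui_entries`. A comment that the field is the capacity during population and the entry count afterwards would help the next reader.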