Commit 7b325b9c authored by Kan-Ru Chen's avatar Kan-Ru Chen

d/patches: Fix CVE-2018-6544 / CVE-2018-1000051

Closes: #891245
parent f30ba84c
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Tue, 19 Dec 2017 23:47:47 +0100
Subject: Bug 698825: Do not drop borrowed colorspaces.
Previously the borrowed colorspace was dropped when updating annotation
appearances, leading to use after free warnings from valgrind/ASAN.
---
source/pdf/pdf-appearance.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/source/pdf/pdf-appearance.c b/source/pdf/pdf-appearance.c
index 70f684f..d7a1ddd 100644
--- a/source/pdf/pdf-appearance.c
+++ b/source/pdf/pdf-appearance.c
@@ -2170,7 +2170,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
fz_device *dev = NULL;
font_info font_rec;
fz_text *text = NULL;
- fz_colorspace *cs = NULL;
fz_matrix page_ctm;
pdf_page_transform(ctx, annot->page, NULL, &page_ctm);
@@ -2184,11 +2183,11 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
fz_var(dlist);
fz_var(dev);
fz_var(text);
- fz_var(cs);
fz_try(ctx)
{
char *contents = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_Contents));
char *da = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_DA));
+ fz_colorspace *cs;
fz_point pos;
fz_rect rect;
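Review bot: The new `fz_colorspace *cs;` at the top of the fz_try body is declared without an initializer and without the `/* Borrowed reference */` comment that the sibling change in pdf_set_signature_appearance carries, so the next reader has to go looking for where cs is assigned and who owns it; the assignment is outside this hunk. Since the whole point of the patch is that cs must never be dropped, I would say so at the declaration: `fz_colorspace *cs; /* Borrowed reference, not dropped */`. If cs can be read before that later assignment, initialize it to NULL as well. pdf_update_free_text_annot_appearance continues past the end of the hunk.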
@@ -2223,7 +2222,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
fz_drop_display_list(ctx, dlist);
font_info_fin(ctx, &font_rec);
fz_drop_text(ctx, text);
- fz_drop_colorspace(ctx, cs);
}
fz_catch(ctx)
{
@@ -2359,7 +2357,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
fz_device *dev = NULL;
font_info font_rec;
fz_text *text = NULL;
- fz_colorspace *cs = NULL;
fz_path *path = NULL;
fz_buffer *fzbuf = NULL;
fz_matrix page_ctm;
@@ -2375,7 +2372,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
fz_var(dlist);
fz_var(dev);
fz_var(text);
- fz_var(cs);
fz_var(fzbuf);
fz_try(ctx)
{
@@ -2384,6 +2380,7 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
fz_rect logo_bounds;
fz_matrix logo_tm;
fz_rect rect;
+ fz_colorspace *cs = fz_device_rgb(ctx); /* Borrowed reference */
pdf_to_rect(ctx, pdf_dict_get(ctx, annot->obj, PDF_NAME_Rect), &annot_rect);
rect = annot_rect;
@@ -2396,7 +2393,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
fz_bound_path(ctx, path, NULL, &fz_identity, &logo_bounds);
center_rect_within_rect(&logo_bounds, &rect, &logo_tm);
fz_concat(&logo_tm, &logo_tm, &page_ctm);
- cs = fz_device_rgb(ctx); /* Borrowed reference */
fz_fill_path(ctx, dev, path, 0, &logo_tm, cs, logo_color, 1.0f, NULL);
get_font_info(ctx, doc, dr, da, &font_rec);
From: Kan-Ru Chen <kanru@kanru.info>
Date: Wed, 14 Mar 2018 21:18:02 +0900
Subject: CVE-2018-6544
author Sebastian Rasmussen <sebras@gmail.com>
Fri, 2 Feb 2018 00:36:14 +0900 (16:36 +0100)
Bug 698830: Avoid recursion when loading object streams objects.
If there were indirect references in the object stream dictionary and
one of those indirect references referred to an object inside the object
stream itself, mupdf would previously enter recursion only bounded by the
exception stack. After this commit the object stream is checked if it is
marked immediately after being loaded. If it is marked then we terminate
the recursion at this point, if it is not marked then mark it and
attempt to load the desired object within. We also take care to unmark
the stream object when done or upon exception.
author Sebastian Rasmussen <sebras@gmail.com>
Mon, 29 Jan 2018 10:00:48 +0900 (02:00 +0100)
Bug 698830: Don't drop unkept stream if running out of error stack.
Under normal conditions where fz_keep_stream() is called inside
fz_try() we may call fz_drop_stream() in fz_catch() upon exceptions.
The issue comes when fz_keep_stream() has not yet been called but is
dropped in fz_catch(). This happens in the PDF from the bug when
fz_try() runs out of exception stack, and next the code in fz_catch()
runs, dropping the caller's reference to the filter chain stream!
The simplest way of fixing this is to always keep the filter chain
stream before fz_try() is called. That way fz_catch() may drop the
stream whether an exception has occurred or if the fz_try() ran out of
exception stack.
---
source/pdf/pdf-stream.c | 5 ++---
source/pdf/pdf-xref.c | 14 ++++++++++++++
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
index c89da5c..c6ba7ad 100644
--- a/source/pdf/pdf-stream.c
+++ b/source/pdf/pdf-stream.c
@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_ob
*orig_gen = 0;
}
- fz_var(chain);
+ chain = fz_keep_stream(ctx, chain);
fz_try(ctx)
{
len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length));
- /* don't close chain when we close this filter */
- chain2 = fz_keep_stream(ctx, chain);
+ chain2 = chain;
chain = NULL;
chain = fz_open_null(ctx, chain2, len, offset);
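Review bot: Dropping `fz_var(chain);` looks unsafe here: chain is still reassigned inside the fz_try body (`chain = NULL;` and then `chain = fz_open_null(...)`), and per the commit message it is read again in fz_catch, which is outside this hunk. A non-volatile automatic variable modified between setjmp and longjmp has an indeterminate value after the longjmp, so if fz_open_null throws the catch block may see the pre-try value and drop the reference that was already handed to fz_open_null via chain2. Keeping the kept reference before the try is right; I would keep the guard alongside it, i.e. `chain = fz_keep_stream(ctx, chain);` followed by `fz_var(chain);` before `fz_try(ctx)`. pdf_open_raw_filter's fz_catch continues past the end of the hunk.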
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 00586db..6f46f4a 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -1596,6 +1596,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
{
objstm = pdf_load_object(ctx, doc, num);
+ if (pdf_obj_marked(ctx, objstm))
+ fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup");
+ }
+ fz_catch(ctx)
+ {
+ pdf_drop_obj(ctx, objstm);
+ fz_rethrow(ctx);
+ }
+
+ fz_try(ctx)
+ {
+ pdf_mark_obj(ctx, objstm);
+
count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
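Review bot: The new first fz_catch calls `pdf_drop_obj(ctx, objstm)` after a failed `pdf_load_object`, which is only safe if objstm is NULL-initialized and covered by `fz_var(objstm)` before the fz_try; both the declaration and the fz_try line are outside this hunk, so please confirm. Given that, the recursion guard itself reads correctly: the marked check runs before anything else in the stream is touched, and the second fz_try marks the object immediately so any nested lookup that comes back to this stream throws instead of recursing. One wording nit on the error: `"recursive object stream lookup"` could name the stream, e.g. `"recursive object stream lookup (%d 0 R)", num`, which makes the malformed-PDF case much easier to diagnose. pdf_load_obj_stm continues past the end of the hunk.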
@@ -1675,6 +1688,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
fz_drop_stream(ctx, stm);
fz_free(ctx, ofsbuf);
fz_free(ctx, numbuf);
+ pdf_unmark_obj(ctx, objstm);
pdf_drop_obj(ctx, objstm);
}
fz_catch(ctx)
0001-mupdf_manpage.patch 0001-mupdf_manpage.patch
0002-Fix-build-with-system-libopjnjp2.patch 0002-Fix-build-with-system-libopjnjp2.patch
0003-Sort-files-in-static-library-to-make-the-build-repro.patch 0003-Sort-files-in-static-library-to-make-the-build-repro.patch
0004-CVE-2018-1000051.patch
0005-CVE-2018-6544.patch