Commit d60d42f7 authored by Kan-Ru Chen's avatar Kan-Ru Chen

d/patches: import upstream fixes for various bugs

Fixes CVE-2018-18662, CVE-2019-6131, CVE-2019-6130

Closes: #912013, #918970, #918971
parent 676ebc04
From: Tor Andersson <tor.andersson@artifex.com>
Date: Mon, 5 Nov 2018 17:49:09 +0100
Subject: [PATCH] Fix 700043: Don't assume a font is t3 just because
fz_outline_glyph fails.
Origin: https://bugs.ghostscript.com/show_bug.cgi?id=700043
---
source/fitz/svg-device.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/source/fitz/svg-device.c b/source/fitz/svg-device.c
index d0d9f50..59bea97 100644
--- a/source/fitz/svg-device.c
+++ b/source/fitz/svg-device.c
@@ -471,27 +471,28 @@ svg_dev_text_span_as_paths_defs(fz_context *ctx, fz_device *dev, fz_text_span *s
/* Need to send this one */
fz_rect rect;
fz_path *path;
- path = fz_outline_glyph(ctx, span->font, gid, fz_identity);
- if (path)
+ out = start_def(ctx, sdev);
+ fz_write_printf(ctx, out, "<symbol id=\"font_%x_%x\">\n", fnt->id, gid);
+ if (fz_font_ft_face(ctx, span->font))
{
- rect = fz_bound_path(ctx, path, NULL, fz_identity);
- shift.e = -rect.x0;
- shift.f = -rect.y0;
- fz_transform_path(ctx, path, shift);
- out = start_def(ctx, sdev);
- fz_write_printf(ctx, out, "<symbol id=\"font_%x_%x\">\n", fnt->id, gid);
- fz_write_printf(ctx, out, "<path");
- svg_dev_path(ctx, sdev, path);
- fz_write_printf(ctx, out, "/>\n");
- fz_drop_path(ctx, path);
+ path = fz_outline_glyph(ctx, span->font, gid, fz_identity);
+ if (path)
+ {
+ rect = fz_bound_path(ctx, path, NULL, fz_identity);
+ shift.e = -rect.x0;
+ shift.f = -rect.y0;
+ fz_transform_path(ctx, path, shift);
+ fz_write_printf(ctx, out, "<path");
+ svg_dev_path(ctx, sdev, path);
+ fz_write_printf(ctx, out, "/>\n");
+ fz_drop_path(ctx, path);
+ }
}
- else
+ else if (fz_font_t3_procs(ctx, span->font))
{
rect = fz_bound_glyph(ctx, span->font, gid, fz_identity);
shift.e = -rect.x0;
shift.f = -rect.y0;
- out = start_def(ctx, sdev);
- fz_write_printf(ctx, out, "<symbol id=\"font_%x_%x\">\n", fnt->id, gid);
fz_run_t3_glyph(ctx, span->font, gid, shift, dev);
}
fz_write_printf(ctx, out, "</symbol>\n");
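Review bot: In the `fz_font_ft_face` branch `path` is released only on the straight-line route, so a throw from `fz_write_printf` or `svg_dev_path` between `fz_outline_glyph` and `fz_drop_path` would leak it. Wrapping that stretch in `fz_try`/`fz_always` closes the gap. The hunk also moves `start_def` and the `<symbol>` opening ahead of `fz_outline_glyph`, so if that call can throw, the definition is left open; whether a caller restores that state is not visible here. A font that is neither FreeType nor Type 3, or a FreeType glyph with no outline, now yields an empty `<symbol>` with no diagnostic, which deserves a one-line comment if intended. The function starts and ends outside the hunk.

```c
path = fz_outline_glyph(ctx, span->font, gid, fz_identity);
if (path)
{
	fz_try(ctx)
	{
		/* … unchanged: bound, shift and transform the path, then write the <path> element … */
	}
	fz_always(ctx)
		fz_drop_path(ctx, path);
	fz_catch(ctx)
		fz_rethrow(ctx);
}
```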
From: Tor Andersson <tor.andersson@artifex.com>
Date: Tue, 8 Jan 2019 11:44:59 +0100
Subject: [PATCH] Bug 700442: Add a recursion depth check to prevent infinite
recursion.
Origin: https://bugs.ghostscript.com/show_bug.cgi?id=700442
---
source/svg/svg-run.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/source/svg/svg-run.c b/source/svg/svg-run.c
index 9429786..a117e2b 100644
--- a/source/svg/svg-run.c
+++ b/source/svg/svg-run.c
@@ -10,12 +10,15 @@
#define DEF_HEIGHT 792
#define DEF_FONTSIZE 12
+#define MAX_USE_DEPTH 100
+
typedef struct svg_state_s svg_state;
struct svg_state_s
{
fz_matrix transform;
fz_stroke_state stroke;
+ int use_depth;
float viewport_w, viewport_h;
float viewbox_w, viewbox_h, viewbox_size;
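Review bot: `MAX_USE_DEPTH` and the new `use_depth` field are added without a comment, and nothing explains why the limit is 100. I would put `/* Upper bound on nested <use> references; stops self-referencing documents from recursing without limit. */` above the define and `/* current <use> nesting level */` beside the field. The struct definition continues past the end of the hunk.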
@@ -1032,6 +1035,12 @@ svg_run_use(fz_context *ctx, fz_device *dev, svg_document *doc, fz_xml *root, co
float x = 0;
float y = 0;
+ if (++local_state.use_depth > MAX_USE_DEPTH)
+ {
+ fz_warn(ctx, "svg: too much recursion");
+ return;
+ }
+
svg_parse_common(ctx, doc, root, &local_state);
if (x_att) x = svg_parse_length(x_att, local_state.viewbox_w, local_state.fontsize);
if (y_att) y = svg_parse_length(y_att, local_state.viewbox_h, local_state.fontsize);
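Review bot: The new check in `svg_run_use` caps how deeply `<use>` references nest but not how many are expanded in total. A document whose referenced content holds several `<use>` elements per level can still demand a very large amount of work while staying under 100 levels. Since the counter lives in `local_state`, which appears to be a per-call copy of the inherited state, sibling expansions do not share it. A second budget kept in a structure shared by the whole run, such as the document, would bound the total as well. The warning `"svg: too much recursion"` would also be easier to act on if it said the limit was hit on a `<use>` element. The function body starts and ends outside the hunk.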
@@ -1164,6 +1173,7 @@ svg_run_document(fz_context *ctx, svg_document *doc, fz_xml *root, fz_device *de
/* Initial graphics state */
state.transform = ctm;
state.stroke = fz_default_stroke_state;
+ state.use_depth = 0;
state.viewport_w = DEF_WIDTH;
state.viewport_h = DEF_HEIGHT;
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Wed, 26 Sep 2018 03:31:05 +0800
Subject: [PATCH] Throw when page number is out of range.
Other code depends on this and does not handle
a page pointer being NULL well.
Origin: https://bugs.ghostscript.com/show_bug.cgi?id=700446
---
source/cbz/mucbz.c | 2 +-
source/cbz/muimg.c | 2 +-
source/svg/svg-doc.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/source/cbz/mucbz.c b/source/cbz/mucbz.c
index 5cbdf0c..3aef043 100644
--- a/source/cbz/mucbz.c
+++ b/source/cbz/mucbz.c
@@ -181,7 +181,7 @@ cbz_load_page(fz_context *ctx, fz_document *doc_, int number)
fz_buffer *buf = NULL;
if (number < 0 || number >= doc->page_count)
- return NULL;
+ fz_throw(ctx, FZ_ERROR_GENERIC, "cannot load page %d", number);
fz_var(page);
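Review bot: The new error text in `cbz_load_page` reports only the rejected index, and the three loaders touched by this patch do not use the same wording. This hunk and the `img_load_page` one say `"cannot load page %d"`, while `svg_load_page` says `"cannot find page %d"`. Including the valid range makes an out-of-range request easier to diagnose in logs. For example, `fz_throw(ctx, FZ_ERROR_GENERIC, "cannot load page %d (document has %d pages)", number, doc->page_count);`, assuming `page_count` is an `int`. One message should then be used in all three places. The function continues outside the hunk.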
diff --git a/source/cbz/muimg.c b/source/cbz/muimg.c
index b54371f..fb07530 100644
--- a/source/cbz/muimg.c
+++ b/source/cbz/muimg.c
@@ -82,7 +82,7 @@ img_load_page(fz_context *ctx, fz_document *doc_, int number)
img_page *page = NULL;
if (number < 0 || number >= doc->page_count)
- return NULL;
+ fz_throw(ctx, FZ_ERROR_GENERIC, "cannot load page %d", number);
fz_var(pixmap);
fz_var(image);
diff --git a/source/svg/svg-doc.c b/source/svg/svg-doc.c
index 112368c..8ac20cb 100644
--- a/source/svg/svg-doc.c
+++ b/source/svg/svg-doc.c
@@ -55,7 +55,7 @@ svg_load_page(fz_context *ctx, fz_document *doc_, int number)
svg_page *page;
if (number != 0)
- return NULL;
+ fz_throw(ctx, FZ_ERROR_GENERIC, "cannot find page %d", number);
page = fz_new_derived_page(ctx, svg_page);
page->super.bound_page = svg_bound_page;
...@@ -5,3 +5,6 @@ ...@@ -5,3 +5,6 @@
0005-MuPDF-crossbuild-use-host-cc-for-utils.patch 0005-MuPDF-crossbuild-use-host-cc-for-utils.patch
0006-Allow-disabling-objcopy.patch 0006-Allow-disabling-objcopy.patch
0007-typographical-and-formatting-fixes-to-the-manual.patch 0007-typographical-and-formatting-fixes-to-the-manual.patch
0008-PATCH-Fix-700043-Don-t-assume-a-font-is-t3-just-beca.patch
0009-PATCH-Bug-700442-Add-a-recursion-depth-check-to-prev.patch
0010-PATCH-Throw-when-page-number-is-out-of-range.patch