pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/print/mupdf mupdf: Backport patches to address CVE-201...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/a0e37283a5b1
branches:  trunk
changeset: 336051:a0e37283a5b1
user:      leot <leot%pkgsrc.org@localhost>
date:      Sat Jul 06 11:27:48 2019 +0000

description:
mupdf: Backport patches to address CVE-2019-13290

Bump PKGREVISION

diffstat:

 print/mupdf/Makefile                                |   3 +-
 print/mupdf/distinfo                                |   3 +-
 print/mupdf/patches/patch-source_fitz_list-device.c |  48 +++++++++++++++++++++
 3 files changed, 52 insertions(+), 2 deletions(-)

diffs (81 lines):

diff -r 5e74b6c3996c -r a0e37283a5b1 print/mupdf/Makefile
--- a/print/mupdf/Makefile      Sat Jul 06 09:48:43 2019 +0000
+++ b/print/mupdf/Makefile      Sat Jul 06 11:27:48 2019 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.68 2019/05/13 11:03:58 leot Exp $
+# $NetBSD: Makefile,v 1.69 2019/07/06 11:27:48 leot Exp $
 
 DISTNAME=      mupdf-1.15.0-source
 PKGNAME=       ${DISTNAME:S/-source//}
+PKGREVISION=   1
 CATEGORIES=    print
 MASTER_SITES=  https://mupdf.com/downloads/archive/
 
diff -r 5e74b6c3996c -r a0e37283a5b1 print/mupdf/distinfo
--- a/print/mupdf/distinfo      Sat Jul 06 09:48:43 2019 +0000
+++ b/print/mupdf/distinfo      Sat Jul 06 11:27:48 2019 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.45 2019/05/17 05:45:10 wiz Exp $
+$NetBSD: distinfo,v 1.46 2019/07/06 11:27:48 leot Exp $
 
 SHA1 (mupdf-1.15.0-source.tar.gz) = 4354a1c7245d4351ba604a4deed4a4ecf3e27492
 RMD160 (mupdf-1.15.0-source.tar.gz) = 892247f12a9e85d384c6cbc6c5a394d36e783158
@@ -10,5 +10,6 @@
 SHA1 (patch-ae) = c6b113818b32cb4470e8549c00a16e0b2f364ede
 SHA1 (patch-platform_gl_gl-app.h) = f8682b54821a560b2ba1082bcf215eeefb549644
 SHA1 (patch-platform_gl_gl-main.c) = edff1aa77c4d6af59b2eca442340606a0bae9970
+SHA1 (patch-source_fitz_list-device.c) = ea8ca9df49c16a91546ab05e8f3e57b1308c2278
 SHA1 (patch-source_fitz_load-jpx.c) = 161d21bca13bb57db37807aec844c85dc5b34157
 SHA1 (patch-thirdparty_mujs_Makefile) = 833e44f4e23d2a6ff61e6276feede4892feeb9bb
diff -r 5e74b6c3996c -r a0e37283a5b1 print/mupdf/patches/patch-source_fitz_list-device.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/mupdf/patches/patch-source_fitz_list-device.c       Sat Jul 06 11:27:48 2019 +0000
@@ -0,0 +1,48 @@
+$NetBSD: patch-source_fitz_list-device.c,v 1.1 2019/07/06 11:27:48 leot Exp $
+
+Backport commits ed19bc806809ad10c4ddce515d375581b86ede85 and
+aaf794439e40a2ef544f15b50c20e657414dec7a to address CVE-2019-13290.
+
+Commit ed19bc806809ad10c4ddce515d375581b86ede85:
+> Bug 701118: Handle appending large display list nodes.
+> 
+> The size of the begin layer node depends on the size of the layer
+> name. That name may be a string from the page's property resources,
+> and is only bounded by memory when parsed by lex_string(). So the
+> append_list_node() logic cannot simply double the size of the
+> display list and hope that the node fits, since the node may be
+> of arbitrary size.
+> 
+> Now append_list_node() would repeatedly double the size of the
+> display list until the node fits, or malloc() runs out of memory.
+
+Commit aaf794439e40a2ef544f15b50c20e657414dec7a:
+> Bug 701118: Limit size of begin layer nodes in display list.
+> 
+> The size of the begin layer node depends on the size of the layer
+> name. That name may be a string from the page's property resources,
+> and is only bounded by memory when parsed by lex_string(). The
+> layer name may cause a display node to be larger than the maximum
+> size allowed. This condition is now checked for.
+
+--- source/fitz/list-device.c.orig
++++ source/fitz/list-device.c
+@@ -462,6 +462,9 @@ fz_append_display_node(
+       }
+       if (private_data != NULL)
+       {
++              int max = SIZE_IN_NODES(MAX_NODE_SIZE) - size;
++              if (SIZE_IN_NODES(private_data_len) > max)
++                      fz_throw(ctx, FZ_ERROR_GENERIC, "Private data too large to pack into display list node");
+               private_off = size;
+               size += SIZE_IN_NODES(private_data_len);
+       }
+@@ -466,7 +466,7 @@ fz_append_display_node(
+               size += SIZE_IN_NODES(private_data_len);
+       }
+ 
+-      if (list->len + size > list->max)
++      while (list->len + size > list->max)
+       {
+               int newsize = list->max * 2;
+               fz_display_node *old = list->list;



Home | Main Index | Thread Index | Old Index