Control: tags 832031 + patch
Control: tags 832031 + pending

Dear maintainer,

I've prepared an NMU for mupdf (versioned as 1.9a+ds1-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru mupdf-1.9a+ds1/debian/changelog mupdf-1.9a+ds1/debian/changelog
--- mupdf-1.9a+ds1/debian/changelog	2016-07-06 20:02:07.000000000 +0200
+++ mupdf-1.9a+ds1/debian/changelog	2016-08-01 14:17:57.000000000 +0200
@@ -1,3 +1,11 @@
+mupdf (1.9a+ds1-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-6265: Use after free vulnerability in pdf_xref.c
+    (Closes: #832031)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Mon, 01 Aug 2016 14:17:20 +0200
+
 mupdf (1.9a+ds1-1) unstable; urgency=medium
 
   * New upstream release (Closes: #819101)
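Review bot: The new changelog entry names the affected file as "pdf_xref.c", but the patch added in this same upload touches source/pdf/pdf-xref.c (hyphen, not underscore). Suggest using the real path in the entry and naming the patch that was added (debian/patches/0006-CVE-2016-6265.patch), so the changelog can be matched against the source tree and the series file.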
diff -Nru mupdf-1.9a+ds1/debian/patches/0006-CVE-2016-6265.patch mupdf-1.9a+ds1/debian/patches/0006-CVE-2016-6265.patch
--- mupdf-1.9a+ds1/debian/patches/0006-CVE-2016-6265.patch	1970-01-01 01:00:00.000000000 +0100
+++ mupdf-1.9a+ds1/debian/patches/0006-CVE-2016-6265.patch	2016-08-01 14:17:57.000000000 +0200
@@ -0,0 +1,36 @@
+From fa1936405b6a84e5c9bb440912c23d532772f958 Mon Sep 17 00:00:00 2001
+From: Robin Watts <robin.wa...@artifex.com>
+Date: Thu, 21 Jul 2016 15:39:11 +0100
+Subject: [PATCH] Bug 696941: Fix use after free.
+
+The file is HORRIBLY corrupt, and triggers Sophos to think it's
+PDF malware (which it isn't). It does however trigger a use
+after free, worked around here.
+---
+ source/pdf/pdf-xref.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 576c315..3222599 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ 				fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i);
+ 		}
+ 		if (entry->type == 'o')
+-			if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')
+-				fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);
++		{
++			/* Read this into a local variable here, because pdf_get_xref_entry
++			 * may solidify the xref, hence invalidating "entry", meaning we
++			 * need a stashed value for the throw. */
++			fz_off_t ofs = entry->ofs;
++			if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')
++				fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);
++		}
+ 	}
+ }
+ 
+-- 
+2.9.1
+
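Review bot: In the added block in pdf_load_xref, the stashed "ofs" is an fz_off_t but the throw still formats it with %d after an (int) cast. If fz_off_t is wider than int on the build, an out-of-range offset is printed truncated in the very error path that reports it, so consider a wider format and cast here. The local copy does remove the read of entry->ofs after pdf_get_xref_entry; the comment could also state that "entry" must not be dereferenced again after that call, to protect later edits to the loop. On the packaging side, the patch header carries only the upstream From/Date/Subject lines; adding Origin and Bug-Debian fields that reference #832031 would make the provenance readable from the patch file itself.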
diff -Nru mupdf-1.9a+ds1/debian/patches/series mupdf-1.9a+ds1/debian/patches/series
--- mupdf-1.9a+ds1/debian/patches/series	2016-07-06 19:33:00.000000000 +0200
+++ mupdf-1.9a+ds1/debian/patches/series	2016-08-01 14:17:57.000000000 +0200
@@ -3,3 +3,4 @@
 0003-Fix-build-with-libopenjp2.patch
 0004-Fix-build-with-system-gl-and-glfw.patch
 0005-Don-t-communicate-via-tty.patch
+0006-CVE-2016-6265.patch
