Control: tags 971595 + patch
Control: tags 971595 + pending

Dear maintainer,

I've prepared an NMU for mupdf (versioned as 1.17.0+ds1-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I should
delay it longer.

Regards,
Salvatore
diff -Nru mupdf-1.17.0+ds1/debian/changelog mupdf-1.17.0+ds1/debian/changelog
--- mupdf-1.17.0+ds1/debian/changelog	2020-08-06 14:48:09.000000000 +0200
+++ mupdf-1.17.0+ds1/debian/changelog	2020-11-03 21:09:06.000000000 +0100
@@ -1,3 +1,11 @@
+mupdf (1.17.0+ds1-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Detect/avoid overflow when calculating sizes of pixmaps (CVE-2020-26519)
+    (Closes: #971595)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Tue, 03 Nov 2020 21:09:06 +0100
+
 mupdf (1.17.0+ds1-1) unstable; urgency=medium
 
   [ Bastian Germann ]
diff -Nru mupdf-1.17.0+ds1/debian/patches/0011-Bug-702857-Detect-avoid-overflow-when-calculating-si.patch mupdf-1.17.0+ds1/debian/patches/0011-Bug-702857-Detect-avoid-overflow-when-calculating-si.patch
--- mupdf-1.17.0+ds1/debian/patches/0011-Bug-702857-Detect-avoid-overflow-when-calculating-si.patch	1970-01-01 01:00:00.000000000 +0100
+++ mupdf-1.17.0+ds1/debian/patches/0011-Bug-702857-Detect-avoid-overflow-when-calculating-si.patch	2020-11-03 21:09:06.000000000 +0100
@@ -0,0 +1,50 @@
+From: Robin Watts <robin.wa...@artifex.com>
+Date: Fri, 25 Sep 2020 13:19:48 +0100
+Subject: Bug 702857: Detect/avoid overflow when calculating sizes of pixmaps.
+Origin: https://git.ghostscript.com/?p=mupdf.git;a=commit;h=af1e390a2c7abceb32676ec684cd1dbb92907ce8
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=702937
+Bug-Debian: https://bugs.debian.org/971595
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-26519
+
+Throw an error when trying to allocate an overly large pixmap.
+---
+ source/fitz/pixmap.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index f847a747323e..66873d214628 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -76,12 +76,12 @@ fz_new_pixmap_with_data(fz_context *ctx, fz_colorspace *colorspace, int w, int h
+ 	}
+ 
+ 	pix->samples = samples;
+-	if (!samples)
++	if (!samples && pix->h > 0 && pix->w > 0)
+ 	{
+ 		fz_try(ctx)
+ 		{
+-			if (pix->stride - 1 > INT_MAX / pix->n)
+-				fz_throw(ctx, FZ_ERROR_GENERIC, "overly wide image");
++			if (pix->stride > INT_MAX / pix->h)
++				fz_throw(ctx, FZ_ERROR_GENERIC, "Overly large image");
+ 			pix->samples = Memento_label(fz_malloc(ctx, pix->h * pix->stride), "pixmap_data");
+ 		}
+ 		fz_catch(ctx)
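Review bot: The replacement guard `if (pix->stride > INT_MAX / pix->h)` only bounds stride from above, so a negative stride passes it and `pix->h * pix->stride` then reaches fz_malloc as a negative product. The removed check tied stride to pix->n; nothing in this function now relates stride to the pixel width. If callers other than fz_new_pixmap can pass their own stride with samples == NULL, consider also rejecting `pix->stride < 0` here. Separately, the widened condition `!samples && pix->h > 0 && pix->w > 0` means a pixmap with a non-positive dimension silently keeps pix->samples NULL and raises no error. A one-line comment saying this is intended would help anyone auditing users of pix->samples.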
+@@ -102,8 +102,12 @@ fz_new_pixmap(fz_context *ctx, fz_colorspace *colorspace, int w, int h, fz_separ
+ {
+ 	int stride;
+ 	int s = fz_count_active_separations(ctx, seps);
++	int n;
+ 	if (!colorspace && s == 0) alpha = 1;
+-	stride = (fz_colorspace_n(ctx, colorspace) + s + alpha) * w;
++	n = fz_colorspace_n(ctx, colorspace) + s + alpha;
++	if (w > INT_MAX / n)
++		fz_throw(ctx, FZ_ERROR_GENERIC, "Overly wide image");
++	stride = n * w;
+ 	return fz_new_pixmap_with_data(ctx, colorspace, w, h, seps, alpha, stride, NULL);
+ }
+ 
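Review bot: The new check `if (w > INT_MAX / n)` assumes n > 0 and w >= 0, and neither is established in the visible lines. alpha is forced to 1 only when there is no colorspace and s == 0, so if fz_colorspace_n can return 0 for a non-NULL colorspace with s == 0 and alpha == 0, the division is by zero. A negative w also passes the comparison and produces a negative stride, leaving fz_new_pixmap_with_data's `pix->w > 0` test as the only thing that stops it. Suggest an explicit `n <= 0` or `w < 0` rejection before the division, or a comment stating why those cases cannot occur.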
+-- 
+2.29.1
+
diff -Nru mupdf-1.17.0+ds1/debian/patches/series mupdf-1.17.0+ds1/debian/patches/series
--- mupdf-1.17.0+ds1/debian/patches/series	2020-08-06 01:22:24.000000000 +0200
+++ mupdf-1.17.0+ds1/debian/patches/series	2020-11-03 21:09:06.000000000 +0100
@@ -7,3 +7,4 @@
 0007-mupdf-x11-does-not-need-to-link-to-libcrypto.patch
 0008-Build-mupdf-without-executable-stack.patch
 0010-Prevent-thirdparty-archive-build.patch
+0011-Bug-702857-Detect-avoid-overflow-when-calculating-si.patch
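Review bot: The patch name added to the series carries Bug-702857, matching the Subject line of the patch, but the patch's own `Bug:` header links to show_bug.cgi?id=702937. Worth confirming which upstream bug id is correct and making the DEP-3 header and the subject agree, so the reference can be followed from either place.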
