Hello community, here is the log from the commit of package mupdf for openSUSE:Factory checked in at 2014-02-18 14:45:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mupdf (Old) and /work/SRC/openSUSE:Factory/.mupdf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mupdf"
Changes:
--------
--- /work/SRC/openSUSE:Factory/mupdf/mupdf.changes 2014-01-06 17:45:42.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.mupdf.new/mupdf.changes 2014-02-18 14:45:21.000000000 +0100
@@ -1,0 +2,6 @@
+Fri Feb 14 10:04:23 UTC 2014 - g...@opensuse.org
+
+- add mupdf-fix-array-overflow.patch in order to fix a stack-based
+ buffer overflow in xps_parse_color() (bnc#863975)
+
+-------------------------------------------------------------------
New:
----
mupdf-fix-array-overflow.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mupdf.spec ++++++
--- /var/tmp/diff_new_pack.Fmb1ZT/_old 2014-02-18 14:45:22.000000000 +0100
+++ /var/tmp/diff_new_pack.Fmb1ZT/_new 2014-02-18 14:45:22.000000000 +0100
@@ -29,6 +29,8 @@
 Source2: mupdf.png
 # PATCH-FIX-OPENSUSE mupdf-fix-openjpeg2.patch g...@opensuse.org -- Fix cflags, libs of openjpeg2 on openSUSE
 Patch0: mupdf-fix-openjpeg2.patch
+# PATCH-FIX-UPSTREAM mupdf-fix-array-overflow.patch http://bugs.ghostscript.com/show_bug.cgi?id=694957 bnc#863975 g...@opensuse.org -- Fix stack-based buffer overflow in xps_parse_color()
+Patch1: mupdf-fix-array-overflow.patch
 BuildRequires: freetype-devel
 BuildRequires: gcc-c++
 BuildRequires: jbig2dec-devel
@@ -73,6 +75,7 @@
 rm -rf thirdparty
 %patch0 -p1
+%patch1 -p1
 mkdir docs/examples
 for src in docs/*.c; do
++++++ mupdf-fix-array-overflow.patch ++++++
From: Simon Bünzli <zen...@gmail.com>
Date: Thu, 16 Jan 2014 21:04:51 +0000 (+0100)
Subject: Bug 694957: fix stack buffer overflow in xps_parse_color
X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff_plain;h=60dabde18d7fe12b19da8b509bdfee9cc886aafc

Bug 694957: fix stack buffer overflow in xps_parse_color

xps_parse_color happily reads more than FZ_MAX_COLORS values out of a ContextColor array which overflows the passed in samples array. Limiting the number of allowed samples to FZ_MAX_COLORS and make sure to use that constant for all callers fixes the problem. Thanks to Jean-Jamil Khalifé for reporting and investigating the issue and providing a sample exploit file.
---
diff --git a/source/xps/xps-common.c b/source/xps/xps-common.c
index b780f42..32a30ba 100644
--- a/source/xps/xps-common.c
+++ b/source/xps/xps-common.c
@@ -89,7 +89,7 @@ xps_begin_opacity(xps_document *doc, const fz_matrix *ctm, const fz_rect *area,
 if (scb_color_att)
 {
 fz_colorspace *colorspace;
-float samples[32];
+float samples[FZ_MAX_COLORS];
 xps_parse_color(doc, base_uri, scb_color_att, &colorspace, samples);
 opacity = opacity * samples[0];
 }
@@ -208,12 +208,13 @@ void
 xps_parse_color(xps_document *doc, char *base_uri, char *string,
 fz_colorspace **csp, float *samples)
 {
+fz_context *ctx = doc->ctx;
 char *p;
 int i, n;
 char buf[1024];
 char *profile;
-*csp = fz_device_rgb(doc->ctx);
+*csp = fz_device_rgb(ctx);
 samples[0] = 1;
 samples[1] = 0;
@@ -259,7 +260,7 @@ xps_parse_color(xps_document *doc, char *base_uri, char *string,
 profile = strchr(buf, ' ');
 if (!profile)
 {
-fz_warn(doc->ctx, "cannot find icc profile uri in '%s'", string);
+fz_warn(ctx, "cannot find icc profile uri in '%s'", string);
 return;
 }
@@ -267,12 +268,17 @@ xps_parse_color(xps_document *doc, char *base_uri, char *string,
 p = strchr(profile, ' ');
 if (!p)
 {
-fz_warn(doc->ctx, "cannot find component values in '%s'", profile);
+fz_warn(ctx, "cannot find component values in '%s'", profile);
 return;
 }
 *p++ = 0;
 n = count_commas(p) + 1;
+if (n > FZ_MAX_COLORS)
+{
+fz_warn(ctx, "ignoring %d color components (max %d allowed)", n - FZ_MAX_COLORS, FZ_MAX_COLORS);
+n = FZ_MAX_COLORS;
+}
 i = 0;
 while (i < n)
 {
@@ -292,10 +298,10 @@ xps_parse_color(xps_document *doc, char *base_uri, char *string,
 /* TODO: load ICC profile */
 switch (n)
 {
-case 2: *csp = fz_device_gray(doc->ctx); break;
-case 4: *csp = fz_device_rgb(doc->ctx); break;
-case 5: *csp = fz_device_cmyk(doc->ctx); break;
-default: *csp = fz_device_gray(doc->ctx); break;
+case 2: *csp = fz_device_gray(ctx); break;
+case 4: *csp = fz_device_rgb(ctx); break;
+case 5: *csp = fz_device_cmyk(ctx); break;
+default: *csp = fz_device_gray(ctx); break;
 }
 }
 }
diff --git a/source/xps/xps-glyphs.c b/source/xps/xps-glyphs.c
index b26e18d..e621257 100644
--- a/source/xps/xps-glyphs.c
+++ b/source/xps/xps-glyphs.c
@@ -590,7 +590,7 @@ xps_parse_glyphs(xps_document *doc, const fz_matrix *ctm,
 if (fill_att)
 {
-float samples[32];
+float samples[FZ_MAX_COLORS];
 fz_colorspace *colorspace;
 xps_parse_color(doc, base_uri, fill_att, &colorspace, samples);
diff --git a/source/xps/xps-gradient.c b/source/xps/xps-gradient.c
index 7d03f89..76188e9 100644
--- a/source/xps/xps-gradient.c
+++ b/source/xps/xps-gradient.c
@@ -39,7 +39,7 @@ xps_parse_gradient_stops(xps_document *doc, char *base_uri, fz_xml *node,
 struct stop *stops, int maxcount)
 {
 fz_colorspace *colorspace;
-float sample[8];
+float sample[FZ_MAX_COLORS];
 float rgb[3];
 int before, after;
 int count;
diff --git a/source/xps/xps-path.c b/source/xps/xps-path.c
index b97ee17..ea84a81 100644
--- a/source/xps/xps-path.c
+++ b/source/xps/xps-path.c
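Review bot: The clamp added after `n = count_commas(p) + 1;` only protects callers whose `samples` buffer really holds FZ_MAX_COLORS floats, and that size requirement is not recorded anywhere on xps_parse_color itself, so a future caller that again declares a smaller array (the old `sample[8]` in xps-gradient.c shows this has happened) would silently reintroduce the overflow. I would document the contract on the definition and on the header declaration with `/* samples: caller-provided array of at least FZ_MAX_COLORS floats */`, and longer term pass the capacity as an explicit parameter instead of relying on a shared constant. The loop that fills samples and the count_commas helper lie outside this hunk, so whether the loop writes exactly n entries cannot be confirmed here; xps_parse_color's body continues beyond the hunk. Note also that once n has been clamped the `switch (n)` in the following hunk can only reach the default branch, which is presumably the intended degradation for malformed input.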
@@ -826,7 +826,7 @@ xps_parse_path(xps_document *doc, const fz_matrix *ctm, char *base_uri, xps_reso
 fz_stroke_state *stroke = NULL;
 fz_matrix transform;
-float samples[32];
+float samples[FZ_MAX_COLORS];
 fz_colorspace *colorspace;
 fz_path *path = NULL;
 fz_path *stroke_path = NULL;
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org