[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#855356: unblock: mupdf/1.9a+ds1-3

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mupdf

Security fixes

   * CVE-2017-5896: use-after-free in fz_subsample_pixmap()  (Closes: #854734)
   * CVE-2017-5991: NULL pointer dereference in pdf_run_xobject()

unblock mupdf/1.9a+ds1-3

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru mupdf-1.9a+ds1/debian/changelog mupdf-1.9a+ds1/debian/changelog
--- mupdf-1.9a+ds1/debian/changelog	2016-11-15 00:07:55.000000000 +0800
+++ mupdf-1.9a+ds1/debian/changelog	2017-02-16 23:43:55.000000000 +0800
@@ -1,3 +1,10 @@
+mupdf (1.9a+ds1-3) unstable; urgency=high
+
+  * CVE-2017-5896: use-after-free in fz_subsample_pixmap()  (Closes: #854734)
+  * CVE-2017-5991: NULL pointer dereference in pdf_run_xobject()
+
+ -- Kan-Ru Chen (陳侃如) <koster@debian.org>  Thu, 16 Feb 2017 23:43:55 +0800
+
 mupdf (1.9a+ds1-2) unstable; urgency=medium
 
   * Acknowledge NMU.
diff -Nru mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch
--- mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch	2016-11-14 23:56:43.000000000 +0800
+++ mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch	2017-02-16 23:43:55.000000000 +0800
@@ -1,10 +1,6 @@
-From: Kan-Ru Chen <koster@debian.org>
-Date: Mon, 14 Nov 2016 23:55:28 +0800
-Subject: CVE-2016-8674
-
 From: Robin Watts <robin.watts@artifex.com>
 Date: Thu, 22 Sep 2016 13:44:45 +0100
-Subject: [PATCH] Bug 697015: Avoid object references vanishing during repair.
+Subject: Bug 697015: Avoid object references vanishing during repair.
 
 A PDF repair can be triggered 'just in time', when we encounter
 a problem in the file. The idea is that this can happen without
diff -Nru mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch
--- mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch	1970-01-01 08:00:00.000000000 +0800
+++ mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch	2017-02-16 23:43:55.000000000 +0800
@@ -0,0 +1,47 @@
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 9 Feb 2017 07:12:16 -0800
+Subject: bug 697515: Fix out of bounds read in fz_subsample_pixmap
+
+Pointer arithmetic for final special case was going wrong.
+---
+ source/fitz/pixmap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index 6897fe3..66eb2b2 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -1420,6 +1420,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ 	"@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
+ 	"ldr	r4, [r13,#4*22]		@ r4 = divXY			\n"
+ 	"ldr	r5, [r13,#4*11]		@ for (nn = n; nn > 0; n--) {	\n"
++	"ldr	r8, [r13,#4*17]		@ r8 = back4			\n"
+ 	"18:				@				\n"
+ 	"mov	r14,#0			@ r14= v = 0			\n"
+ 	"sub	r5, r5, r1, LSL #8	@ for (xx = x; xx > 0; x--) {	\n"
+@@ -1436,7 +1437,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ 	"mul	r14,r4, r14		@ r14= v *= divX		\n"
+ 	"mov	r14,r14,LSR #16		@ r14= v >>= 16			\n"
+ 	"strb	r14,[r9], #1		@ *d++ = r14			\n"
+-	"sub	r0, r0, r8		@ s -= back2			\n"
++	"sub	r0, r0, r8		@ s -= back4			\n"
+ 	"subs	r5, r5, #1		@ n--				\n"
+ 	"bgt	18b			@ }				\n"
+ 	"21:				@				\n"
+@@ -1562,6 +1563,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ 		x += f;
+ 		if (x > 0)
+ 		{
++			int back4 = x * n - 1;
+ 			div = x * y;
+ 			for (nn = n; nn > 0; nn--)
+ 			{
+@@ -1576,7 +1578,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ 					s -= back5;
+ 				}
+ 				*d++ = v / div;
+-				s -= back2;
++				s -= back4;
+ 			}
+ 		}
+ 	}
diff -Nru mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch
--- mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch	1970-01-01 08:00:00.000000000 +0800
+++ mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch	2017-02-16 23:43:55.000000000 +0800
@@ -0,0 +1,84 @@
+From: Robin Watts <robin.watts@artifex.com>
+Date: Thu, 16 Feb 2017 23:28:37 +0800
+Subject: Bug 697500: Fix NULL ptr access.
+
+Cope better with errors during rendering - avoid letting the
+gstate stack get out of sync.
+
+This avoids us ever getting into the situation of popping
+a clip when we should be popping a mask or a group. This was
+causing an unexpected case in the painting.
+---
+ source/pdf/pdf-op-run.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
+index 593afe2..9c0d0c8 100644
+--- a/source/pdf/pdf-op-run.c
++++ b/source/pdf/pdf-op-run.c
+@@ -1201,6 +1201,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 	pdf_run_processor *pr = (pdf_run_processor *)proc;
+ 	pdf_gstate *gstate = NULL;
+ 	int oldtop = 0;
++	int oldbot = -1;
+ 	fz_matrix local_transform = *transform;
+ 	softmask_save softmask = { NULL };
+ 	int gparent_save;
+@@ -1216,6 +1217,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 	fz_var(cleanup_state);
+ 	fz_var(gstate);
+ 	fz_var(oldtop);
++	fz_var(oldbot);
+ 
+ 	gparent_save = pr->gparent;
+ 	pr->gparent = pr->gtop;
+@@ -1225,7 +1227,6 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 		pdf_gsave(ctx, pr);
+ 
+ 		gstate = pr->gstate + pr->gtop;
+-		oldtop = pr->gtop;
+ 
+ 		/* apply xobject's transform matrix */
+ 		fz_concat(&local_transform, &xobj->matrix, &local_transform);
+@@ -1276,12 +1277,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 		if (!resources)
+ 			resources = page_resources;
+ 
++		oldbot = pr->gbot;
++		pr->gbot = pr->gtop;
++
+ 		pdf_process_contents(ctx, (pdf_processor*)pr, xobj->document, resources, xobj->contents, NULL);
+ 	}
+ 	fz_always(ctx)
+ 	{
++		/* Undo any gstate mismatches due to the pdf_process_contents call */
++		if (oldbot != -1)
++		{
++			while (pr->gtop > pr->gbot)
++			{
++				pdf_grestore(ctx, pr);
++			}
++			pr->gbot = oldbot;
++		}
++
+ 		if (cleanup_state >= 3)
+-			pdf_grestore(ctx, pr); /* Remove the clippath */
++			pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */
+ 
+ 		/* wrap up transparency stacks */
+ 		if (xobj->transparency)
+@@ -1315,13 +1329,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 		pr->gstate[pr->gparent].ctm = gparent_save_ctm;
+ 		pr->gparent = gparent_save;
+ 
+-		if (gstate)
+-		{
+-			while (oldtop < pr->gtop)
+-				pdf_grestore(ctx, pr);
+-
++		while (oldtop < pr->gtop)
+ 			pdf_grestore(ctx, pr);
+-		}
+ 
+ 		pdf_unmark_obj(ctx, xobj->me);
+ 	}
diff -Nru mupdf-1.9a+ds1/debian/patches/series mupdf-1.9a+ds1/debian/patches/series
--- mupdf-1.9a+ds1/debian/patches/series	2016-11-14 23:56:43.000000000 +0800
+++ mupdf-1.9a+ds1/debian/patches/series	2017-02-16 23:43:55.000000000 +0800
@@ -6,3 +6,5 @@
 0006-CVE-2016-6265.patch
 0007-CVE-2016-6525.patch
 0008-CVE-2016-8674.patch
+0009-CVE-2017-5896.patch
+0010-CVE-2017-5991.patch

Attachment: mupdf_1.9a+ds1-3.debdiff.sig
Description: Binary data

Reply to: