Commit f636832b authored by Kevin Daudt's avatar Kevin Daudt 💻

community/mupdf: use local patches

Patches downloaded from GitHub are not stable: the index hashes can change,
causing the checksums to mismatch.
parent 186624c8
......@@ -29,9 +29,9 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-x11:_x11
options="!check"
source="https://mupdf.com/downloads/archive/mupdf-$pkgver-source.tar.xz
shared-lib.patch
https://github.com/ArtifexSoftware/mupdf/commit/32e4e8b4bcbacbf92af7c.patch
https://github.com/ArtifexSoftware/mupdf/commit/b82e9b6d6b46877e5c376.patch
CVE-2021-3407.patch::https://github.com/ArtifexSoftware/mupdf/commit/cee7cefc610d42fd383b3c80c12cbc675443176a.patch
bug-fix-overflow.patch
harden-pupulate-ui-against-unexpecter-repairs.patch
CVE-2021-3407.patch
"
# FIXME: shared linking of /usr/lib/libmupdf.so.0
......@@ -111,8 +111,10 @@ _tools() {
"$subpkgdir"/usr/bin/
}
sha512sums="7551f18b9bac6e2dc1cf073741cbc975ce3a16dc7e37c9d5a58254c67bf2c07bb36185d6585e435d4126f3ae351f67d7432d19a986c9b47b15105ca43db0edb8 mupdf-1.18.0-source.tar.xz
sha512sums="
7551f18b9bac6e2dc1cf073741cbc975ce3a16dc7e37c9d5a58254c67bf2c07bb36185d6585e435d4126f3ae351f67d7432d19a986c9b47b15105ca43db0edb8 mupdf-1.18.0-source.tar.xz
a87c52da91b0fe14c952dc1f83f4492cf1d31d135fc66bc6fb5dcce622af8c740248e10392d7cdba7409373b81e24744aafd46dc1fe5fdfcc54c77555e27420c shared-lib.patch
1d836c1a3f37c21ed349da799d5cb0c57d3fc275a632a42343cda81aae76394273c06230fc9c22a6d5366498b51a057d5a11797376a4b2af96b937618ba31e11 32e4e8b4bcbacbf92af7c.patch
91620d0d429d2f4068e1834ec9466d9e9f9bfb363fba33247636e38651196580a89bd36785e42b31328070c42bd2210585ddabea8a0a970d72e7066e61804d6c b82e9b6d6b46877e5c376.patch
67f5af701b2ea6a91346feaf6d12a91201af8d346a2cbc112503ada09f414dc13673a6b6f57e9ca03d20191e14f1e3fe46f484e2079b37a76e0be4249396f563 CVE-2021-3407.patch"
811530c31c8af252b4fb4c9658d6378d004535bbf837e74c8538ff740bd3c8c293e050e05acb8745064cc82b7f514006323718933544623fd0abe245c5c27ff4 bug-fix-overflow.patch
c7870dec59c935f4d0a147a155583c8725ccccc72b1df8b26d0ba1a8c3062d000a386b6021b40d16ebd9936f396b1d2a1a5c4849642248a3fb32d4d8ca32268b harden-pupulate-ui-against-unexpecter-repairs.patch
4751a9ecb01063197c190a04efd51a0e62cd8bc59acda1dc75e04e35fd7640d825f6ebd51b92a2f458384a671eb9c5a56452f2185a820d26eae722996c187149 CVE-2021-3407.patch
"
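Review bot: The new local patch name `harden-pupulate-ui-against-unexpecter-repairs.patch`, listed in both `source=` and `sha512sums`, misspells the upstream subject ("populate", "unexpected"), which makes the fix harder to find when auditing which patches are applied; `harden-populate-ui-against-unexpected-repairs.patch` would match it. The generic local names also drop the upstream commit ids that the removed URLs carried. A comment above `source=` such as `# bug-fix-overflow.patch: upstream 32e4e8b4 (Bug 702958); harden-*.patch: upstream b82e9b6d (Bug 701297)` would keep that provenance visible in the APKBUILD. A rename has to touch the patch file and both lists together; the checksum itself stays the same because the content does not change.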
From cee7cefc610d42fd383b3c80c12cbc675443176a Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Fri, 22 Jan 2021 17:05:15 +0000
Subject: [PATCH] Bug 703366: Fix double free of object during linearization.
This appears to happen because we parse an illegal object from
a broken file and assign it to object 0, which is defined to
be free.
Here, we fix the parsing code so this can't happen.
---
source/pdf/pdf-parse.c | 6 ++++++
source/pdf/pdf-xref.c | 2 ++
2 files changed, 8 insertions(+)
diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
index 7abc8c3d41..5761c33517 100644
--- a/source/pdf/pdf-parse.c
+++ b/source/pdf/pdf-parse.c
@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num);
}
gen = buf->i;
+ if (gen < 0 || gen >= 65536)
+ {
+ if (try_repair)
+ *try_repair = 1;
+ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen);
+ }
tok = pdf_lex(ctx, file, buf);
if (tok != PDF_TOK_OBJ)
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 1b2bdcd59d..30197b4b85 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
{
ofs = fz_tell(ctx, doc->file);
trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL);
+ if (num == 0)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n");
}
fz_catch(ctx)
{
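Review bot: The `fz_throw` added in `pdf_read_new_xref` ends its message with `\n`, unlike the other `fz_throw` messages visible in this patch, so the error text carries a stray newline; `fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0");` would be consistent. The throw also fires after `trailer` has been assigned, so whether that object is released depends on the `fz_catch` body, which begins on the last line shown and continues outside the hunk; it is worth confirming that it drops `trailer`. In `pdf_parse_ind_obj` the bound `65536` deserves a short comment such as `/* generation numbers are limited to 0..65535 */` so the limit is not read as arbitrary.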
From 32e4e8b4bcbacbf92af7c88337efae21986d9603 Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Thu, 8 Oct 2020 18:10:28 +0100
Subject: [PATCH] Bug 702958: Fix overflow in fz_clear_pixmap_with_value.
---
source/fitz/pixmap.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
index 66873d2146..80d8bb62fa 100644
--- a/source/fitz/pixmap.c
+++ b/source/fitz/pixmap.c
@@ -555,7 +555,8 @@ void
fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap *pix, int value)
{
unsigned char *s;
- int w, h, n, stride, len;
+ int w, h, n;
+ ptrdiff_t stride, len;
int alpha = pix->alpha;
w = pix->w;
@@ -572,7 +573,7 @@ fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap *pix, int value)
n = pix->n;
stride = pix->stride;
- len = w * n;
+ len = (ptrdiff_t)w * n;
s = pix->samples;
if (value == 255 || !alpha)
@@ -584,7 +585,7 @@ fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap *pix, int value)
}
while (h--)
{
- memset(s, value, (unsigned int)len);
+ memset(s, value, len);
s += stride;
}
}
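Review bot: `memset(s, value, len)` now passes a signed `ptrdiff_t` where `memset` takes a `size_t`, so a negative `len` would convert to a very large byte count; the removed `(unsigned int)` cast had the same property, only capped at 32 bits. The patch therefore relies on `w` and `n` being non-negative at this point, which the lines between the hunks may guarantee but which are not shown here. Making the assumption explicit, for example `if (len <= 0) return;` before the fill loop and `memset(s, value, (size_t)len);` inside it, would document the contract and keep a corrupted pixmap from turning into an oversized write. The body of `fz_clear_pixmap_with_value` continues outside the hunks.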
From b82e9b6d6b46877e5c3763cc3bc641c66fa7eb54 Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Thu, 8 Oct 2020 16:15:40 +0100
Subject: [PATCH] Bug 701297: Harden populate_ui against unexpected repairs.
We count the number of layers, and allocate space for them in
an array. We then walk the tree reading details of those layers
in. If we hit a problem that causes a repair while reading the
information, the number of layers can magically increase. In
the existing code we run off the end of the array.
In the new code we watch for hitting the end of the array and
realloc as required.
---
source/pdf/pdf-layer.c | 32 +++++++++++++++++++++++++-------
1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c
index 177f0c9476..b8e9d7cad0 100644
--- a/source/pdf/pdf-layer.c
+++ b/source/pdf/pdf-layer.c
@@ -104,10 +104,27 @@ count_entries(fz_context *ctx, pdf_obj *obj)
}
static pdf_ocg_ui *
-populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *order, int depth, pdf_obj *rbgroups, pdf_obj *locked)
+get_ocg_ui(fz_context *ctx, pdf_ocg_descriptor *desc, int fill)
+{
+ if (fill == desc->num_ui_entries)
+ {
+ /* Number of layers changed while parsing;
+ * probably due to a repair. */
+ int newsize = desc->num_ui_entries * 2;
+ if (newsize == 0)
+ newsize = 4; /* Arbitrary non-zero */
+ desc->ui = fz_realloc_array(ctx, desc->ui, newsize, pdf_ocg_ui);
+ desc->num_ui_entries = newsize;
+ }
+ return &desc->ui[fill];
+}
+
+static int
+populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, int fill, pdf_obj *order, int depth, pdf_obj *rbgroups, pdf_obj *locked)
{
int len = pdf_array_len(ctx, order);
int i, j;
+ pdf_ocg_ui *ui;
for (i = 0; i < len; i++)
{
@@ -118,7 +135,7 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
continue;
fz_try(ctx)
- ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
+ fill = populate_ui(ctx, desc, fill, o, depth+1, rbgroups, locked);
fz_always(ctx)
pdf_unmark_obj(ctx, o);
fz_catch(ctx)
@@ -126,14 +143,14 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
continue;
}
- ui->depth = depth;
if (pdf_is_string(ctx, o))
{
+ ui = get_ocg_ui(ctx, desc, fill++);
+ ui->depth = depth;
ui->ocg = -1;
ui->name = pdf_to_str_buf(ctx, o);
ui->button_flags = PDF_LAYER_UI_LABEL;
ui->locked = 1;
- ui++;
continue;
}
@@ -144,13 +161,14 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
}
if (j == desc->len)
continue; /* OCG not found in main list! Just ignore it */
+ ui = get_ocg_ui(ctx, desc, fill++);
+ ui->depth = depth;
ui->ocg = j;
ui->name = pdf_dict_get_string(ctx, o, PDF_NAME(Name), NULL);
ui->button_flags = pdf_array_contains(ctx, o, rbgroups) ? PDF_LAYER_UI_RADIOBOX : PDF_LAYER_UI_CHECKBOX;
ui->locked = pdf_array_contains(ctx, o, locked);
- ui++;
}
- return ui;
+ return fill;
}
static void
@@ -188,7 +206,7 @@ load_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_obj *ocprops, pdf_obj *oc
desc->ui = Memento_label(fz_calloc(ctx, count, sizeof(pdf_ocg_ui)), "pdf_ocg_ui");
fz_try(ctx)
{
- (void)populate_ui(ctx, desc, desc->ui, order, 0, rbgroups, locked);
+ desc->num_ui_entries = populate_ui(ctx, desc, 0, order, 0, rbgroups, locked);
}
fz_catch(ctx)
{
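Review bot: `get_ocg_ui` grows the array with `fz_realloc_array`, which as far as I know does not zero the new tail the way the `fz_calloc` in `load_ui` does, and it sets `desc->num_ui_entries` to the doubled capacity until `load_ui` overwrites it with the fill count on success. If `populate_ui` throws after a growth, `num_ui_entries` covers entries that were never written, so the `fz_catch` body (which starts on the last line shown and continues outside the hunk) must not read them. Zeroing the tail right after the realloc, `memset(&desc->ui[fill], 0, (size_t)(newsize - fill) * sizeof(pdf_ocg_ui));`, would make that path safe regardless. The growth test `fill == desc->num_ui_entries` would also be sturdier as `fill >= desc->num_ui_entries`, since the repair case this patch handles is exactly one where the counts cannot be trusted.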