From d7d23710facd789c8986de055e30792af2591f2c Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Thu, 22 Jul 2021 07:31:17 +0200 Subject: [PATCH] package/mupdf: fix CVE-2021-3407 A flaw was found in mupdf 1.18.0. Double free of object during linearization may lead to memory corruption and other potential consequences. Signed-off-by: Fabrice Fontaine Signed-off-by: Yann E. MORIN --- ...-free-of-object-during-linearization.patch | 52 +++++++++++++++++++ package/mupdf/mupdf.mk | 3 ++ 2 files changed, 55 insertions(+) create mode 100644 package/mupdf/0001-Bug-703366-Fix-double-free-of-object-during-linearization.patch diff --git a/package/mupdf/0001-Bug-703366-Fix-double-free-of-object-during-linearization.patch b/package/mupdf/0001-Bug-703366-Fix-double-free-of-object-during-linearization.patch new file mode 100644 index 0000000000..a4746961a6 --- /dev/null +++ b/package/mupdf/0001-Bug-703366-Fix-double-free-of-object-during-linearization.patch @@ -0,0 +1,52 @@ +From cee7cefc610d42fd383b3c80c12cbc675443176a Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Fri, 22 Jan 2021 17:05:15 +0000 +Subject: [PATCH] Bug 703366: Fix double free of object during linearization. + +This appears to happen because we parse an illegal object from +a broken file and assign it to object 0, which is defined to +be free. + +Here, we fix the parsing code so this can't happen. + +[Retrieved from: +http://git.ghostscript.com/?p=mupdf.git;h=cee7cefc610d42fd383b3c80c12cbc675443176a] +Signed-off-by: Fabrice Fontaine +--- + source/pdf/pdf-parse.c | 6 ++++++ + source/pdf/pdf-xref.c | 2 ++ + 2 files changed, 8 insertions(+) + +diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c +index 7abc8c3d4..5761c3351 100644 +--- a/source/pdf/pdf-parse.c ++++ b/source/pdf/pdf-parse.c +@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc, + fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num); + } + gen = buf->i; ++ if (gen < 0 || gen >= 65536) ++ { ++ if (try_repair) ++ *try_repair = 1; ++ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen); ++ } + + tok = pdf_lex(ctx, file, buf); + if (tok != PDF_TOK_OBJ) +diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c +index 1b2bdcd59..30197b4b8 100644 +--- a/source/pdf/pdf-xref.c ++++ b/source/pdf/pdf-xref.c +@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) + { + ofs = fz_tell(ctx, doc->file); + trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL); ++ if (num == 0) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n"); + } + fz_catch(ctx) + { +-- +2.17.1 + diff --git a/package/mupdf/mupdf.mk b/package/mupdf/mupdf.mk index b481fb1eae..294cd8a61b 100644 --- a/package/mupdf/mupdf.mk +++ b/package/mupdf/mupdf.mk @@ -22,6 +22,9 @@ MUPDF_DEPENDENCIES = \ xlib_libX11 \ zlib +# 0001-Bug-703366-Fix-double-free-of-object-during-linearization.patch +MUPDF_IGNORE_CVES += CVE-2021-3407 + # The pkg-config name for gumbo-parser is `gumbo`. MUPDF_PKG_CONFIG_PACKAGES = \ freetype2 \ -- 2.30.2