j...@wxcvbn.org (Jeremie Courreges-Anglas) writes: > As noticed by stsp@, other projects have published fixes for mupdf CVEs. > Here's a backport of those fixes for -current.
Committed. Here's a similar diff that should apply to both 5.9 and 6.0. Build reports / oks welcome. Index: Makefile =================================================================== RCS file: /cvs/ports/textproc/mupdf/Makefile,v retrieving revision 1.62 diff -u -p -r1.62 Makefile --- Makefile 28 Jan 2016 01:42:20 -0000 1.62 +++ Makefile 27 Aug 2016 21:14:58 -0000 @@ -8,7 +8,7 @@ COMMENT = graphic library, pdf parser, v V = 1.8 DISTNAME = mupdf-$V-source PKGNAME = mupdf-$V -REVISION = 2 +REVISION = 3 CATEGORIES = textproc x11 Index: patches/patch-source_pdf_pdf-shade_c =================================================================== RCS file: patches/patch-source_pdf_pdf-shade_c diff -N patches/patch-source_pdf_pdf-shade_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-source_pdf_pdf-shade_c 27 Aug 2016 21:14:58 -0000 @@ -0,0 +1,17 @@ +$OpenBSD: patch-source_pdf_pdf-shade_c,v 1.1 2016/08/27 20:58:48 jca Exp $ + + CVE-2016-6525 + + http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e;hp=fa1936405b6a84e5c9bb440912c23d532772f958 + +--- source/pdf/pdf-shade.c.orig Sat Aug 27 13:03:30 2016 ++++ source/pdf/pdf-shade.c Sat Aug 27 13:04:17 2016 +@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *do + obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode); + if (pdf_array_len(ctx, obj) >= 6) + { +- n = (pdf_array_len(ctx, obj) - 4) / 2; ++ n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2); + shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0)); + shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1)); + shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2)); Index: patches/patch-source_pdf_pdf-xref_c =================================================================== RCS file: patches/patch-source_pdf_pdf-xref_c diff -N patches/patch-source_pdf_pdf-xref_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-source_pdf_pdf-xref_c 27 Aug 2016 21:14:58 -0000 @@ -0,0 +1,25 @@ +$OpenBSD: patch-source_pdf_pdf-xref_c,v 1.1 2016/08/27 20:58:48 jca Exp $ + + CVE-2016-6265 + + http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=fa1936405b6a84e5c9bb440912c23d532772f958 + +--- source/pdf/pdf-xref.c.orig Sat Aug 27 13:05:41 2016 ++++ source/pdf/pdf-xref.c Sat Aug 27 13:06:53 2016 +@@ -1199,8 +1199,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_ + fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i); + } + if (entry->type == 'o') +- if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n') +- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i); ++ { ++ /* Read this into a local variable here, because pdf_get_xref_entry ++ * may solidify the xref, hence invalidating "entry", meaning we ++ * need a stashed value for the throw. */ ++ fz_off_t ofs = entry->ofs; ++ if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n') ++ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i); ++ } + } + } + -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
