* [Buildroot] [git commit] package/mupdf: fix CVE-2021-3407
@ 2021-07-24 20:14 Yann E. MORIN
From: Yann E. MORIN @ 2021-07-24 20:14 UTC (permalink / raw)
  To: buildroot

commit: https://git.buildroot.net/buildroot/commit/?id=d7d23710facd789c8986de055e30792af2591f2c
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

A flaw was found in mupdf 1.18.0. Double free of object during
linearization may lead to memory corruption and other potential
consequences.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 ...ouble-free-of-object-during-linearization.patch | 52 ++++++++++++++++++++++
 package/mupdf/mupdf.mk                             |  3 ++
 2 files changed, 55 insertions(+)

diff --git a/package/mupdf/0001-Bug-703366-Fix-double-free-of-object-during-linearization.patch b/package/mupdf/0001-Bug-703366-Fix-double-free-of-object-during-linearization.patch
new file mode 100644
index 0000000000..a4746961a6
--- /dev/null
+++ b/package/mupdf/0001-Bug-703366-Fix-double-free-of-object-during-linearization.patch
@@ -0,0 +1,52 @@
+From cee7cefc610d42fd383b3c80c12cbc675443176a Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Fri, 22 Jan 2021 17:05:15 +0000
+Subject: [PATCH] Bug 703366: Fix double free of object during linearization.
+
+This appears to happen because we parse an illegal object from
+a broken file and assign it to object 0, which is defined to
+be free.
+
+Here, we fix the parsing code so this can't happen.
+
+[Retrieved from:
+http://git.ghostscript.com/?p=mupdf.git;h=cee7cefc610d42fd383b3c80c12cbc675443176a]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ source/pdf/pdf-parse.c | 6 ++++++
+ source/pdf/pdf-xref.c  | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
+index 7abc8c3d4..5761c3351 100644
+--- a/source/pdf/pdf-parse.c
++++ b/source/pdf/pdf-parse.c
+@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
+ 		fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num);
+ 	}
+ 	gen = buf->i;
++	if (gen < 0 || gen >= 65536)
++	{
++		if (try_repair)
++			*try_repair = 1;
++		fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen);
++	}
+ 
+ 	tok = pdf_lex(ctx, file, buf);
+ 	if (tok != PDF_TOK_OBJ)
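Review bot: the new bounds check in pdf_parse_ind_obj rejects generation numbers outside 0..65535 with a bare magic number; a named constant or a one-line comment stating that PDF generation numbers are 16-bit fields in the cross-reference table would make the intent clear. The new message `"invalid generation number (%d)"` also drops the object number that the adjacent `"expected generation number (%d ? obj)"` message includes; printing `num` alongside `gen` keeps the diagnostics consistent and shows which object in a broken file triggered repair.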
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 1b2bdcd59..30197b4b8 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ 	{
+ 		ofs = fz_tell(ctx, doc->file);
+ 		trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL);
++		if (num == 0)
++			fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n");
+ 	}
+ 	fz_catch(ctx)
+ 	{
+-- 
+2.17.1
+
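Review bot: the trailer check in pdf_read_new_xref throws after `trailer` has already been assigned by pdf_parse_ind_obj, so the fz_catch block that follows (not shown in the hunk) must drop that object or it leaks on this path; worth confirming. Two style points: the message `"Trailer object number cannot be 0\n"` carries a trailing newline that the other fz_throw messages in this patch do not, and it uses FZ_ERROR_GENERIC where the companion check in pdf-parse.c uses FZ_ERROR_SYNTAX for what is equally a malformed-file condition.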
diff --git a/package/mupdf/mupdf.mk b/package/mupdf/mupdf.mk
index b481fb1eae..294cd8a61b 100644
--- a/package/mupdf/mupdf.mk
+++ b/package/mupdf/mupdf.mk
@@ -22,6 +22,9 @@ MUPDF_DEPENDENCIES = \
 	xlib_libX11 \
 	zlib
 
+# 0001-Bug-703366-Fix-double-free-of-object-during-linearization.patch
+MUPDF_IGNORE_CVES += CVE-2021-3407
+
 # The pkg-config name for gumbo-parser is `gumbo`.
 MUPDF_PKG_CONFIG_PACKAGES = \
 	freetype2 \
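Review bot: the MUPDF_IGNORE_CVES entry is justified by the backported patch, but the comment above it names only the patch file; adding the upstream reference (Bug 703366, commit cee7cefc) and a reminder to drop the entry once the package is bumped to a release that contains the fix would keep the ignore list from outliving its reason.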