[Buildroot] [PATCH 1/1] package/mupdf: fix CVE-2021-3407

* [Buildroot] [PATCH 1/1] package/mupdf: fix CVE-2021-3407
@ 2021-07-22  5:31 Fabrice Fontaine
  2021-07-24 20:15 ` Yann E. MORIN
  0 siblings, 1 reply; 2+ messages in thread
From: Fabrice Fontaine @ 2021-07-22  5:31 UTC (permalink / raw)
  To: buildroot; +Cc: Raphaël Mélotte, Fabrice Fontaine

A flaw was found in mupdf 1.18.0. Double free of object during
linearization may lead to memory corruption and other potential
consequences.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...-free-of-object-during-linearization.patch | 52 +++++++++++++++++++
 package/mupdf/mupdf.mk                        |  3 ++
 2 files changed, 55 insertions(+)
 create mode 100644 package/mupdf/0001-Bug-703366-Fix-double-free-of-object-during-linearization.patch

diff --git a/package/mupdf/0001-Bug-703366-Fix-double-free-of-object-during-linearization.patch b/package/mupdf/0001-Bug-703366-Fix-double-free-of-object-during-linearization.patch
new file mode 100644
index 0000000000..a4746961a6
--- /dev/null
+++ b/package/mupdf/0001-Bug-703366-Fix-double-free-of-object-during-linearization.patch
@@ -0,0 +1,52 @@
+From cee7cefc610d42fd383b3c80c12cbc675443176a Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Fri, 22 Jan 2021 17:05:15 +0000
+Subject: [PATCH] Bug 703366: Fix double free of object during linearization.
+
+This appears to happen because we parse an illegal object from
+a broken file and assign it to object 0, which is defined to
+be free.
+
+Here, we fix the parsing code so this can't happen.
+
+[Retrieved from:
+http://git.ghostscript.com/?p=mupdf.git;h=cee7cefc610d42fd383b3c80c12cbc675443176a]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ source/pdf/pdf-parse.c | 6 ++++++
+ source/pdf/pdf-xref.c  | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
+index 7abc8c3d4..5761c3351 100644
+--- a/source/pdf/pdf-parse.c
++++ b/source/pdf/pdf-parse.c
+@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
+ 		fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num);
+ 	}
+ 	gen = buf->i;
++	if (gen < 0 || gen >= 65536)
++	{
++		if (try_repair)
++			*try_repair = 1;
++		fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen);
++	}
+ 
+ 	tok = pdf_lex(ctx, file, buf);
+ 	if (tok != PDF_TOK_OBJ)
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 1b2bdcd59..30197b4b8 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ 	{
+ 		ofs = fz_tell(ctx, doc->file);
+ 		trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL);
++		if (num == 0)
++			fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n");
+ 	}
+ 	fz_catch(ctx)
+ 	{
+-- 
+2.17.1
+
diff --git a/package/mupdf/mupdf.mk b/package/mupdf/mupdf.mk
index b481fb1eae..294cd8a61b 100644
--- a/package/mupdf/mupdf.mk
+++ b/package/mupdf/mupdf.mk
@@ -22,6 +22,9 @@ MUPDF_DEPENDENCIES = \
 	xlib_libX11 \
 	zlib
 
+# 0001-Bug-703366-Fix-double-free-of-object-during-linearization.patch
+MUPDF_IGNORE_CVES += CVE-2021-3407
+
 # The pkg-config name for gumbo-parser is `gumbo`.
 MUPDF_PKG_CONFIG_PACKAGES = \
 	freetype2 \
-- 
2.30.2

_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 2+ messages in thread