From: "Sam James"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sam James"
Message-ID: <1602631299.197b4aee35918341c66b38a761b111d978b00fa6.sam@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: app-text/mupdf/files/, app-text/mupdf/
X-VCS-Repository: repo/gentoo
X-VCS-Files: app-text/mupdf/files/mupdf-1.18.0-fix-oob-in-pdf-layer.c app-text/mupdf/files/mupdf-1.18.0-fix-oob-in-pixmap.c app-text/mupdf/mupdf-1.18.0.ebuild
X-VCS-Directories: app-text/mupdf/ app-text/mupdf/files/
X-VCS-Committer: sam
X-VCS-Committer-Name: Sam James
X-VCS-Revision: 197b4aee35918341c66b38a761b111d978b00fa6
X-VCS-Branch: master
Date: Tue, 13 Oct 2020 23:21:44 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 71369f56-7b02-4bd3-be90-8a589d05502c
X-Archives-Hash: 1b176f58b075271ab3643bd102e7be4f

commit:     197b4aee35918341c66b38a761b111d978b00fa6
Author:     Sam James gentoo org>
AuthorDate: Tue Oct 13 23:21:32 2020 +0000
Commit:     Sam James gentoo org>
CommitDate: Tue Oct 13 23:21:39 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=197b4aee

app-text/mupdf: add additional security patches

* Harden populate_ui against unexpected repairs [0]
* Fix overflow in fz_clear_pixmap_with_value [1]

Both patches were committed post-1.18.0 upstream.

[0] https://github.com/ArtifexSoftware/mupdf/commit/b82e9b6d6b46877e5c376.patch
[1] https://github.com/ArtifexSoftware/mupdf/commit/32e4e8b4bcbacbf92af7c.patch

Bug: https://bugs.gentoo.org/747151
Package-Manager: Portage-3.0.8, Repoman-3.0.1
Signed-off-by: Sam James gentoo.org> .../files/mupdf-1.18.0-fix-oob-in-pdf-layer.c | 102 +++++++++++++++++++++ .../mupdf/files/mupdf-1.18.0-fix-oob-in-pixmap.c | 41 +++++++++ app-text/mupdf/mupdf-1.18.0.ebuild | 3 + 3 files changed, 146 insertions(+) diff --git a/app-text/mupdf/files/mupdf-1.18.0-fix-oob-in-pdf-layer.c b/app-text/mupdf/files/mupdf-1.18.0-fix-oob-in-pdf-layer.c new file mode 100644 index 00000000000..dc4000b4cde --- /dev/null +++ b/app-text/mupdf/files/mupdf-1.18.0-fix-oob-in-pdf-layer.c 
@@ -0,0 +1,102 @@ +From b82e9b6d6b46877e5c3763cc3bc641c66fa7eb54 Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Thu, 8 Oct 2020 16:15:40 +0100 +Subject: [PATCH] Bug 701297: Harden populate_ui against unexpected repairs. + +We count the number of layers, and allocate space for them in +an array. We then walk the tree reading details of those layers +in. If we hit a problem that causes a repair while reading the +information, the number of layers can magically increase. In +the existing code we run off the end of the array. + +In the new code we watch for hitting the end of the array and +realloc as required. +--- + source/pdf/pdf-layer.c | 32 +++++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c +index 177f0c947..b8e9d7cad 100644 +--- a/source/pdf/pdf-layer.c ++++ b/source/pdf/pdf-layer.c +@@ -104,10 +104,27 @@ count_entries(fz_context *ctx, pdf_obj *obj) + } + + static pdf_ocg_ui * +-populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *order, int depth, pdf_obj *rbgroups, pdf_obj *locked) ++get_ocg_ui(fz_context *ctx, pdf_ocg_descriptor *desc, int fill) ++{ ++ if (fill == desc->num_ui_entries) ++ { ++ /* Number of layers changed while parsing; ++ * probably due to a repair. 
*/ ++ int newsize = desc->num_ui_entries * 2; ++ if (newsize == 0) ++ newsize = 4; /* Arbitrary non-zero */ ++ desc->ui = fz_realloc_array(ctx, desc->ui, newsize, pdf_ocg_ui); ++ desc->num_ui_entries = newsize; ++ } ++ return &desc->ui[fill]; ++} ++ ++static int ++populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, int fill, pdf_obj *order, int depth, pdf_obj *rbgroups, pdf_obj *locked) + { + int len = pdf_array_len(ctx, order); + int i, j; ++ pdf_ocg_ui *ui; + + for (i = 0; i < len; i++) + { +@@ -118,7 +135,7 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj * + continue; + + fz_try(ctx) +- ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked); ++ fill = populate_ui(ctx, desc, fill, o, depth+1, rbgroups, locked); + fz_always(ctx) + pdf_unmark_obj(ctx, o); + fz_catch(ctx) +@@ -126,14 +143,14 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj * + + continue; + } +- ui->depth = depth; + if (pdf_is_string(ctx, o)) + { ++ ui = get_ocg_ui(ctx, desc, fill++); ++ ui->depth = depth; + ui->ocg = -1; + ui->name = pdf_to_str_buf(ctx, o); + ui->button_flags = PDF_LAYER_UI_LABEL; + ui->locked = 1; +- ui++; + continue; + } + +@@ -144,13 +161,14 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj * + } + if (j == desc->len) + continue; /* OCG not found in main list! Just ignore it */ ++ ui = get_ocg_ui(ctx, desc, fill++); ++ ui->depth = depth; + ui->ocg = j; + ui->name = pdf_dict_get_string(ctx, o, PDF_NAME(Name), NULL); + ui->button_flags = pdf_array_contains(ctx, o, rbgroups) ? 
PDF_LAYER_UI_RADIOBOX : PDF_LAYER_UI_CHECKBOX; + ui->locked = pdf_array_contains(ctx, o, locked); +- ui++; + } +- return ui; ++ return fill; + } + + static void +@@ -188,7 +206,7 @@ load_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_obj *ocprops, pdf_obj *oc + desc->ui = Memento_label(fz_calloc(ctx, count, sizeof(pdf_ocg_ui)), "pdf_ocg_ui"); + fz_try(ctx) + { +- (void)populate_ui(ctx, desc, desc->ui, order, 0, rbgroups, locked); ++ desc->num_ui_entries = populate_ui(ctx, desc, 0, order, 0, rbgroups, locked); + } + fz_catch(ctx) + { diff --git a/app-text/mupdf/files/mupdf-1.18.0-fix-oob-in-pixmap.c b/app-text/mupdf/files/mupdf-1.18.0-fix-oob-in-pixmap.c new file mode 100644 index 00000000000..d19f0593a11 --- /dev/null +++ b/app-text/mupdf/files/mupdf-1.18.0-fix-oob-in-pixmap.c @@ -0,0 +1,41 @@ +From 32e4e8b4bcbacbf92af7c88337efae21986d9603 Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Thu, 8 Oct 2020 18:10:28 +0100 +Subject: [PATCH] Bug 702958: Fix overflow in fz_clear_pixmap_with_value. + +--- + source/fitz/pixmap.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c +index 66873d214..80d8bb62f 100644 +--- a/source/fitz/pixmap.c ++++ b/source/fitz/pixmap.c +@@ -555,7 +555,8 @@ void + fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap *pix, int value) + { + unsigned char *s; +- int w, h, n, stride, len; ++ int w, h, n; ++ ptrdiff_t stride, len; + int alpha = pix->alpha; + + w = pix->w; +@@ -572,7 +573,7 @@ fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap *pix, int value) + + n = pix->n; + stride = pix->stride; +- len = w * n; ++ len = (ptrdiff_t)w * n; + + s = pix->samples; + if (value == 255 || !alpha) +@@ -584,7 +585,7 @@ fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap *pix, int value) + } + while (h--) + { +- memset(s, value, (unsigned int)len); ++ memset(s, value, len); + s += stride; + } + } 
diff --git a/app-text/mupdf/mupdf-1.18.0.ebuild b/app-text/mupdf/mupdf-1.18.0.ebuild index 05c1261e442..c7cab5a41c8 100644 --- a/app-text/mupdf/mupdf-1.18.0.ebuild +++ b/app-text/mupdf/mupdf-1.18.0.ebuild @@ -49,6 +49,9 @@ PATCHES=( "${FILESDIR}"/${PN}-1.15-openssl-x11.patch # General cross fixes from Debian (refreshed) "${FILESDIR}"/${PN}-1.18.0-cross-fixes.patch + # Additional security patches post-1.18.0 + "${FILESDIR}"/${P}-fix-oob-in-pdf-layer.c + "${FILESDIR}"/${P}-fix-oob-in-pixmap.c ) src_prepare() {
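
Review bot: in source/pdf/pdf-layer.c, the new get_ocg_ui() grows the array only when "fill == desc->num_ui_entries", so the bounds check is correct only if num_ui_entries already holds the allocated capacity when populate_ui() is first called, and the visible context in load_ui() shows the fz_calloc of "count" entries but not that assignment. A ">=" comparison and a one-line comment stating that num_ui_entries is the capacity while populate_ui() runs would make the guard robust against a caller that forgets to set it. The initial array is also allocated with fz_calloc while the grown one comes from fz_realloc_array; if the reallocated tail is not zeroed, any pdf_ocg_ui field not assigned in the two branches of populate_ui() would be uninitialised for entries past the original count.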
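
Review bot: in the load_ui() hunk of source/pdf/pdf-layer.c, "desc->num_ui_entries = populate_ui(ctx, desc, 0, order, 0, rbgroups, locked);" overwrites the capacity with the number of entries actually filled, so the same field means two different things before and after the call, and nothing in the hunk documents that. Because the assignment sits inside fz_try, a throw from populate_ui() leaves num_ui_entries at the (possibly doubled) capacity while only part of the array has been written; the fz_catch body is outside the visible context, so it is worth confirming that it frees desc->ui and resets the count rather than leaving partially populated entries reachable.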
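
Review bot: in fz_clear_pixmap_with_value() in source/fitz/pixmap.c, "memset(s, value, len);" now passes a signed ptrdiff_t that is implicitly converted to size_t, so a negative w or n would turn into a very large length instead of being rejected. Widening the multiplication with "(ptrdiff_t)w * n" addresses the int overflow, but declaring len as size_t, or checking that w and n are non-negative before the loop, would make the intent explicit. The upstream commit message has an empty body; a sentence naming the overflowing expression (the int product w * n) would help anyone backporting or auditing this fix.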
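
Review bot: in app-text/mupdf/mupdf-1.18.0.ebuild, the two new PATCHES entries point at files ending in ".c" ("${P}-fix-oob-in-pdf-layer.c", "${P}-fix-oob-in-pixmap.c") although their contents are git-format patches, while the neighbouring entries use the ".patch" suffix; renaming them to ".patch" keeps files/ consistent and avoids tools treating them as C sources. The security patches are also added to the existing 1.18.0 ebuild in place, with no new revision in the diffstat, so systems that already built mupdf-1.18.0 will not be prompted to rebuild; if that version is already available to users, a revision bump would be the way to get the fixes deployed.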