Content-Transfer-Encoding: 7bit Content-Type: multipart/mixed; boundary="_----------=_1486805945211060" MIME-Version: 1.0 Date: Sat, 11 Feb 2017 09:39:05 +0000 
From: "Leonardo Taccari" Subject: CVS commit: pkgsrc/print/mupdf To: pkgsrc-changes@NetBSD.org Reply-To: leot@netbsd.org X-Mailer: log_accum Message-Id: <20170211093905.EFF27FBE3@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk This is a multi-part message in MIME format. --_----------=_1486805945211060 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: leot Date: Sat Feb 11 09:39:05 UTC 2017 Modified Files: pkgsrc/print/mupdf: Makefile distinfo Added Files: pkgsrc/print/mupdf/patches: patch-source_fitz_pixmap.c patch-source_tools_mudraw.c Log Message: Backport security fixes for upstream bugs 697514 and 697515 (CVE-2017-5896) to PKGREVISION++ To generate a diff of this commit: cvs rdiff -u -r1.45 -r1.46 pkgsrc/print/mupdf/Makefile cvs rdiff -u -r1.30 -r1.31 pkgsrc/print/mupdf/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/print/mupdf/patches/patch-source_fitz_pixmap.c \ pkgsrc/print/mupdf/patches/patch-source_tools_mudraw.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1486805945211060 Content-Disposition: inline Content-Length: 4349 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/print/mupdf/Makefile diff -u pkgsrc/print/mupdf/Makefile:1.45 pkgsrc/print/mupdf/Makefile:1.46 --- pkgsrc/print/mupdf/Makefile:1.45 Mon Feb 6 13:54:48 2017 +++ pkgsrc/print/mupdf/Makefile Sat Feb 11 09:39:05 2017 
@@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.45 2017/02/06 13:54:48 wiz Exp $ +# $NetBSD: Makefile,v 1.46 2017/02/11 09:39:05 leot Exp $ DISTNAME= mupdf-1.10a-source PKGNAME= ${DISTNAME:S/-source//} -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= print MASTER_SITES= http://mupdf.com/downloads/archive/ Index: pkgsrc/print/mupdf/distinfo diff -u pkgsrc/print/mupdf/distinfo:1.30 pkgsrc/print/mupdf/distinfo:1.31 --- pkgsrc/print/mupdf/distinfo:1.30 Mon Jan 30 14:06:05 2017 +++ pkgsrc/print/mupdf/distinfo Sat Feb 11 09:39:05 2017 @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.30 2017/01/30 14:06:05 leot Exp $ +$NetBSD: distinfo,v 1.31 2017/02/11 09:39:05 leot Exp $ SHA1 (mupdf-1.10a-source.tar.gz) = 1c3a6e1d4406912004b8e2c09435199e6b425191 RMD160 (mupdf-1.10a-source.tar.gz) = bfb482681c6804db8a0fd9ec46b16ac6f9fffdf2 @@ -9,6 +9,8 @@ SHA1 (patch-ab) = 7bee583086078359ce04ea SHA1 (patch-ac) = d75afe8b05b85d042dc1baeaf8a9988f2e60338a SHA1 (patch-ae) = c6b113818b32cb4470e8549c00a16e0b2f364ede SHA1 (patch-source_fitz_load-jpx.c) = fbe6814536d37835a4daa5bb90b1f6cf8698f807 +SHA1 (patch-source_fitz_pixmap.c) = d0b3e44780fd64381424e367e5233ce1013dc974 +SHA1 (patch-source_tools_mudraw.c) = 99b827e39767559a8d5b6b380f0bbb100f5125e7 SHA1 (patch-thirdparty_mujs_Makefile) = f1da7cdf2c9e2e4bbac3e80ef486204a39b27e34 SHA1 (patch-thirdparty_mujs_jsdate.c) = 020fcb9d1e77bd7ba10943070673d53bbcee573b SHA1 (patch-thirdparty_mujs_jsrun.c) = 79f730436b1f67780468c10096d3dbfb5e14d5a5 Added files: Index: pkgsrc/print/mupdf/patches/patch-source_fitz_pixmap.c diff -u /dev/null pkgsrc/print/mupdf/patches/patch-source_fitz_pixmap.c:1.1 --- /dev/null Sat Feb 11 09:39:05 2017 +++ pkgsrc/print/mupdf/patches/patch-source_fitz_pixmap.c Sat Feb 11 09:39:05 2017 
@@ -0,0 +1,44 @@ +$NetBSD: patch-source_fitz_pixmap.c,v 1.1 2017/02/11 09:39:05 leot Exp $ + +Backport a fix from upstream for CVE-2017-5896: + +bug 697515: Fix out of bounds read in fz_subsample_pixmap + +Pointer arithmetic for final special case was going wrong. + +--- source/fitz/pixmap.c.orig ++++ source/fitz/pixmap.c +@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor, + "@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n" + "ldr r4, [r13,#4*22] @ r4 = divXY \n" + "ldr r5, [r13,#4*11] @ for (nn = n; nn > 0; n--) { \n" ++ "ldr r8, [r13,#4*17] @ r8 = back4 \n" + "18: @ \n" + "mov r14,#0 @ r14= v = 0 \n" + "sub r5, r5, r1, LSL #8 @ for (xx = x; xx > 0; x--) { \n" +@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor, + "mul r14,r4, r14 @ r14= v *= divX \n" + "mov r14,r14,LSR #16 @ r14= v >>= 16 \n" + "strb r14,[r9], #1 @ *d++ = r14 \n" +- "sub r0, r0, r8 @ s -= back2 \n" ++ "sub r0, r0, r8 @ s -= back4 \n" + "subs r5, r5, #1 @ n-- \n" + "bgt 18b @ } \n" + "21: @ \n" +@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor) + x += f; + if (x > 0) + { ++ int back4 = x * n - 1; + div = x * y; + for (nn = n; nn > 0; nn--) + { +@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor) + s -= back5; + } + *d++ = v / div; +- s -= back2; ++ s -= back4; + } + } + } Index: pkgsrc/print/mupdf/patches/patch-source_tools_mudraw.c diff -u /dev/null pkgsrc/print/mupdf/patches/patch-source_tools_mudraw.c:1.1 --- /dev/null Sat Feb 11 09:39:05 2017 +++ pkgsrc/print/mupdf/patches/patch-source_tools_mudraw.c Sat Feb 11 09:39:05 2017 
@@ -0,0 +1,17 @@ +$NetBSD: patch-source_tools_mudraw.c,v 1.1 2017/02/11 09:39:05 leot Exp $ + +Backport a fix from upstream for bug 697514: + +Bug 697514: Write SVG output to stdout if no output specified. + +--- source/tools/mudraw.c.orig ++++ source/tools/mudraw.c +@@ -578,7 +578,7 @@ static void dodrawpage(fz_context *ctx, fz_page *page, fz_display_list *list, in + char buf[512]; + fz_output *out; + +- if (!strcmp(output, "-")) ++ if (!output || !strcmp(output, "-")) + out = fz_stdout(ctx); + else + { --_----------=_1486805945211060--
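Review bot: In the fz_subsample_pixmap_ARM hunks of patch-source_fitz_pixmap.c, the added "ldr r8, [r13,#4*17]" sits before label 18, so r8 is loaded once and then used by "sub r0, r0, r8" on every pass of the "bgt 18b" loop; the instructions between the two hunks are not shown, so please confirm nothing in that loop body writes r8. The offset itself agrees with the @STACK comment (back4 at slot 17, in line with n at 11 and divXY at 22). Because the second hunk changes only the comment on the sub from back2 to back4, the patch header should say that the instruction is unchanged and the actual fix is the reload of r8.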
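Review bot: The new "int back4 = x * n - 1;" in the C fz_subsample_pixmap hunk is declared inside the "if (x > 0)" block with no comment explaining where the "- 1" comes from, while the ARM variant reads a value of the same name from the stack instead of recomputing it. If a back4 is already in scope in this function, the new declaration shadows it. Either way, a one-line comment deriving the rewind distance for the partial last column, and a check that the value the ARM routine receives matches this expression, would make the two paths verifiably equivalent. The patch also adds no regression input for bug 697515.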
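Review bot: In patch-source_tools_mudraw.c the NULL check is added only to the single strcmp(output, "-") shown in dodrawpage, and the description scopes the fix to SVG output; any other use of output in mudraw.c that reaches strcmp or a formatting call would still dereference NULL when no output is specified. Consider normalising output once where options are parsed (treating NULL as "-") or auditing the remaining uses, so the stdout fallback does not depend on every call site repeating "!output ||".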