Date: Sat, 6 Jul 2019 11:27:48 +0000
From: "Leonardo Taccari" Subject: CVS commit: pkgsrc/print/mupdf To: pkgsrc-changes@NetBSD.org Reply-To: leot@netbsd.org X-Mailer: log_accum Message-Id: <20190706112748.A9E91FBF4@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk List-Unsubscribe: This is a multi-part message in MIME format. --_----------=_1562412468206310 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: leot Date: Sat Jul 6 11:27:48 UTC 2019 Modified Files: pkgsrc/print/mupdf: Makefile distinfo Added Files: pkgsrc/print/mupdf/patches: patch-source_fitz_list-device.c Log Message: mupdf: Backport patches to address CVE-2019-13290 Bump PKGREVISION To generate a diff of this commit: cvs rdiff -u -r1.68 -r1.69 pkgsrc/print/mupdf/Makefile cvs rdiff -u -r1.45 -r1.46 pkgsrc/print/mupdf/distinfo cvs rdiff -u -r0 -r1.1 \ pkgsrc/print/mupdf/patches/patch-source_fitz_list-device.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1562412468206310 Content-Disposition: inline Content-Length: 3829 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/print/mupdf/Makefile diff -u pkgsrc/print/mupdf/Makefile:1.68 pkgsrc/print/mupdf/Makefile:1.69 --- pkgsrc/print/mupdf/Makefile:1.68 Mon May 13 11:03:58 2019 +++ pkgsrc/print/mupdf/Makefile Sat Jul 6 11:27:48 2019 
@@ -1,7 +1,8 @@ -# $NetBSD: Makefile,v 1.68 2019/05/13 11:03:58 leot Exp $ +# $NetBSD: Makefile,v 1.69 2019/07/06 11:27:48 leot Exp $ DISTNAME= mupdf-1.15.0-source PKGNAME= ${DISTNAME:S/-source//} +PKGREVISION= 1 CATEGORIES= print MASTER_SITES= https://mupdf.com/downloads/archive/ Index: pkgsrc/print/mupdf/distinfo diff -u pkgsrc/print/mupdf/distinfo:1.45 pkgsrc/print/mupdf/distinfo:1.46 --- pkgsrc/print/mupdf/distinfo:1.45 Fri May 17 05:45:10 2019 +++ pkgsrc/print/mupdf/distinfo Sat Jul 6 11:27:48 2019 @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.45 2019/05/17 05:45:10 wiz Exp $ +$NetBSD: distinfo,v 1.46 2019/07/06 11:27:48 leot Exp $ SHA1 (mupdf-1.15.0-source.tar.gz) = 4354a1c7245d4351ba604a4deed4a4ecf3e27492 RMD160 (mupdf-1.15.0-source.tar.gz) = 892247f12a9e85d384c6cbc6c5a394d36e783158 @@ -10,5 +10,6 @@ SHA1 (patch-ac) = 94294d03a0ad31e2e4063f SHA1 (patch-ae) = c6b113818b32cb4470e8549c00a16e0b2f364ede SHA1 (patch-platform_gl_gl-app.h) = f8682b54821a560b2ba1082bcf215eeefb549644 SHA1 (patch-platform_gl_gl-main.c) = edff1aa77c4d6af59b2eca442340606a0bae9970 +SHA1 (patch-source_fitz_list-device.c) = ea8ca9df49c16a91546ab05e8f3e57b1308c2278 SHA1 (patch-source_fitz_load-jpx.c) = 161d21bca13bb57db37807aec844c85dc5b34157 SHA1 (patch-thirdparty_mujs_Makefile) = 833e44f4e23d2a6ff61e6276feede4892feeb9bb Added files: Index: pkgsrc/print/mupdf/patches/patch-source_fitz_list-device.c diff -u /dev/null pkgsrc/print/mupdf/patches/patch-source_fitz_list-device.c:1.1 --- /dev/null Sat Jul 6 11:27:48 2019 +++ pkgsrc/print/mupdf/patches/patch-source_fitz_list-device.c Sat Jul 6 11:27:48 2019 
@@ -0,0 +1,48 @@ +$NetBSD: patch-source_fitz_list-device.c,v 1.1 2019/07/06 11:27:48 leot Exp $ + +Backport commits ed19bc806809ad10c4ddce515d375581b86ede85 and +aaf794439e40a2ef544f15b50c20e657414dec7a to address CVE-2019-13290. + +Commit ed19bc806809ad10c4ddce515d375581b86ede85: +> Bug 701118: Handle appending large display list nodes. +> +> The size of the begin layer node depends on the size of the layer +> name. That name may be a string from the page's property resources, +> and is only bounded by memory when parsed by lex_string(). So the +> append_list_node() logic cannot simply double the size of the +> display list and hope that the node fits, since the node may be +> of arbitrary size. +> +> Now append_list_node() would repeatedly double the size of the +> display list until the node fits, or malloc() runs out of memory. + +Commit aaf794439e40a2ef544f15b50c20e657414dec7a: +> Bug 701118: Limit size of begin layer nodes in display list. +> +> The size of the begin layer node depends on the size of the layer +> name. That name may be a string from the page's property resources, +> and is only bounded by memory when parsed by lex_string(). The +> layer name may cause a display node to be larger than the maximum +> size allowed. This condition is now checked for. + +--- source/fitz/list-device.c.orig ++++ source/fitz/list-device.c +@@ -462,6 +462,9 @@ fz_append_display_node( + } + if (private_data != NULL) + { ++ int max = SIZE_IN_NODES(MAX_NODE_SIZE) - size; ++ if (SIZE_IN_NODES(private_data_len) > max) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "Private data too large to pack into display list node"); + private_off = size; + size += SIZE_IN_NODES(private_data_len); + } +@@ -466,7 +466,7 @@ fz_append_display_node( + size += SIZE_IN_NODES(private_data_len); + } + +- if (list->len + size > list->max) ++ while (list->len + size > list->max) + { + int newsize = list->max * 2; + fz_display_node *old = list->list; --_----------=_1562412468206310--
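Review bot: In the first list-device.c hunk (`@@ -462,6 +462,9 @@`), the new bound check compares `SIZE_IN_NODES(private_data_len)` against a signed `int max` that goes negative whenever `size` already exceeds `SIZE_IN_NODES(MAX_NODE_SIZE)`. If the macro expands to an unsigned expression, `max` is converted to unsigned for the comparison and the check passes in exactly the oversized case it is meant to reject. The types are not visible in this hunk, so please confirm them, or test `size` against the limit first and do the comparison in a single signedness. The local name `max` is also easy to confuse with `list->max`, which is used a few lines further down; a more specific name would help.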
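Review bot: In the second list-device.c hunk (`@@ -466,7 +466,7 @@`), turning the `if` into a `while` means `int newsize = list->max * 2;` now runs repeatedly, and nothing in the visible lines guards that multiplication against signed int overflow or against `list->max` being 0, where doubling makes no progress. The quoted upstream message says the loop ends when the node fits or malloc() runs out of memory, which relies on the allocation failing before the int wraps. Suggest computing the required size first with an explicit overflow check and then resizing once. Separately, this hunk's old-side range (466 to 472) overlaps the previous hunk's (462 to 467), and its new-side start does not account for the three lines added above, so the patch depends on patch(1) tolerating the inconsistent headers; regenerating it against the .orig file would fix that.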