Re: [PATCH] gnu: mupdf: Fix CVE-2016-8674.

[Marius Bakke <mbakke@fastmail.com>]

[-- Attachment #1.1: Type: text/plain, Size: 771 bytes --]

Kei Kebreau <kei@openmailbox.org> writes:

> Is it frowned upon to revert that commit on its own (it's the third to
> last commit as I write this), or should I attempt to patch on top of it?

I've modified the patch to apply to 1.9a, but it was far from trivial
due to many context changes in upstream git. The attached patch makes
mupdf build at least, and viewing PDF still works...

The interdiff is rather unintelligible, so to verify this you should
compare the final patch with the 1.9a sources.

Ideally we should try and reproduce this vulnerability (and others!)
after applying this patch, but I don't know how to use AFL.

Another option is to simply package up the git version, as there appears
to be no users of mupdf in the tree.

WDYT, is this patch safe?


[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 454 bytes --]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-mupdf-Modify-CVE-2016-8674-patch-to-apply-to-1.9.patch --]
[-- Type: text/x-patch, Size: 6295 bytes --]

From c51f44edf3293aae323eded49dcba750f54607cb Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Wed, 26 Oct 2016 06:39:34 +0100
Subject: [PATCH] gnu: mupdf: Modify CVE-2016-8674 patch to apply to 1.9a.

The fix from upstream did not apply cleanly due to many context changes.
This was adapted by cloning mupdf 1.9a from git and fixing conflicts
after applying our patches and cherry-picking upstream commit 1e03c06.

* gnu/packages/patches/mupdf-CVE-2016-8674.patch: Adapt to 1.9a.
---
 gnu/packages/patches/mupdf-CVE-2016-8674.patch | 83 +++++++++++++-------------
 1 file changed, 41 insertions(+), 42 deletions(-)

diff --git a/gnu/packages/patches/mupdf-CVE-2016-8674.patch b/gnu/packages/patches/mupdf-CVE-2016-8674.patch
index 62e4a02..2a35619 100644
--- a/gnu/packages/patches/mupdf-CVE-2016-8674.patch
+++ b/gnu/packages/patches/mupdf-CVE-2016-8674.patch
@@ -3,17 +3,17 @@ Fix CVE-2016-8674 (use-after-free in pdf_to_num()).
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8674
 https://security-tracker.debian.org/tracker/CVE-2016-8674
 
-Patch copied from upstream source repository:
+Patch adapted from upstream source repository:
 http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec
 
 diff --git a/include/mupdf/pdf/document.h b/include/mupdf/pdf/document.h
-index aabf05f..0078c4a 100644
+index f8ef0cd..e8345b7 100644
 --- a/include/mupdf/pdf/document.h
 +++ b/include/mupdf/pdf/document.h
-@@ -269,6 +269,10 @@ struct pdf_document_s
- 		fz_hash_table *images;
- 		fz_hash_table *fonts;
- 	} resources;
+@@ -258,6 +258,10 @@ struct pdf_document_s
+	fz_font **type3_fonts;
+
+	pdf_resource_tables *resources;
 +
 +	int orphans_max;
 +	int orphans_count;
@@ -22,10 +22,10 @@ index aabf05f..0078c4a 100644
  
  /*
 diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
-index 5bc3dca..bf57455 100644
+index 346a2f1..02d4119 100644
 --- a/include/mupdf/pdf/object.h
 +++ b/include/mupdf/pdf/object.h
-@@ -110,6 +110,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict, const char *key);
+@@ -109,6 +109,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict, const char *key);
  pdf_obj *pdf_dict_getsa(fz_context *ctx, pdf_obj *dict, const char *key, const char *abbrev);
  void pdf_dict_put(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
  void pdf_dict_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
@@ -34,10 +34,10 @@ index 5bc3dca..bf57455 100644
  void pdf_dict_puts_drop(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val);
  void pdf_dict_putp(fz_context *ctx, pdf_obj *dict, const char *path, pdf_obj *val);
 diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c
-index b4e33f3..1c19ba4 100644
+index f2e4551..a0d0d8e 100644
 --- a/source/pdf/pdf-object.c
 +++ b/source/pdf/pdf-object.c
-@@ -1265,11 +1265,14 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *abbrev)
+@@ -1240,9 +1240,13 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *abbrev)
  	return pdf_dict_get(ctx, obj, abbrev);
  }
  
@@ -46,27 +46,26 @@ index b4e33f3..1c19ba4 100644
 +static void
 +pdf_dict_get_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val)
  {
- 	int i;
- 
++
 +	if (old_val)
 +		*old_val = NULL;
 +
  	RESOLVE(obj);
- 	if (!OBJ_IS_DICT(obj))
- 		fz_throw(ctx, FZ_ERROR_GENERIC, "not a dict (%s)", pdf_objkindstr(obj));
-@@ -1295,7 +1298,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
- 		{
- 			pdf_obj *d = DICT(obj)->items[i].v;
- 			DICT(obj)->items[i].v = pdf_keep_obj(ctx, val);
--			pdf_drop_obj(ctx, d);
-+			if (old_val)
-+				*old_val = d;
-+			else
-+				pdf_drop_obj(ctx, d);
+	if (obj >= PDF_OBJ__LIMIT)
+	{
+@@ -1282,7 +1286,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
+			{
+				pdf_obj *d = DICT(obj)->items[i].v;
+				DICT(obj)->items[i].v = pdf_keep_obj(ctx, val);
+-				pdf_drop_obj(ctx, d);
++				if (old_val)
++					*old_val = d;
++				else
++					pdf_drop_obj(ctx, d);
+			}
  		}
- 	}
- 	else
-@@ -1316,10 +1322,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
+		else
+@@ -1305,10 +1312,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
  }
  
  void
@@ -96,10 +95,10 @@ index b4e33f3..1c19ba4 100644
  		pdf_drop_obj(ctx, val);
  	fz_catch(ctx)
 diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
-index 690bf15..167f609 100644
+index fdd4648..212c8b7 100644
 --- a/source/pdf/pdf-repair.c
 +++ b/source/pdf/pdf-repair.c
-@@ -260,6 +260,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc, int stm_num)
+@@ -259,6 +259,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc, int num, int gen)
  	}
  }
  
@@ -127,12 +126,12 @@ index 690bf15..167f609 100644
  void
  pdf_repair_xref(fz_context *ctx, pdf_document *doc)
  {
-@@ -528,12 +549,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
+@@ -520,12 +541,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
  			/* correct stream length for unencrypted documents */
  			if (!encrypt && list[i].stm_len >= 0)
  			{
 +				pdf_obj *old_obj = NULL;
- 				dict = pdf_load_object(ctx, doc, list[i].num);
+				dict = pdf_load_object(ctx, doc, list[i].num, list[i].gen);
  
  				length = pdf_new_int(ctx, doc, list[i].stm_len);
 -				pdf_dict_put(ctx, dict, PDF_NAME_Length, length);
@@ -145,22 +144,22 @@ index 690bf15..167f609 100644
  			}
  		}
 diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
-index 7d21775..0cf20d4 100644
+index 3de1cd2..6682741 100644
 --- a/source/pdf/pdf-xref.c
 +++ b/source/pdf/pdf-xref.c
-@@ -1620,6 +1620,12 @@ pdf_drop_document_imp(fz_context *ctx, pdf_document *doc)
+@@ -1626,6 +1626,12 @@ pdf_close_document(fz_context *ctx, pdf_document *doc)
  
- 		pdf_drop_resource_tables(ctx, doc);
+	pdf_drop_resource_tables(ctx, doc);
  
-+		for (i = 0; i < doc->orphans_count; i++)
-+		{
-+			pdf_drop_obj(ctx, doc->orphans[i]);
-+		}
-+		fz_free(ctx, doc->orphans);
++	for (i = 0; i < doc->orphans_count; i++)
++	{
++		pdf_drop_obj(ctx, doc->orphans[i]);
++	}
++	fz_free(ctx, doc->orphans);
 +
- 		fz_free(ctx, doc);
- 	}
- 	fz_always(ctx)
+	fz_free(ctx, doc);
+ }
+
 -- 
-2.9.1
+2.10.1
 
-- 
2.10.1