From 4b6d7eae729f9f3ed6d8bbe2b7de4cc5873c97a2 Mon Sep 17 00:00:00 2001
From: B. Watson
Date: Tue, 25 Feb 2014 08:02:21 +0700
Subject: office/mupdf: Fixed CVE-2014-2013.

Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
---
 office/mupdf/mupdf.SlackBuild                  | 21 ++++++++-
 office/mupdf/xps_parse_color_overflow_fix.diff | 60 ++++++++++++++++++++++++++
 2 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 office/mupdf/xps_parse_color_overflow_fix.diff

(limited to 'office/mupdf')

diff --git a/office/mupdf/mupdf.SlackBuild b/office/mupdf/mupdf.SlackBuild
index e7d9d94b86..f7e98c4bdb 100644
--- a/office/mupdf/mupdf.SlackBuild
+++ b/office/mupdf/mupdf.SlackBuild
@@ -17,9 +17,23 @@
 # - Updated README & slack-desc to mention XPS and CBZ
 # - Fix the man pages slightly
 
+# Modified 20140224 by B. Watson (yalhcru@gmail.com):
+# - backported security fix for CVE-2014-2013. I will be upgrading this
+#   build to mupdf-1.3, but it'll take more work than I currently have
+#   time for:
+#   + mupdf's internals have changed, will have to redo my patches
+#   + it depends on openjpeg 2.0 which SBo hasn't got yet. 2.0 uses an
+#     incompatible API, so an openjpeg 2.0 SlackBuild would require
+#     updates for everything that depends on it.
+#   + zathura-pdf-mupdf will need updating (mupdf's API has changed)
+#   + probably all the other zathura-* builds will need updating to
+#     be compatible with new zathura-pdf-mupdf
+#   The security fix is needed now, it's a tiny patch, and shouldn't have
+#   to wait on all that other stuff.
+
 PRGNAM=mupdf
 VERSION=${VERSION:-1.2}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 TAG=${TAG:-_SBo}
 
 if [ -z "$ARCH" ]; then
@@ -80,6 +94,11 @@ patch -p1 < $CWD/man_page.diff
 sed -i 's,libopenjpeg,libopenjpeg1,' Makerules
 rm -rf thirdparty
 
+# patch from upstream git, fix security vulnerability CVE-2014-2013.
+# from here: http://git.ghostscript.com/?p=user/zeniko/mupdf.git;h=60dabde18d
+# Patch is for mupdf-1.3, I've backported it to 1.2 for now.
+patch -p1 < $CWD/xps_parse_color_overflow_fix.diff
+
 make build=release prefix=/usr XCFLAGS="$SLKCFLAGS"
 make \
   build=release \
diff --git a/office/mupdf/xps_parse_color_overflow_fix.diff b/office/mupdf/xps_parse_color_overflow_fix.diff
new file mode 100644
index 0000000000..3995b665cc
--- /dev/null
+++ b/office/mupdf/xps_parse_color_overflow_fix.diff
@@ -0,0 +1,60 @@
+diff -Naur mupdf-1.2-source/xps/xps_common.c mupdf-1.2-source.patched/xps/xps_common.c
+--- mupdf-1.2-source/xps/xps_common.c	2013-02-13 15:25:08.000000000 -0500
++++ mupdf-1.2-source.patched/xps/xps_common.c	2014-02-24 15:25:35.000000000 -0500
+@@ -89,7 +89,7 @@
+ 		if (scb_color_att)
+ 		{
+ 			fz_colorspace *colorspace;
+-			float samples[32];
++			float samples[FZ_MAX_COLORS];
+ 			xps_parse_color(doc, base_uri, scb_color_att, &colorspace, samples);
+ 			opacity = opacity * samples[0];
+ 		}
+@@ -273,6 +273,11 @@
+ 
+ 		*p++ = 0;
+ 		n = count_commas(p) + 1;
++		if (n > FZ_MAX_COLORS)
++		{
++			fz_warn(doc->ctx, "ignoring %d color components (max %d allowed)", n - FZ_MAX_COLORS, FZ_MAX_COLORS);
++			n = FZ_MAX_COLORS;
++		}
+ 		i = 0;
+ 		while (i < n)
+ 		{
+diff -Naur mupdf-1.2-source/xps/xps_glyphs.c mupdf-1.2-source.patched/xps/xps_glyphs.c
+--- mupdf-1.2-source/xps/xps_glyphs.c	2013-02-13 15:25:08.000000000 -0500
++++ mupdf-1.2-source.patched/xps/xps_glyphs.c	2014-02-24 15:25:57.000000000 -0500
+@@ -591,7 +591,7 @@
+ 
+ 	if (fill_att)
+ 	{
+-		float samples[32];
++		float samples[FZ_MAX_COLORS];
+ 		fz_colorspace *colorspace;
+ 
+ 		xps_parse_color(doc, base_uri, fill_att, &colorspace, samples);
+diff -Naur mupdf-1.2-source/xps/xps_gradient.c mupdf-1.2-source.patched/xps/xps_gradient.c
+--- mupdf-1.2-source/xps/xps_gradient.c	2013-02-13 15:25:08.000000000 -0500
++++ mupdf-1.2-source.patched/xps/xps_gradient.c	2014-02-24 15:26:30.000000000 -0500
+@@ -38,7 +38,7 @@
+ 	struct stop *stops, int maxcount)
+ {
+ 	fz_colorspace *colorspace;
+-	float sample[8];
++	float sample[FZ_MAX_COLORS];
+ 	float rgb[3];
+ 	int before, after;
+ 	int count;
+diff -Naur mupdf-1.2-source/xps/xps_path.c mupdf-1.2-source.patched/xps/xps_path.c
+--- mupdf-1.2-source/xps/xps_path.c	2013-02-13 15:25:08.000000000 -0500
++++ mupdf-1.2-source.patched/xps/xps_path.c	2014-02-24 15:27:07.000000000 -0500
+@@ -826,7 +826,7 @@
+ 
+ 	fz_stroke_state *stroke = NULL;
+ 	fz_matrix transform;
+-	float samples[32];
++	float samples[FZ_MAX_COLORS];
+ 	fz_colorspace *colorspace;
+ 	fz_path *path;
+ 	fz_path *stroke_path = NULL;
-- 
cgit v1.2.3