[pkgsrc/trunk]: pkgsrc/print/mupdf Add a patch to fix CVE-2016-6265 use after...

[leot <leot%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/3ac81af63f6a
branches:  trunk
changeset: 350096:3ac81af63f6a
user:      leot <leot%pkgsrc.org@localhost>
date:      Fri Jul 22 15:42:38 2016 +0000

description:
Add a patch to fix CVE-2016-6265 use after free bug (from upstream)

Bump PKGREVISION

diffstat:

 print/mupdf/Makefile                            |   4 ++--
 print/mupdf/distinfo                            |   3 ++-
 print/mupdf/patches/patch-source_pdf_pdf-xref.c |  23 +++++++++++++++++++++++
 3 files changed, 27 insertions(+), 3 deletions(-)

diffs (56 lines):

diff -r 7b7874038c6f -r 3ac81af63f6a print/mupdf/Makefile
--- a/print/mupdf/Makefile      Fri Jul 22 13:16:39 2016 +0000
+++ b/print/mupdf/Makefile      Fri Jul 22 15:42:38 2016 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.37 2016/07/15 12:32:33 leot Exp $
+# $NetBSD: Makefile,v 1.38 2016/07/22 15:42:38 leot Exp $
 
 DISTNAME=      mupdf-1.9a-source
 PKGNAME=       ${DISTNAME:S/-source//}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    print
 MASTER_SITES=  http://mupdf.com/downloads/archive/
 
diff -r 7b7874038c6f -r 3ac81af63f6a print/mupdf/distinfo
--- a/print/mupdf/distinfo      Fri Jul 22 13:16:39 2016 +0000
+++ b/print/mupdf/distinfo      Fri Jul 22 15:42:38 2016 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.25 2016/07/15 12:32:33 leot Exp $
+$NetBSD: distinfo,v 1.26 2016/07/22 15:42:38 leot Exp $
 
 SHA1 (mupdf-1.9a-source.tar.gz) = f2b3c21e5060d6ec56ea0d0c32b0feac7eac0e5f
 RMD160 (mupdf-1.9a-source.tar.gz) = 0cb0d098c603b16be217e42299052a928d95c3fc
@@ -9,4 +9,5 @@
 SHA1 (patch-ac) = 51b62ef8ff3e6c44ad954b2405bd982f9d682d37
 SHA1 (patch-ae) = c6b113818b32cb4470e8549c00a16e0b2f364ede
 SHA1 (patch-source_fitz_load-jpx.c) = cb33828a6ca638c1b61ff017708a41cc586d1b0e
+SHA1 (patch-source_pdf_pdf-xref.c) = 406c7a664b7171eb5ca7c5a09aac6be549a8fbb5
 SHA1 (patch-thirdparty_mujs_Makefile) = f1da7cdf2c9e2e4bbac3e80ef486204a39b27e34
diff -r 7b7874038c6f -r 3ac81af63f6a print/mupdf/patches/patch-source_pdf_pdf-xref.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/mupdf/patches/patch-source_pdf_pdf-xref.c   Fri Jul 22 15:42:38 2016 +0000
@@ -0,0 +1,23 @@
+$NetBSD: patch-source_pdf_pdf-xref.c,v 1.1 2016/07/22 15:42:38 leot Exp $
+
+Fix for CVE-2016-6265 use after free (via upstream bug 696941).
+
+--- source/pdf/pdf-xref.c.orig 2016-04-21 11:14:32.000000000 +0000
++++ source/pdf/pdf-xref.c
+@@ -1191,8 +1191,14 @@ pdf_load_xref(fz_context *ctx, pdf_docum
+                               fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i);
+               }
+               if (entry->type == 'o')
+-                      if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')
+-                              fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);
++              {
++                      /* Read this into a local variable here, because pdf_get_xref_entry
++                       * may solidify the xref, hence invalidating "entry", meaning we
++                       * need a stashed value for the throw. */
++                      fz_off_t ofs = entry->ofs;
++                      if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')
++                              fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);
++              }
+       }
+ }
+