pkgsrc-Changes archive


CVS commit: [pkgsrc-2019Q2] pkgsrc/print/mupdf



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sat Jul  6 19:06:39 UTC 2019

Modified Files:
        pkgsrc/print/mupdf [pkgsrc-2019Q2]: Makefile distinfo
Added Files:
        pkgsrc/print/mupdf/patches [pkgsrc-2019Q2]:
            patch-source_fitz_list-device.c

Log Message:
Pullup ticket #5989 - requested by leot
print/mupdf: security fix

Revisions pulled up:
- print/mupdf/Makefile                                          1.69
- print/mupdf/distinfo                                          1.46
- print/mupdf/patches/patch-source_fitz_list-device.c           1.1

---
   Module Name: pkgsrc
   Committed By:        leot
   Date:                Sat Jul  6 11:27:48 UTC 2019

   Modified Files:
        pkgsrc/print/mupdf: Makefile distinfo
   Added Files:
        pkgsrc/print/mupdf/patches: patch-source_fitz_list-device.c

   Log Message:
   mupdf: Backport patches to address CVE-2019-13290

   Bump PKGREVISION


To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.68.2.1 pkgsrc/print/mupdf/Makefile
cvs rdiff -u -r1.45 -r1.45.2.1 pkgsrc/print/mupdf/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/print/mupdf/patches/patch-source_fitz_list-device.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/print/mupdf/Makefile
diff -u pkgsrc/print/mupdf/Makefile:1.68 pkgsrc/print/mupdf/Makefile:1.68.2.1
--- pkgsrc/print/mupdf/Makefile:1.68    Mon May 13 11:03:58 2019
+++ pkgsrc/print/mupdf/Makefile Sat Jul  6 19:06:39 2019
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.68 2019/05/13 11:03:58 leot Exp $
+# $NetBSD: Makefile,v 1.68.2.1 2019/07/06 19:06:39 bsiegert Exp $
 
 DISTNAME=      mupdf-1.15.0-source
 PKGNAME=       ${DISTNAME:S/-source//}
+PKGREVISION=   1
 CATEGORIES=    print
 MASTER_SITES=  https://mupdf.com/downloads/archive/
 

Index: pkgsrc/print/mupdf/distinfo
diff -u pkgsrc/print/mupdf/distinfo:1.45 pkgsrc/print/mupdf/distinfo:1.45.2.1
--- pkgsrc/print/mupdf/distinfo:1.45    Fri May 17 05:45:10 2019
+++ pkgsrc/print/mupdf/distinfo Sat Jul  6 19:06:39 2019
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.45 2019/05/17 05:45:10 wiz Exp $
+$NetBSD: distinfo,v 1.45.2.1 2019/07/06 19:06:39 bsiegert Exp $
 
 SHA1 (mupdf-1.15.0-source.tar.gz) = 4354a1c7245d4351ba604a4deed4a4ecf3e27492
 RMD160 (mupdf-1.15.0-source.tar.gz) = 892247f12a9e85d384c6cbc6c5a394d36e783158
@@ -10,5 +10,6 @@ SHA1 (patch-ac) = 94294d03a0ad31e2e4063f
 SHA1 (patch-ae) = c6b113818b32cb4470e8549c00a16e0b2f364ede
 SHA1 (patch-platform_gl_gl-app.h) = f8682b54821a560b2ba1082bcf215eeefb549644
 SHA1 (patch-platform_gl_gl-main.c) = edff1aa77c4d6af59b2eca442340606a0bae9970
+SHA1 (patch-source_fitz_list-device.c) = ea8ca9df49c16a91546ab05e8f3e57b1308c2278
 SHA1 (patch-source_fitz_load-jpx.c) = 161d21bca13bb57db37807aec844c85dc5b34157
 SHA1 (patch-thirdparty_mujs_Makefile) = 833e44f4e23d2a6ff61e6276feede4892feeb9bb

Added files:

Index: pkgsrc/print/mupdf/patches/patch-source_fitz_list-device.c
diff -u /dev/null pkgsrc/print/mupdf/patches/patch-source_fitz_list-device.c:1.1.2.2
--- /dev/null   Sat Jul  6 19:06:39 2019
+++ pkgsrc/print/mupdf/patches/patch-source_fitz_list-device.c  Sat Jul  6 19:06:39 2019
@@ -0,0 +1,48 @@
+$NetBSD: patch-source_fitz_list-device.c,v 1.1.2.2 2019/07/06 19:06:39 bsiegert Exp $
+
+Backport commits ed19bc806809ad10c4ddce515d375581b86ede85 and
+aaf794439e40a2ef544f15b50c20e657414dec7a to address CVE-2019-13290.
+
+Commit ed19bc806809ad10c4ddce515d375581b86ede85:
+> Bug 701118: Handle appending large display list nodes.
+> 
+> The size of the begin layer node depends on the size of the layer
+> name. That name may be a string from the page's property resources,
+> and is only bounded by memory when parsed by lex_string(). So the
+> append_list_node() logic cannot simply double the size of the
+> display list and hope that the node fits, since the node may be
+> of arbitrary size.
+> 
+> Now append_list_node() would repeatedly double the size of the
+> display list until the node fits, or malloc() runs out of memory.
+
+Commit aaf794439e40a2ef544f15b50c20e657414dec7a:
+> Bug 701118: Limit size of begin layer nodes in display list.
+> 
+> The size of the begin layer node depends on the size of the layer
+> name. That name may be a string from the page's property resources,
+> and is only bounded by memory when parsed by lex_string(). The
+> layer name may cause a display node to be larger than the maximum
+> size allowed. This condition is now checked for.
+
+--- source/fitz/list-device.c.orig
++++ source/fitz/list-device.c
+@@ -462,6 +462,9 @@ fz_append_display_node(
+       }
+       if (private_data != NULL)
+       {
++              int max = SIZE_IN_NODES(MAX_NODE_SIZE) - size;
++              if (SIZE_IN_NODES(private_data_len) > max)
++                      fz_throw(ctx, FZ_ERROR_GENERIC, "Private data too large to pack into display list node");
+               private_off = size;
+               size += SIZE_IN_NODES(private_data_len);
+       }
+@@ -466,7 +466,7 @@ fz_append_display_node(
+               size += SIZE_IN_NODES(private_data_len);
+       }
+ 
+-      if (list->len + size > list->max)
++      while (list->len + size > list->max)
+       {
+               int newsize = list->max * 2;
+               fz_display_node *old = list->list;
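
Review bot: In the second embedded hunk of patch-source_fitz_list-device.c, the new `while (list->len + size > list->max)` loop only terminates if `int newsize = list->max * 2;` actually grows on every pass, and the visible context shows no guard for `list->max` being 0 or for the doubling overflowing `int`. The first embedded hunk bounds `size` against `SIZE_IN_NODES(MAX_NODE_SIZE)`, which helps, but I would either compute the required capacity once before reallocating or add an explicit overflow check on `newsize`, and state in a comment that `list->max` is nonzero on entry if that is guaranteed elsewhere. Separately, the two embedded hunks overlap on the old side (`-462,6` and `-466,7`), and the second header still reads `+466,7` although the first hunk adds three lines above it; regenerating the patch as a single merged hunk would avoid depending on how patch(1) resolves the overlap.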


