mupdf: security fix for CVE-2017-5627 and CVE-2017-5628.

Patches were backported by NetBSD.
This commit is contained in:
Leah Neukirchen 2017-01-31 17:19:56 +01:00
parent 9d7f777c38
commit f86d9179e5
3 changed files with 49 additions and 1 deletions

View file

@ -0,0 +1,27 @@
$NetBSD: patch-thirdparty_mujs_jsdate.c,v 1.1 2017/01/30 14:06:05 leot Exp $
Backport a fix from upstream for CVE-2017-5628:
Fix 697496: Check NAN before accessing array in MakeDay().
--- thirdparty/mujs/jsdate.c.orig
+++ thirdparty/mujs/jsdate.c
@@ -207,12 +207,17 @@ static double MakeDay(double y, double m, double date)
};
double yd, md;
+ int im;
y += floor(m / 12);
m = pmod(m, 12);
+ im = (int)m;
+ if (im < 0 || im >= 12)
+ return NAN;
+
yd = floor(TimeFromYear(y) / msPerDay);
- md = firstDayOfMonth[InLeapYear(y)][(int)m];
+ md = firstDayOfMonth[InLeapYear(y)][im];
return yd + md + date - 1;
}

View file

@ -0,0 +1,21 @@
$NetBSD: patch-thirdparty_mujs_jsrun.c,v 1.1 2017/01/30 14:06:05 leot Exp $
Backport a fix from upstream for CVE-2017-5627:
Fix 697497: Ensure array length is positive.
As a side effect when changing to using regular integers (and avoid the
nightmare of mixing signed and unsigned) we accidentally allowed negative
array lengths.
--- thirdparty/mujs/jsrun.c.orig
+++ thirdparty/mujs/jsrun.c
@@ -544,7 +544,7 @@ static void jsR_setproperty(js_State *J, js_Object *obj, const char *name)
if (!strcmp(name, "length")) {
double rawlen = jsV_tonumber(J, value);
int newlen = jsV_numbertointeger(rawlen);
- if (newlen != rawlen)
+ if (newlen != rawlen || newlen < 0)
js_rangeerror(J, "array length");
jsV_resizearray(J, obj, newlen);
return;

View file

@ -1,7 +1,7 @@
# Template file for 'mupdf'
pkgname=mupdf
version=1.10a
revision=1
revision=2
wrksrc="${pkgname}-${version}-source"
hostmakedepends="pkg-config zlib-devel libcurl-devel freetype-devel
libjpeg-turbo-devel jbig2dec-devel libXext-devel libXcursor-devel