mupdf: security fix for CVE-2017-5627 and CVE-2017-5628.
Patches were backported by NetBSD.
This commit is contained in:
Leah Neukirchen
parent
9d7f777c38
commit
f86d9179e5
3 changed files with 49 additions and 1 deletions
27
srcpkgs/mupdf/patches/patch-thirdparty_mujs_jsdate.c
Normal file
27
srcpkgs/mupdf/patches/patch-thirdparty_mujs_jsdate.c
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
$NetBSD: patch-thirdparty_mujs_jsdate.c,v 1.1 2017/01/30 14:06:05 leot Exp $
|
||||
|
||||
Backport a fix from upstream for CVE-2017-5628:
|
||||
|
||||
Fix 697496: Check NAN before accessing array in MakeDay().
|
||||
|
||||
--- thirdparty/mujs/jsdate.c.orig
|
||||
+++ thirdparty/mujs/jsdate.c
|
||||
@@ -207,12 +207,17 @@ static double MakeDay(double y, double m, double date)
|
||||
};
|
||||
|
||||
double yd, md;
|
||||
+ int im;
|
||||
|
||||
y += floor(m / 12);
|
||||
m = pmod(m, 12);
|
||||
|
||||
+ im = (int)m;
|
||||
+ if (im < 0 || im >= 12)
|
||||
+ return NAN;
|
||||
+
|
||||
yd = floor(TimeFromYear(y) / msPerDay);
|
||||
- md = firstDayOfMonth[InLeapYear(y)][(int)m];
|
||||
+ md = firstDayOfMonth[InLeapYear(y)][im];
|
||||
|
||||
return yd + md + date - 1;
|
||||
}
|
||||
21
srcpkgs/mupdf/patches/patch-thirdparty_mujs_jsrun.c
Normal file
21
srcpkgs/mupdf/patches/patch-thirdparty_mujs_jsrun.c
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
$NetBSD: patch-thirdparty_mujs_jsrun.c,v 1.1 2017/01/30 14:06:05 leot Exp $
|
||||
|
||||
Backport a fix from upstream for CVE-2017-5627:
|
||||
|
||||
Fix 697497: Ensure array length is positive.
|
||||
|
||||
As a side effect when changing to using regular integers (and avoid the
|
||||
nightmare of mixing signed and unsigned) we accidentally allowed negative
|
||||
array lengths.
|
||||
|
||||
--- thirdparty/mujs/jsrun.c.orig
|
||||
+++ thirdparty/mujs/jsrun.c
|
||||
@@ -544,7 +544,7 @@ static void jsR_setproperty(js_State *J, js_Object *obj, const char *name)
|
||||
if (!strcmp(name, "length")) {
|
||||
double rawlen = jsV_tonumber(J, value);
|
||||
int newlen = jsV_numbertointeger(rawlen);
|
||||
- if (newlen != rawlen)
|
||||
+ if (newlen != rawlen || newlen < 0)
|
||||
js_rangeerror(J, "array length");
|
||||
jsV_resizearray(J, obj, newlen);
|
||||
return;
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
# Template file for 'mupdf'
|
||||
pkgname=mupdf
|
||||
version=1.10a
|
||||
revision=1
|
||||
revision=2
|
||||
wrksrc="${pkgname}-${version}-source"
|
||||
hostmakedepends="pkg-config zlib-devel libcurl-devel freetype-devel
|
||||
libjpeg-turbo-devel jbig2dec-devel libXext-devel libXcursor-devel
|
||||
|
|
|
|||
Loading…
Reference in a new issue