authorJuergen Daubert <jue@jue.li>2014-02-24 13:36:14 +0100
committerJuergen Daubert <jue@jue.li>2014-02-24 13:36:14 +0100
commit4a8c829b745a26e62e05ea4942adcb13b0f1c4a9 (patch)
tree34c26cce9d0ee165af7e6ec2b25b4f3a9bb6111b /mupdf
parent3cd7ad8142f474f1a865be9bdbc072acd9b75071 (diff)
mupdf: fix stack buffer overflow in xps_parse_color
Diffstat (limited to 'mupdf')
-rw-r--r--mupdf/.md5sum1
-rw-r--r--mupdf/Pkgfile7
-rw-r--r--mupdf/mupdf-694957.patch135
3 files changed, 140 insertions, 3 deletions
diff --git a/mupdf/.md5sum b/mupdf/.md5sum
index 4c8d669af..d4e253d42 100644
--- a/mupdf/.md5sum
+++ b/mupdf/.md5sum
@@ -1,2 +1,3 @@
fe53c2a56ebd7759f5f965bc4ff66359 mupdf-1.3-source.tar.gz
+f4d785b28f711e12d4a078ce9b3ed8f5 mupdf-694957.patch
9a173e6f0067130b77f4daa658087c31 mupdf-sys_curl.patch
diff --git a/mupdf/Pkgfile b/mupdf/Pkgfile
index 67d022086..2ce31dcb4 100644
--- a/mupdf/Pkgfile
+++ b/mupdf/Pkgfile
@@ -5,15 +5,16 @@
name=mupdf
version=1.3
-release=1
+release=2
source=(https://mupdf.googlecode.com/files/$name-$version-source.tar.gz
- $name-sys_curl.patch)
+ $name-sys_curl.patch $name-694957.patch)
build() {
cd $name-$version-source
patch -p1 -i $SRC/$name-sys_curl.patch
-
+ patch -p1 -i $SRC/$name-694957.patch
+
rm -r thirdparty/{freetype*,jpeg*,zlib,curl}
make build=release
make prefix=$PKG/usr mandir=$PKG/usr/man install
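Review bot: The new `patch -p1 -i $SRC/$name-694957.patch` line in build() gives no hint that it is a security fix, so a reader has to open the patch file to learn why release was bumped; a comment above it, `# Bug 694957: stack buffer overflow in xps_parse_color (upstream 60dabde)`, would record that in the Pkgfile itself. The patch is applied after sys_curl.patch, which is fine as long as the two do not touch the same files; from this page it looks like they do not (one touches the build, the other source/xps), but that is inferred. The body of build() continues past the end of the hunk.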
diff --git a/mupdf/mupdf-694957.patch b/mupdf/mupdf-694957.patch
new file mode 100644
index 000000000..bfe86f320
--- /dev/null
+++ b/mupdf/mupdf-694957.patch
@@ -0,0 +1,135 @@
+From 60dabde18d7fe12b19da8b509bdfee9cc886aafc Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Simon=20B=C3=BCnzli?= <zeniko@gmail.com>
+Date: Thu, 16 Jan 2014 22:04:51 +0100
+Subject: [PATCH] Bug 694957: fix stack buffer overflow in xps_parse_color
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+xps_parse_color happily reads more than FZ_MAX_COLORS values out of a
+ContextColor array which overflows the passed in samples array.
+Limiting the number of allowed samples to FZ_MAX_COLORS and make sure
+to use that constant for all callers fixes the problem.
+
+Thanks to Jean-Jamil Khalifé for reporting and investigating the issue
+and providing a sample exploit file.
+---
+ source/xps/xps-common.c | 22 ++++++++++++++--------
+ source/xps/xps-glyphs.c | 2 +-
+ source/xps/xps-gradient.c | 2 +-
+ source/xps/xps-path.c | 2 +-
+ 4 files changed, 17 insertions(+), 11 deletions(-)
+
+diff --git a/source/xps/xps-common.c b/source/xps/xps-common.c
+index b780f42..32a30ba 100644
+--- a/source/xps/xps-common.c
++++ b/source/xps/xps-common.c
+@@ -89,7 +89,7 @@ xps_begin_opacity(xps_document *doc, const fz_matrix *ctm, const fz_rect *area,
+ if (scb_color_att)
+ {
+ fz_colorspace *colorspace;
+- float samples[32];
++ float samples[FZ_MAX_COLORS];
+ xps_parse_color(doc, base_uri, scb_color_att, &colorspace, samples);
+ opacity = opacity * samples[0];
+ }
+@@ -208,12 +208,13 @@ void
+ xps_parse_color(xps_document *doc, char *base_uri, char *string,
+ fz_colorspace **csp, float *samples)
+ {
++ fz_context *ctx = doc->ctx;
+ char *p;
+ int i, n;
+ char buf[1024];
+ char *profile;
+
+- *csp = fz_device_rgb(doc->ctx);
++ *csp = fz_device_rgb(ctx);
+
+ samples[0] = 1;
+ samples[1] = 0;
+@@ -259,7 +260,7 @@ xps_parse_color(xps_document *doc, char *base_uri, char *string,
+ profile = strchr(buf, ' ');
+ if (!profile)
+ {
+- fz_warn(doc->ctx, "cannot find icc profile uri in '%s'", string);
++ fz_warn(ctx, "cannot find icc profile uri in '%s'", string);
+ return;
+ }
+
+@@ -267,12 +268,17 @@ xps_parse_color(xps_document *doc, char *base_uri, char *string,
+ p = strchr(profile, ' ');
+ if (!p)
+ {
+- fz_warn(doc->ctx, "cannot find component values in '%s'", profile);
++ fz_warn(ctx, "cannot find component values in '%s'", profile);
+ return;
+ }
+
+ *p++ = 0;
+ n = count_commas(p) + 1;
++ if (n > FZ_MAX_COLORS)
++ {
++ fz_warn(ctx, "ignoring %d color components (max %d allowed)", n - FZ_MAX_COLORS, FZ_MAX_COLORS);
++ n = FZ_MAX_COLORS;
++ }
+ i = 0;
+ while (i < n)
+ {
+@@ -292,10 +298,10 @@ xps_parse_color(xps_document *doc, char *base_uri, char *string,
+ /* TODO: load ICC profile */
+ switch (n)
+ {
+- case 2: *csp = fz_device_gray(doc->ctx); break;
+- case 4: *csp = fz_device_rgb(doc->ctx); break;
+- case 5: *csp = fz_device_cmyk(doc->ctx); break;
+- default: *csp = fz_device_gray(doc->ctx); break;
++ case 2: *csp = fz_device_gray(ctx); break;
++ case 4: *csp = fz_device_rgb(ctx); break;
++ case 5: *csp = fz_device_cmyk(ctx); break;
++ default: *csp = fz_device_gray(ctx); break;
+ }
+ }
+ }
+diff --git a/source/xps/xps-glyphs.c b/source/xps/xps-glyphs.c
+index b26e18d..e621257 100644
+--- a/source/xps/xps-glyphs.c
++++ b/source/xps/xps-glyphs.c
+@@ -590,7 +590,7 @@ xps_parse_glyphs(xps_document *doc, const fz_matrix *ctm,
+
+ if (fill_att)
+ {
+- float samples[32];
++ float samples[FZ_MAX_COLORS];
+ fz_colorspace *colorspace;
+
+ xps_parse_color(doc, base_uri, fill_att, &colorspace, samples);
+diff --git a/source/xps/xps-gradient.c b/source/xps/xps-gradient.c
+index 7d03f89..76188e9 100644
+--- a/source/xps/xps-gradient.c
++++ b/source/xps/xps-gradient.c
+@@ -39,7 +39,7 @@ xps_parse_gradient_stops(xps_document *doc, char *base_uri, fz_xml *node,
+ struct stop *stops, int maxcount)
+ {
+ fz_colorspace *colorspace;
+- float sample[8];
++ float sample[FZ_MAX_COLORS];
+ float rgb[3];
+ int before, after;
+ int count;
+diff --git a/source/xps/xps-path.c b/source/xps/xps-path.c
+index b97ee17..ea84a81 100644
+--- a/source/xps/xps-path.c
++++ b/source/xps/xps-path.c
+@@ -826,7 +826,7 @@ xps_parse_path(xps_document *doc, const fz_matrix *ctm, char *base_uri, xps_reso
+
+ fz_stroke_state *stroke = NULL;
+ fz_matrix transform;
+- float samples[32];
++ float samples[FZ_MAX_COLORS];
+ fz_colorspace *colorspace;
+ fz_path *path = NULL;
+ fz_path *stroke_path = NULL;
+--
+1.7.9.5
+
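Review bot: The clamp added to xps_parse_color (`if (n > FZ_MAX_COLORS) { ... n = FZ_MAX_COLORS; }`) only makes the function safe if every caller hands in a buffer of at least FZ_MAX_COLORS floats, yet the signature `float *samples` carries no length, so that contract lives only in the callers' declarations; a comment at the definition, `/* samples must have room for FZ_MAX_COLORS floats; at most that many components are parsed, the rest are dropped with a warning */`, would make the requirement visible to anyone adding a caller. The four caller edits are therefore part of the fix rather than cleanup: xps-gradient.c previously used `float sample[8]`, which was undersized even for the old 32-sample assumption, and any caller of xps_parse_color outside these four files (none is visible here) would still be exposed. The clamp sits after `*p++ = 0;` and before the parsing loop, so the warning is emitted once and the loop reads exactly n values, which looks correct. The rest of xps_parse_color, including the other colour-syntax branches between the first and second hunk of xps-common.c, is outside the patch and cannot be checked from this page.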
