From 8cf64f990d9d652084e6e8bccedc03f8a0a1eef7 Mon Sep 17 00:00:00 2001
From: Daniel Sabogal <dsabogalcc@gmail.com>
Date: Fri, 10 Feb 2017 13:43:31 -0500
Subject: main/mupdf: security fix for CVE-2017-5896

---
 main/mupdf/APKBUILD            | 16 ++++++-------
 main/mupdf/CVE-2017-5896.patch | 51 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+), 8 deletions(-)
 create mode 100644 main/mupdf/CVE-2017-5896.patch

(limited to 'main')

diff --git a/main/mupdf/APKBUILD b/main/mupdf/APKBUILD
index bc9ed9cdd5..a242705c4c 100644
--- a/main/mupdf/APKBUILD
+++ b/main/mupdf/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Daniel Sabogal <dsabogalcc@gmail.com>
 pkgname=mupdf
 pkgver=1.10a
-pkgrel=0
+pkgrel=1
 pkgdesc="A lightweight PDF and XPS viewer"
 url="http://mupdf.com"
 arch="all"
@@ -16,8 +16,13 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-x11:_x11
 source="http://mupdf.com/downloads/archive/$pkgname-$pkgver-source.tar.gz
 	shared-lib.patch
 	openjpeg-2.1.patch
+	CVE-2017-5896.patch
 	"
 
+# secfixes:
+#   1.10a-r1:
+#   - CVE-2017-5896
+
 builddir="$srcdir/$pkgname-$pkgver-source"
 prepare() {
 	default_prepare || return 1
@@ -74,12 +79,7 @@ _tools() {
 		"$subpkgdir"/usr/bin/ || return 1
 }
 
-md5sums="f80fbba2524d1d52f6ed09237d382411  mupdf-1.10a-source.tar.gz
-8c4c5ec03c3df7e87a672c79302f6df5  shared-lib.patch
-a5b85a55be0e958c16f900730ff24ad8  openjpeg-2.1.patch"
-sha256sums="aacc1f36b9180f562022ef1ab3439b009369d944364f3cff8a2a898834e3a836  mupdf-1.10a-source.tar.gz
-3ff3c9413c4c1005db7e41a085ce8e72ee1e956e8d1538a615f51f86f8bb1d14  shared-lib.patch
-12ea2a295b62ca85298273d54b423ec8e73fb52d712bcee20bab0507a595b7a0  openjpeg-2.1.patch"
 sha512sums="8c735963364985e74ceb38242afae555a3d2ee7c69abe3fe5c485e8613a83d996a58f231cb689a156019d431fa67d565503247d010b0a404054850483aed9fec  mupdf-1.10a-source.tar.gz
 bc38cc6935ed1c5941773e0671bea25d33897c1018c30f11ff3a1ec1e583276597f521b9e526f9bd38a6f9a1e76aa3e52782995ded72a618d07811abcd7ca734  shared-lib.patch
-bfb509c529e26c3d2dc827298ce3a6083640fbe3fd7491560ffb1e8f86d62bbd4a5d52721079caef8a38d6f332132b581859276000b397f9512673eedb0315a7  openjpeg-2.1.patch"
+bfb509c529e26c3d2dc827298ce3a6083640fbe3fd7491560ffb1e8f86d62bbd4a5d52721079caef8a38d6f332132b581859276000b397f9512673eedb0315a7  openjpeg-2.1.patch
+e9f29b909e016967fc9e6ca6723d63aecfea5c8aeadbd923bbf8a0fa1f4b0e16bd4eedac178bbf5fa359e47a55aa307b6581c6ce45b177ee12430f41c0b49cd7  CVE-2017-5896.patch"
diff --git a/main/mupdf/CVE-2017-5896.patch b/main/mupdf/CVE-2017-5896.patch
new file mode 100644
index 0000000000..a68715ac31
--- /dev/null
+++ b/main/mupdf/CVE-2017-5896.patch
@@ -0,0 +1,51 @@
+From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 9 Feb 2017 07:12:16 -0800
+Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap
+
+Pointer arithmetic for final special case was going wrong.
+---
+ source/fitz/pixmap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index a831712..f1291dc 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ 	"@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
+ 	"ldr	r4, [r13,#4*22]		@ r4 = divXY			\n"
+ 	"ldr	r5, [r13,#4*11]		@ for (nn = n; nn > 0; n--) {	\n"
++	"ldr	r8, [r13,#4*17]		@ r8 = back4			\n"
+ 	"18:				@				\n"
+ 	"mov	r14,#0			@ r14= v = 0			\n"
+ 	"sub	r5, r5, r1, LSL #8	@ for (xx = x; xx > 0; x--) {	\n"
+@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ 	"mul	r14,r4, r14		@ r14= v *= divX		\n"
+ 	"mov	r14,r14,LSR #16		@ r14= v >>= 16			\n"
+ 	"strb	r14,[r9], #1		@ *d++ = r14			\n"
+-	"sub	r0, r0, r8		@ s -= back2			\n"
++	"sub	r0, r0, r8		@ s -= back4			\n"
+ 	"subs	r5, r5, #1		@ n--				\n"
+ 	"bgt	18b			@ }				\n"
+ 	"21:				@				\n"
+@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ 		x += f;
+ 		if (x > 0)
+ 		{
++			int back4 = x * n - 1;
+ 			div = x * y;
+ 			for (nn = n; nn > 0; nn--)
+ 			{
+@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ 					s -= back5;
+ 				}
+ 				*d++ = v / div;
+-				s -= back2;
++				s -= back4;
+ 			}
+ 		}
+ 	}
+-- 
+2.9.1
+
-- 
cgit v1.2.3