From 76bbce6af2baed0c2fa7dddd43ecc2ffe6482c41 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Sat, 3 Dec 2016 21:39:55 +0100 Subject: gnu: mupdf: Update to 1.10a. * gnu/packages/patches/mupdf-CVE-2016-6265.patch: Delete file. * gnu/packages/patches/mupdf-CVE-2016-6525.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-7504.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-7505.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-7506.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-7563.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-7564.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-8674.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-9017.patch: Likewise. * gnu/packages/patches/mupdf-CVE-2016-9136.patch: Likewise. * gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch: Adjust to 1.10a. * gnu/local.mk (dist_patch_DATA): Remove deleted patches. * gnu/packages/pdf.scm (mupdf): Update to 1.10a. [source]: Remove patches. --- gnu/local.mk | 10 -- gnu/packages/patches/mupdf-CVE-2016-6265.patch | 30 ---- gnu/packages/patches/mupdf-CVE-2016-6525.patch | 21 --- gnu/packages/patches/mupdf-CVE-2016-7504.patch | 99 ------------- gnu/packages/patches/mupdf-CVE-2016-7505.patch | 32 ---- gnu/packages/patches/mupdf-CVE-2016-7506.patch | 42 ------ gnu/packages/patches/mupdf-CVE-2016-7563.patch | 37 ----- gnu/packages/patches/mupdf-CVE-2016-7564.patch | 34 ----- gnu/packages/patches/mupdf-CVE-2016-8674.patch | 165 --------------------- gnu/packages/patches/mupdf-CVE-2016-9017.patch | 46 ------ gnu/packages/patches/mupdf-CVE-2016-9136.patch | 32 ---- .../patches/mupdf-build-with-openjpeg-2.1.patch | 9 -- gnu/packages/pdf.scm | 16 +- 13 files changed, 3 insertions(+), 570 deletions(-) delete mode 100644 gnu/packages/patches/mupdf-CVE-2016-6265.patch delete mode 100644 gnu/packages/patches/mupdf-CVE-2016-6525.patch delete mode 100644 gnu/packages/patches/mupdf-CVE-2016-7504.patch delete mode 100644 gnu/packages/patches/mupdf-CVE-2016-7505.patch delete mode 100644 gnu/packages/patches/mupdf-CVE-2016-7506.patch delete mode 100644 gnu/packages/patches/mupdf-CVE-2016-7563.patch delete mode 100644 gnu/packages/patches/mupdf-CVE-2016-7564.patch delete mode 100644 gnu/packages/patches/mupdf-CVE-2016-8674.patch delete mode 100644 gnu/packages/patches/mupdf-CVE-2016-9017.patch delete mode 100644 gnu/packages/patches/mupdf-CVE-2016-9136.patch diff --git a/gnu/local.mk b/gnu/local.mk index c635a4792c..30f7b59f12 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -719,16 +719,6 @@ dist_patch_DATA = \ %D%/packages/patches/module-init-tools-moduledir.patch \ %D%/packages/patches/mumps-build-parallelism.patch \ %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \ - %D%/packages/patches/mupdf-CVE-2016-6265.patch \ - %D%/packages/patches/mupdf-CVE-2016-6525.patch \ - %D%/packages/patches/mupdf-CVE-2016-7504.patch \ - %D%/packages/patches/mupdf-CVE-2016-7505.patch \ - %D%/packages/patches/mupdf-CVE-2016-7506.patch \ - %D%/packages/patches/mupdf-CVE-2016-7563.patch \ - %D%/packages/patches/mupdf-CVE-2016-7564.patch \ - %D%/packages/patches/mupdf-CVE-2016-8674.patch \ - %D%/packages/patches/mupdf-CVE-2016-9017.patch \ - %D%/packages/patches/mupdf-CVE-2016-9136.patch \ %D%/packages/patches/mupen64plus-ui-console-notice.patch \ %D%/packages/patches/musl-CVE-2016-8859.patch \ %D%/packages/patches/mutt-store-references.patch \ diff --git a/gnu/packages/patches/mupdf-CVE-2016-6265.patch b/gnu/packages/patches/mupdf-CVE-2016-6265.patch deleted file mode 100644 index 58f5c3726c..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-6265.patch +++ /dev/null @@ -1,30 +0,0 @@ -Fix CVE-2016-6265 (use after free in pdf_load_xref()). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6265 -https://security-tracker.debian.org/tracker/CVE-2016-6265 - -Patch copied from upstream source repository: - -http://git.ghostscript.com/?p=mupdf.git;h=fa1936405b6a84e5c9bb440912c23d532772f958 - -diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c -index 576c315..3222599 100644 ---- a/source/pdf/pdf-xref.c -+++ b/source/pdf/pdf-xref.c -@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) - fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i); - } - if (entry->type == 'o') -- if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n') -- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i); -+ { -+ /* Read this into a local variable here, because pdf_get_xref_entry -+ * may solidify the xref, hence invalidating "entry", meaning we -+ * need a stashed value for the throw. */ -+ fz_off_t ofs = entry->ofs; -+ if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n') -+ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i); -+ } - } - } - diff --git a/gnu/packages/patches/mupdf-CVE-2016-6525.patch b/gnu/packages/patches/mupdf-CVE-2016-6525.patch deleted file mode 100644 index 370af5ade6..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-6525.patch +++ /dev/null @@ -1,21 +0,0 @@ -Fix CVE-2016-6525 (heap overflow in pdf_load_mesh_params()). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525 -https://security-tracker.debian.org/tracker/CVE-2016-6525 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e - -diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c -index 7815b3c..6e25efa 100644 ---- a/source/pdf/pdf-shade.c -+++ b/source/pdf/pdf-shade.c -@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, fz_shade *shade, pdf_ob - obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode); - if (pdf_array_len(ctx, obj) >= 6) - { -- n = (pdf_array_len(ctx, obj) - 4) / 2; -+ n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2); - shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0)); - shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1)); - shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2)); diff --git a/gnu/packages/patches/mupdf-CVE-2016-7504.patch b/gnu/packages/patches/mupdf-CVE-2016-7504.patch deleted file mode 100644 index 4bbb4411c0..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-7504.patch +++ /dev/null @@ -1,99 +0,0 @@ -Fix CVE-2016-7504: -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7504 -http://bugs.ghostscript.com/show_bug.cgi?id=697142 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5c337af4b3df80cf967e4f9f6a21522de84b392a - -From 5c337af4b3df80cf967e4f9f6a21522de84b392a Mon Sep 17 00:00:00 2001 -From: Tor Andersson -Date: Wed, 21 Sep 2016 16:01:08 +0200 -Subject: [PATCH] Fix bug 697142: Stale string pointer stored in regexp object. - -Make sure to make a copy of the source pattern string. -A case we missed when adding short and memory strings to the runtime. -The code assumed all strings passed to it were either literal or interned. ---- - jsgc.c | 4 +++- - jsi.h | 1 + - jsregexp.c | 2 +- - jsrun.c | 8 ++++++++ - jsvalue.h | 2 +- - 5 files changed, 14 insertions(+), 3 deletions(-) - -diff --git a/jsgc.c b/jsgc.c -index 9bd6482..4f7e7dc 100644 ---- a/thirdparty/mujs/jsgc.c -+++ b/thirdparty/mujs/jsgc.c -@@ -44,8 +44,10 @@ static void jsG_freeobject(js_State *J, js_Object *obj) - { - if (obj->head) - jsG_freeproperty(J, obj->head); -- if (obj->type == JS_CREGEXP) -+ if (obj->type == JS_CREGEXP) { -+ js_free(J, obj->u.r.source); - js_regfree(obj->u.r.prog); -+ } - if (obj->type == JS_CITERATOR) - jsG_freeiterator(J, obj->u.iter.head); - if (obj->type == JS_CUSERDATA && obj->u.user.finalize) -diff --git a/jsi.h b/jsi.h -index 7d9f7c7..e855045 100644 ---- a/thirdparty/mujs/jsi.h -+++ b/thirdparty/mujs/jsi.h -@@ -79,6 +79,7 @@ typedef unsigned short js_Instruction; - - /* String interning */ - -+char *js_strdup(js_State *J, const char *s); - const char *js_intern(js_State *J, const char *s); - void jsS_dumpstrings(js_State *J); - void jsS_freestrings(js_State *J); -diff --git a/jsregexp.c b/jsregexp.c -index 2a056b7..a2d5156 100644 ---- a/thirdparty/mujs/jsregexp.c -+++ b/thirdparty/mujs/jsregexp.c -@@ -21,7 +21,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags) - js_syntaxerror(J, "regular expression: %s", error); - - obj->u.r.prog = prog; -- obj->u.r.source = pattern; -+ obj->u.r.source = js_strdup(J, pattern); - obj->u.r.flags = flags; - obj->u.r.last = 0; - js_pushobject(J, obj); -diff --git a/jsrun.c b/jsrun.c -index 2648c4c..ee80845 100644 ---- a/thirdparty/mujs/jsrun.c -+++ b/thirdparty/mujs/jsrun.c -@@ -45,6 +45,14 @@ void *js_realloc(js_State *J, void *ptr, int size) - return ptr; - } - -+char *js_strdup(js_State *J, const char *s) -+{ -+ int n = strlen(s) + 1; -+ char *p = js_malloc(J, n); -+ memcpy(p, s, n); -+ return p; -+} -+ - void js_free(js_State *J, void *ptr) - { - J->alloc(J->actx, ptr, 0); -diff --git a/jsvalue.h b/jsvalue.h -index 6cfbd89..8fb5016 100644 ---- a/thirdparty/mujs/jsvalue.h -+++ b/thirdparty/mujs/jsvalue.h -@@ -71,7 +71,7 @@ struct js_String - struct js_Regexp - { - void *prog; -- const char *source; -+ char *source; - unsigned short flags; - unsigned short last; - }; --- -2.10.2 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-7505.patch b/gnu/packages/patches/mupdf-CVE-2016-7505.patch deleted file mode 100644 index 15e4f374d6..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-7505.patch +++ /dev/null @@ -1,32 +0,0 @@ -Fix CVE-2016-7505: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7505 -http://bugs.ghostscript.com/show_bug.cgi?id=697140 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=8c805b4eb19cf2af689c860b77e6111d2ee439d5 - -From 8c805b4eb19cf2af689c860b77e6111d2ee439d5 Mon Sep 17 00:00:00 2001 -From: Tor Andersson -Date: Wed, 21 Sep 2016 15:21:04 +0200 -Subject: [PATCH] Fix bug 697140: Overflow check in ascii division in strtod. - ---- - jsdtoa.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/jsdtoa.c b/jsdtoa.c -index 2e52368..920c1a7 100644 ---- a/thirdparty/mujs/jsdtoa.c -+++ b/thirdparty/mujs/jsdtoa.c -@@ -735,6 +735,7 @@ xx: - n -= c<= Ndig) break; /* abort if overflowing */ - } - *p = 0; - } --- -2.10.2 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-7506.patch b/gnu/packages/patches/mupdf-CVE-2016-7506.patch deleted file mode 100644 index 733249acaa..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-7506.patch +++ /dev/null @@ -1,42 +0,0 @@ -Fix CVE-2016-7506: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7506 -http://bugs.ghostscript.com/show_bug.cgi?id=697141 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5000749f5afe3b956fc916e407309de840997f4a - -From 5000749f5afe3b956fc916e407309de840997f4a Mon Sep 17 00:00:00 2001 -From: Tor Andersson -Date: Wed, 21 Sep 2016 16:02:11 +0200 -Subject: [PATCH] Fix bug 697141: buffer overrun in regexp string substitution. - -A '$' escape at the end of the string would read past the zero terminator -when looking for the escaped character. ---- - jsstring.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/jsstring.c b/jsstring.c -index 66f6a89..0209a8e 100644 ---- a/thirdparty/mujs/jsstring.c -+++ b/thirdparty/mujs/jsstring.c -@@ -421,6 +421,7 @@ loop: - while (*r) { - if (*r == '$') { - switch (*(++r)) { -+ case 0: --r; /* end of string; back up and fall through */ - case '$': js_putc(J, &sb, '$'); break; - case '`': js_putm(J, &sb, source, s); break; - case '\'': js_puts(J, &sb, s + n); break; -@@ -516,6 +517,7 @@ static void Sp_replace_string(js_State *J) - while (*r) { - if (*r == '$') { - switch (*(++r)) { -+ case 0: --r; /* end of string; back up and fall through */ - case '$': js_putc(J, &sb, '$'); break; - case '&': js_putm(J, &sb, s, s + n); break; - case '`': js_putm(J, &sb, source, s); break; --- -2.10.2 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-7563.patch b/gnu/packages/patches/mupdf-CVE-2016-7563.patch deleted file mode 100644 index 288c9ab2df..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-7563.patch +++ /dev/null @@ -1,37 +0,0 @@ -Fix CVE-2016-7563: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7563 -http://bugs.ghostscript.com/show_bug.cgi?id=697136 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=f8234d830e17fc5e8fe09eb76d86dad3f6233c59 - -From f8234d830e17fc5e8fe09eb76d86dad3f6233c59 Mon Sep 17 00:00:00 2001 -From: Tor Andersson -Date: Tue, 20 Sep 2016 17:11:32 +0200 -Subject: [PATCH] Fix bug 697136. - -We were unconditionally reading the next character if we encountered -a '*' in a multi-line comment; possibly reading past the end of -the input. ---- - jslex.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/jslex.c b/jslex.c -index 7b80800..cbd0eeb 100644 ---- a/thirdparty/mujs/jslex.c -+++ b/thirdparty/mujs/jslex.c -@@ -225,7 +225,8 @@ static int lexcomment(js_State *J) - if (jsY_accept(J, '/')) - return 0; - } -- jsY_next(J); -+ else -+ jsY_next(J); - } - return -1; - } --- -2.10.2 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-7564.patch b/gnu/packages/patches/mupdf-CVE-2016-7564.patch deleted file mode 100644 index c2ce33d1df..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-7564.patch +++ /dev/null @@ -1,34 +0,0 @@ -Fix CVE-2016-7564: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7564 -http://bugs.ghostscript.com/show_bug.cgi?id=697137 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a3a4fe840b80706c706e86160352af5936f292d8 - -From a3a4fe840b80706c706e86160352af5936f292d8 Mon Sep 17 00:00:00 2001 -From: Tor Andersson -Date: Tue, 20 Sep 2016 17:19:06 +0200 -Subject: [PATCH] Fix bug 697137: off by one in string length calculation. - -We were not allocating space for the terminating zero byte. ---- - jsfunction.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/jsfunction.c b/jsfunction.c -index 8b5b18e..28f7aa7 100644 ---- a/thirdparty/mujs/jsfunction.c -+++ b/thirdparty/mujs/jsfunction.c -@@ -61,7 +61,7 @@ static void Fp_toString(js_State *J) - n += strlen(F->name); - for (i = 0; i < F->numparams; ++i) - n += strlen(F->vartab[i]) + 1; -- s = js_malloc(J, n); -+ s = js_malloc(J, n + 1); - strcpy(s, "function "); - strcat(s, F->name); - strcat(s, "("); --- -2.10.2 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-8674.patch b/gnu/packages/patches/mupdf-CVE-2016-8674.patch deleted file mode 100644 index 2a35619761..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-8674.patch +++ /dev/null @@ -1,165 +0,0 @@ -Fix CVE-2016-8674 (use-after-free in pdf_to_num()). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8674 -https://security-tracker.debian.org/tracker/CVE-2016-8674 - -Patch adapted from upstream source repository: -http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec - -diff --git a/include/mupdf/pdf/document.h b/include/mupdf/pdf/document.h -index f8ef0cd..e8345b7 100644 ---- a/include/mupdf/pdf/document.h -+++ b/include/mupdf/pdf/document.h -@@ -258,6 +258,10 @@ struct pdf_document_s - fz_font **type3_fonts; - - pdf_resource_tables *resources; -+ -+ int orphans_max; -+ int orphans_count; -+ pdf_obj **orphans; - }; - - /* -diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h -index 346a2f1..02d4119 100644 ---- a/include/mupdf/pdf/object.h -+++ b/include/mupdf/pdf/object.h -@@ -109,6 +109,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict, const char *key); - pdf_obj *pdf_dict_getsa(fz_context *ctx, pdf_obj *dict, const char *key, const char *abbrev); - void pdf_dict_put(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val); - void pdf_dict_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val); -+void pdf_dict_get_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val, pdf_obj **old_val); - void pdf_dict_puts(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val); - void pdf_dict_puts_drop(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val); - void pdf_dict_putp(fz_context *ctx, pdf_obj *dict, const char *path, pdf_obj *val); -diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c -index f2e4551..a0d0d8e 100644 ---- a/source/pdf/pdf-object.c -+++ b/source/pdf/pdf-object.c -@@ -1240,9 +1240,13 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *abbrev) - return pdf_dict_get(ctx, obj, abbrev); - } - --void --pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val) -+static void -+pdf_dict_get_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val) - { -+ -+ if (old_val) -+ *old_val = NULL; -+ - RESOLVE(obj); - if (obj >= PDF_OBJ__LIMIT) - { -@@ -1282,7 +1286,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val) - { - pdf_obj *d = DICT(obj)->items[i].v; - DICT(obj)->items[i].v = pdf_keep_obj(ctx, val); -- pdf_drop_obj(ctx, d); -+ if (old_val) -+ *old_val = d; -+ else -+ pdf_drop_obj(ctx, d); - } - } - else -@@ -1305,10 +1312,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val) - } - - void -+pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val) -+{ -+ pdf_dict_get_put(ctx, obj, key, val, NULL); -+} -+ -+void - pdf_dict_put_drop(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val) - { - fz_try(ctx) -- pdf_dict_put(ctx, obj, key, val); -+ pdf_dict_get_put(ctx, obj, key, val, NULL); -+ fz_always(ctx) -+ pdf_drop_obj(ctx, val); -+ fz_catch(ctx) -+ fz_rethrow(ctx); -+} -+ -+void -+pdf_dict_get_put_drop(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val) -+{ -+ fz_try(ctx) -+ pdf_dict_get_put(ctx, obj, key, val, old_val); - fz_always(ctx) - pdf_drop_obj(ctx, val); - fz_catch(ctx) -diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c -index fdd4648..212c8b7 100644 ---- a/source/pdf/pdf-repair.c -+++ b/source/pdf/pdf-repair.c -@@ -259,6 +259,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc, int num, int gen) - } - } - -+static void -+orphan_object(fz_context *ctx, pdf_document *doc, pdf_obj *obj) -+{ -+ if (doc->orphans_count == doc->orphans_max) -+ { -+ int new_max = (doc->orphans_max ? doc->orphans_max*2 : 32); -+ -+ fz_try(ctx) -+ { -+ doc->orphans = fz_resize_array(ctx, doc->orphans, new_max, sizeof(*doc->orphans)); -+ doc->orphans_max = new_max; -+ } -+ fz_catch(ctx) -+ { -+ pdf_drop_obj(ctx, obj); -+ fz_rethrow(ctx); -+ } -+ } -+ doc->orphans[doc->orphans_count++] = obj; -+} -+ - void - pdf_repair_xref(fz_context *ctx, pdf_document *doc) - { -@@ -520,12 +541,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc) - /* correct stream length for unencrypted documents */ - if (!encrypt && list[i].stm_len >= 0) - { -+ pdf_obj *old_obj = NULL; - dict = pdf_load_object(ctx, doc, list[i].num, list[i].gen); - - length = pdf_new_int(ctx, doc, list[i].stm_len); -- pdf_dict_put(ctx, dict, PDF_NAME_Length, length); -- pdf_drop_obj(ctx, length); -- -+ pdf_dict_get_put_drop(ctx, dict, PDF_NAME_Length, length, &old_obj); -+ if (old_obj) -+ orphan_object(ctx, doc, old_obj); - pdf_drop_obj(ctx, dict); - } - } -diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c -index 3de1cd2..6682741 100644 ---- a/source/pdf/pdf-xref.c -+++ b/source/pdf/pdf-xref.c -@@ -1626,6 +1626,12 @@ pdf_close_document(fz_context *ctx, pdf_document *doc) - - pdf_drop_resource_tables(ctx, doc); - -+ for (i = 0; i < doc->orphans_count; i++) -+ { -+ pdf_drop_obj(ctx, doc->orphans[i]); -+ } -+ fz_free(ctx, doc->orphans); -+ - fz_free(ctx, doc); - } - --- -2.10.1 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-9017.patch b/gnu/packages/patches/mupdf-CVE-2016-9017.patch deleted file mode 100644 index 1e2b7c3258..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-9017.patch +++ /dev/null @@ -1,46 +0,0 @@ -Fix CVE-2016-9017: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9107 -http://bugs.ghostscript.com/show_bug.cgi?id=697171 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 - -From a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 Mon Sep 17 00:00:00 2001 -From: Tor Andersson -Date: Tue, 25 Oct 2016 14:08:27 +0200 -Subject: [PATCH] Fix 697171: missed an operand in the bytecode debugger dump. - ---- - jscompile.h | 2 +- - jsdump.c | 1 + - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/jscompile.h b/jscompile.h -index 802cc9e..3054d13 100644 ---- a/thirdparty/mujs/jscompile.h -+++ b/thirdparty/mujs/jscompile.h -@@ -21,7 +21,7 @@ enum js_OpCode - - OP_NEWARRAY, - OP_NEWOBJECT, -- OP_NEWREGEXP, -+ OP_NEWREGEXP, /* -S,opts- */ - - OP_UNDEF, - OP_NULL, -diff --git a/jsdump.c b/jsdump.c -index 1c51c29..37ad88c 100644 ---- a/thirdparty/mujs/jsdump.c -+++ b/thirdparty/mujs/jsdump.c -@@ -750,6 +750,7 @@ void jsC_dumpfunction(js_State *J, js_Function *F) - case OP_INITVAR: - case OP_DEFVAR: - case OP_GETVAR: -+ case OP_HASVAR: - case OP_SETVAR: - case OP_DELVAR: - case OP_GETPROP_S: --- -2.10.2 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-9136.patch b/gnu/packages/patches/mupdf-CVE-2016-9136.patch deleted file mode 100644 index 1f68839a52..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-9136.patch +++ /dev/null @@ -1,32 +0,0 @@ -Fix CVE-2016-9136: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9136 -http://bugs.ghostscript.com/show_bug.cgi?id=697244 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a0ceaf5050faf419401fe1b83acfa950ec8a8a89 -From a0ceaf5050faf419401fe1b83acfa950ec8a8a89 Mon Sep 17 00:00:00 2001 -From: Tor Andersson -Date: Mon, 31 Oct 2016 13:05:37 +0100 -Subject: [PATCH] Fix 697244: Check for incomplete escape sequence at end of - input. - ---- - jslex.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/jslex.c b/jslex.c -index cbd0eeb..aaafdac 100644 ---- a/thirdparty/mujs/jslex.c -+++ b/thirdparty/mujs/jslex.c -@@ -377,6 +377,7 @@ static int lexescape(js_State *J) - return 0; - - switch (J->lexchar) { -+ case 0: jsY_error(J, "unterminated escape sequence"); - case 'u': - jsY_next(J); - if (!jsY_ishex(J->lexchar)) return 1; else { x |= jsY_tohex(J->lexchar) << 12; jsY_next(J); } --- -2.10.2 - diff --git a/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch b/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch index cd8136b701..d97c1cb348 100644 --- a/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch +++ b/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch @@ -27,12 +27,3 @@ index 6b92e5c..72dea50 100644 #include static void fz_opj_error_callback(const char *msg, void *client_data) -@@ -117,7 +109,7 @@ fz_load_jpx(fz_context *ctx, unsigned char *data, int size, fz_colorspace *defcs - opj_stream_set_read_function(stream, fz_opj_stream_read); - opj_stream_set_skip_function(stream, fz_opj_stream_skip); - opj_stream_set_seek_function(stream, fz_opj_stream_seek); -- opj_stream_set_user_data(stream, &sb); -+ opj_stream_set_user_data(stream, &sb, NULL); - /* Set the length to avoid an assert */ - opj_stream_set_user_data_length(stream, size); - diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index d491642e49..3f329c5426 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -479,7 +479,7 @@ (define-public podofo (define-public mupdf (package (name "mupdf") - (version "1.9a") + (version "1.10a") (source (origin (method url-fetch) @@ -487,18 +487,8 @@ (define-public mupdf name "-" version "-source.tar.gz")) (sha256 (base32 - "1k64pdapyj8a336jw3j61fhn0rp4q6az7d0dqp9r5n3d9rgwa5c0")) - (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch" - "mupdf-CVE-2016-6265.patch" - "mupdf-CVE-2016-6525.patch" - "mupdf-CVE-2016-7504.patch" - "mupdf-CVE-2016-7505.patch" - "mupdf-CVE-2016-7506.patch" - "mupdf-CVE-2016-7563.patch" - "mupdf-CVE-2016-7564.patch" - "mupdf-CVE-2016-8674.patch" - "mupdf-CVE-2016-9017.patch" - "mupdf-CVE-2016-9136.patch")) + "0dm8wcs8i29aibzkqkrn8kcnk4q0kd1v66pg48h5c3qqp4v1zk5a")) + (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch")) (modules '((guix build utils))) (snippet ;; Delete all the bundled libraries except for mujs, which is -- cgit v1.2.3