mupdf: Backport patches to address CVE-2019-13290

Bump PKGREVISION

3 files changed, 52 insertions, 2 deletions

diff --git a/print/mupdf/Makefile b/print/mupdf/Makefile
index 0e2c63141ee..da23b804fb9 100644
--- a/print/mupdf/Makefile
+++ b/print/mupdf/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.68 2019/05/13 11:03:58 leot Exp $
+# $NetBSD: Makefile,v 1.69 2019/07/06 11:27:48 leot Exp $
 
 DISTNAME=	mupdf-1.15.0-source
 PKGNAME=	${DISTNAME:S/-source//}
+PKGREVISION=	1
 CATEGORIES=	print
 MASTER_SITES=	https://mupdf.com/downloads/archive/
 
diff --git a/print/mupdf/distinfo b/print/mupdf/distinfo
index 0eed8b9eed9..c0464840181 100644
--- a/print/mupdf/distinfo
+++ b/print/mupdf/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.45 2019/05/17 05:45:10 wiz Exp $
+$NetBSD: distinfo,v 1.46 2019/07/06 11:27:48 leot Exp $
 
 SHA1 (mupdf-1.15.0-source.tar.gz) = 4354a1c7245d4351ba604a4deed4a4ecf3e27492
 RMD160 (mupdf-1.15.0-source.tar.gz) = 892247f12a9e85d384c6cbc6c5a394d36e783158
@@ -10,5 +10,6 @@ SHA1 (patch-ac) = 94294d03a0ad31e2e4063fca05e02bc6e2713bec
 SHA1 (patch-ae) = c6b113818b32cb4470e8549c00a16e0b2f364ede
 SHA1 (patch-platform_gl_gl-app.h) = f8682b54821a560b2ba1082bcf215eeefb549644
 SHA1 (patch-platform_gl_gl-main.c) = edff1aa77c4d6af59b2eca442340606a0bae9970
+SHA1 (patch-source_fitz_list-device.c) = ea8ca9df49c16a91546ab05e8f3e57b1308c2278
 SHA1 (patch-source_fitz_load-jpx.c) = 161d21bca13bb57db37807aec844c85dc5b34157
 SHA1 (patch-thirdparty_mujs_Makefile) = 833e44f4e23d2a6ff61e6276feede4892feeb9bb
diff --git a/print/mupdf/patches/patch-source_fitz_list-device.c b/print/mupdf/patches/patch-source_fitz_list-device.c
new file mode 100644
index 00000000000..5992646c8ea
--- /dev/null
+++ b/print/mupdf/patches/patch-source_fitz_list-device.c
@@ -0,0 +1,48 @@
+$NetBSD: patch-source_fitz_list-device.c,v 1.1 2019/07/06 11:27:48 leot Exp $
+
+Backport commits ed19bc806809ad10c4ddce515d375581b86ede85 and
+aaf794439e40a2ef544f15b50c20e657414dec7a to address CVE-2019-13290.
+
+Commit ed19bc806809ad10c4ddce515d375581b86ede85:
+> Bug 701118: Handle appending large display list nodes.
+> 
+> The size of the begin layer node depends on the size of the layer
+> name. That name may be a string from the page's property resources,
+> and is only bounded by memory when parsed by lex_string(). So the
+> append_list_node() logic cannot simply double the size of the
+> display list and hope that the node fits, since the node may be
+> of arbitrary size.
+> 
+> Now append_list_node() would repeatedly double the size of the
+> display list until the node fits, or malloc() runs out of memory.
+
+Commit aaf794439e40a2ef544f15b50c20e657414dec7a:
+> Bug 701118: Limit size of begin layer nodes in display list.
+> 
+> The size of the begin layer node depends on the size of the layer
+> name. That name may be a string from the page's property resources,
+> and is only bounded by memory when parsed by lex_string(). The
+> layer name may cause a display node to be larger than the maximum
+> size allowed. This condition is now checked for.
+
+--- source/fitz/list-device.c.orig
++++ source/fitz/list-device.c
+@@ -462,6 +462,9 @@ fz_append_display_node(
+ 	}
+ 	if (private_data != NULL)
+ 	{
++		int max = SIZE_IN_NODES(MAX_NODE_SIZE) - size;
++		if (SIZE_IN_NODES(private_data_len) > max)
++			fz_throw(ctx, FZ_ERROR_GENERIC, "Private data too large to pack into display list node");
+ 		private_off = size;
+ 		size += SIZE_IN_NODES(private_data_len);
+ 	}
+@@ -466,7 +466,7 @@ fz_append_display_node(
+ 		size += SIZE_IN_NODES(private_data_len);
+ 	}
+ 
+-	if (list->len + size > list->max)
++	while (list->len + size > list->max)
+ 	{
+ 		int newsize = list->max * 2;
+ 		fz_display_node *old = list->list;