From 327bb4ca7708e6ed2ee6b126d40fd78b68d2bb77 Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 6 Aug 2024 15:17:52 +0800
Subject: [PATCH] Bugfix for CVE-2023-51103 & CVE-2023-51104 & CVE-2023-51105
---
 Bugfix-for-CVE-2023-51103.patch | 86 +++++++++++++++++++++++++++++++++
 Bugfix-for-CVE-2023-51104.patch | 45 +++++++++++++++++
 Bugfix-for-CVE-2023-51105.patch | 26 ++++++++++
 mupdf.spec | 19 +++++++-
 4 files changed, 175 insertions(+), 1 deletion(-)
 create mode 100644 Bugfix-for-CVE-2023-51103.patch
 create mode 100644 Bugfix-for-CVE-2023-51104.patch
 create mode 100644 Bugfix-for-CVE-2023-51105.patch
diff --git a/Bugfix-for-CVE-2023-51103.patch b/Bugfix-for-CVE-2023-51103.patch
new file mode 100644
index 0000000..4d5c92b
--- /dev/null
+++ b/Bugfix-for-CVE-2023-51103.patch
@@ -0,0 +1,86 @@
+From 9393b0bae84dc422d33faeded16a0d4135ab7a5e Mon Sep 17 00:00:00 2001
+From: root
+Date: Tue, 6 Aug 2024 11:03:32 +0800
+Subject: [PATCH] Bugfix-for-CVE-2023-51103
+
+---
+ source/fitz/pixmap.c | 23 ++++++++++++++---------
+ 1 files changed, 14 insertions(+), 9 deletions(-)
+ create mode 100644 0001-CVE-2023-51105.patch
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index db5838e..21af0d0 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -1253,10 +1253,11 @@ calc_percentile(int *hist, float thr, float scale, float minval, float maxval)
+ }
+ 
+ static void
+-calc_percentiles(fz_context *ctx, int nsamples, float *samples, float *minprct, float *maxprct)
++calc_percentiles(fz_context *ctx, size_t nsamples, float *samples, float *minprct, float *maxprct)
+ {
+ float minval, maxval, scale;
+- int *hist, size, k;
++ size_t size, k;
++ int *hist;
+ 
+ minval = maxval = samples[0];
+ for (k = 1; k < nsamples; k++)
+@@ -1271,7 +1272,7 @@ calc_percentiles(fz_context *ctx, size_t nsamples, float *samples, float *minprct,
+ return;
+ }
+ 
+- size = fz_mini(65535, nsamples);
++ size = fz_minz(65535, nsamples);
+ scale = (size - 1) / (maxval - minval);
+ 
+ hist = fz_calloc(ctx, size, sizeof(int));
+@@ -1301,18 +1302,24 @@ fz_new_pixmap_from_float_data(fz_context *ctx, fz_colorspace *cs, int w, int h,
+ float minsample, maxsample, mu;
+ float k1, d0, sigma, sigmasq2;
+ float minprct, maxprct, range;
+- int y, k, n = fz_colorspace_n(ctx, cs);
+- int nsamples = w * h * n;
++ int y;
++ size_t k, nsamples;
+ #define KIMKAUTZC1 (3.0f)
+ #define KIMKAUTZC2 (0.5f)
+ #define MAXLD (logf(300.0f))
+ #define MINLD (logf(0.3f))
+ 
+- fz_var(pixmap);
+ fz_var(lsamples);
+ 
++ pixmap = fz_new_pixmap(ctx, cs, w, h, NULL, 0);
++
+ fz_try(ctx)
+ {
++ nsamples = (size_t) w * h;
++ if ((size_t) pixmap->n > SIZE_MAX / nsamples)
++ fz_throw(ctx, FZ_ERROR_COUNT, "too many floating point samples to convert to pixmap");
++ nsamples *= pixmap->n;
++
+ lsamples = fz_malloc(ctx, nsamples * sizeof(float));
+ 
+ mu = 0;
+@@ -1345,8 +1352,6 @@ fz_new_pixmap_from_float_data(fz_context *ctx, fz_colorspace *cs, int w, int h,
+ calc_percentiles(ctx, nsamples, samples, &minprct, &maxprct);
+ range = maxprct - minprct;
+ 
+- pixmap = fz_new_pixmap(ctx, cs, w, h, NULL, 0);
+-
+ dp = pixmap->samples + pixmap->stride * (h - 1);
+ sample = samples;
+ 
+@@ -1354,7 +1359,7 @@ fz_new_pixmap_from_float_data(fz_context *ctx, fz_colorspace *cs, int w, int h,
+ {
+ unsigned char *dpp = dp;
+ 
+- for (k = 0; k < w * n; k++)
++ for (k = 0; k < (size_t) w * pixmap->n; k++)
+ *dpp++ = 255.0f * (fz_clamp(*sample++, minprct, maxprct) - minprct) / range;
+ 
+ dp -= pixmap->stride;
+-- 
+2.27.0
+
diff --git a/Bugfix-for-CVE-2023-51104.patch b/Bugfix-for-CVE-2023-51104.patch
new file mode 100644
index 0000000..ce49c15
--- /dev/null
+++ b/Bugfix-for-CVE-2023-51104.patch
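Review bot: The new guard `if ((size_t) pixmap->n > SIZE_MAX / nsamples)` divides by `nsamples`, which is zero whenever `w` or `h` is zero, so an empty pixmap turns the overflow check itself into undefined behaviour unless fz_new_pixmap (called just above, body not visible) already rejects zero dimensions. The bound is also one step short: `nsamples` then feeds `fz_malloc(ctx, nsamples * sizeof(float))`, which can still wrap for counts above SIZE_MAX / sizeof(float); `if (nsamples == 0 || (size_t) pixmap->n > (SIZE_MAX / sizeof(float)) / nsamples)` covers both cases with the same throw. The sibling load-pnm.c patch reports the same kind of limit violation as FZ_ERROR_GENERIC, whereas this one uses FZ_ERROR_COUNT, which in this mupdf line looks like the sentinel that closes the error enum rather than an error class — confirm against the tree's context.h before keeping it. Because `pixmap` is now created before `fz_try`, the fz_catch branch of fz_new_pixmap_from_float_data (outside the hunk, as are the function's start and end) must still drop it when the new throw fires; the stale `create mode 100644 0001-CVE-2023-51105.patch` line in the embedded diffstat is ignored by git am but is misleading and worth removing.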
@@ -0,0 +1,45 @@
+From c0093ce8bf279afaeaa225ee76207d3f8a6d0a55 Mon Sep 17 00:00:00 2001
+From: root
+Date: Tue, 6 Aug 2024 11:06:42 +0800
+Subject: [PATCH] Bugfix-for-CVE-2023-51104
+
+---
+ source/fitz/load-pnm.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/source/fitz/load-pnm.c b/source/fitz/load-pnm.c
+index 53ae54f..6a951e1 100644
+--- a/source/fitz/load-pnm.c
++++ b/source/fitz/load-pnm.c
+@@ -477,6 +477,10 @@ pnm_binary_read_image(fz_context *ctx, struct info *pnm, const unsigned char *p,
+ {
+ fz_pixmap *img = NULL;
+ size_t span;
++ int n;
++
++ n = fz_colorspace_n(ctx, pnm->cs);
++ assert(n >= 1 && n <= 3);
+ 
+ pnm->width = 0;
+ p = pnm_read_comments(ctx, p, e, 1);
+@@ -516,14 +520,14 @@ pnm_binary_read_image(fz_context *ctx, struct info *pnm, const unsigned char *p,
+ if (pnm->bitdepth == 1)
+ {
+ /* Overly sensitive test, but we can live with it. */
+- if ((size_t)pnm->width > SIZE_MAX / (unsigned int)fz_colorspace_n(ctx, pnm->cs))
++ if ((size_t)pnm->width > SIZE_MAX / (unsigned int)n)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image row too large");
+- span = ((size_t)fz_colorspace_n(ctx, pnm->cs) * pnm->width + 7)/8;
++ span = ((size_t)n * pnm->width + 7)/8;
+ }
+ else
+ {
+ size_t bytes_per_sample = (pnm->bitdepth-1)/8 + 1;
+- span = (size_t)fz_colorspace_n(ctx, pnm->cs) * bytes_per_sample;
++ span = (size_t)n * bytes_per_sample;
+ if ((size_t)pnm->width > SIZE_MAX / span)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image row too large");
+ span = (size_t)pnm->width * span;
+-- 
+2.27.0
+
diff --git a/Bugfix-for-CVE-2023-51105.patch b/Bugfix-for-CVE-2023-51105.patch
new file mode 100644
index 0000000..d3c633e
--- /dev/null
+++ b/Bugfix-for-CVE-2023-51105.patch
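Review bot: `assert(n >= 1 && n <= 3)` is not input validation: it is compiled out under NDEBUG and aborts the whole process on a debug build, so a malformed file reaches the row-size arithmetic below either way. If component counts outside 1..3 cannot reach pnm_binary_read_image because the colourspace is fixed by the header parser (not visible here; the function starts and ends outside the hunk), say so in a comment such as `/* cs is chosen from the magic number, so n is 1 or 3 here */`; if they can, replace the assert with `if (n < 1 || n > 3) fz_throw(ctx, FZ_ERROR_GENERIC, "unsupported number of components in pnm image");` in the style of the throws in the second hunk. The same applies to the two SHRT_MAX asserts added to bmp_read_bitmap in Bugfix-for-CVE-2023-51105.patch, which additionally depend on <limits.h> and <assert.h> being included in load-bmp.c, something neither hunk shows. Caching `n` so the overflow guard and the `span` computation use one value is the right part of this change.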
@@ -0,0 +1,26 @@
+From 1cd2015f9f1fd6b575e262da23b6ed30884bd597 Mon Sep 17 00:00:00 2001
+From: root
+Date: Tue, 6 Aug 2024 11:08:04 +0800
+Subject: [PATCH] Bugfix-for-CVE-2023-51105
+
+---
+ source/fitz/load-bmp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source/fitz/load-bmp.c b/source/fitz/load-bmp.c
+index 5b6a79b..f8daa50 100644
+--- a/source/fitz/load-bmp.c
++++ b/source/fitz/load-bmp.c
+@@ -580,6 +580,9 @@ bmp_read_bitmap(fz_context *ctx, struct info *info, const unsigned char *begin,
+ uint32_t x;
+ int32_t y;
+ 
++ assert(info->width > 0 && info->width <= SHRT_MAX);
++ assert(info->height > 0 && info->height <= SHRT_MAX);
++
+ if (info->compression == BI_NONE)
+ ssp = p;
+ else if (info->compression == BI_RLE4)
+-- 
+2.27.0
+
diff --git a/mupdf.spec b/mupdf.spec
index a04bcff..1a692a1 100644
--- a/mupdf.spec
+++ b/mupdf.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 # Desired jbig2dec header files and library version
 # Apparantly, jbig2dec complains even about newer versions.
@@ -16,6 +16,18 @@ Source0: http://mupdf.com/downloads/archive/%{name}-%{upversion}-source.t
 Source1: %{name}.desktop
 Source2: %{name}-gl.desktop
+# CVE-2023-51103
+# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=f1b5f87edd2675d5c79301e4ef2e1139f67f904b
+Patch1: Bugfix-for-CVE-2023-51103.patch
+
+# CVE-2023-51104
+# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0c06a4e51519515615f6ab2d5b1f25da6771e1f4
+Patch2: Bugfix-for-CVE-2023-51104.patch
+
+# CVE-2023-51105
+# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=cee86dc519d5270a3b96476ad15809ceace64a26
+Patch3: Bugfix-for-CVE-2023-51105.patch
+
 BuildRequires: gcc gcc-c++ make binutils desktop-file-utils coreutils pkgconfig
 BuildRequires: openjpeg2-devel desktop-file-utils
 BuildRequires: libjpeg-devel freetype-devel libXext-devel curl-devel
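Review bot: Patch1, Patch2 and Patch3 are declared in this hunk but nothing here applies them; unless %prep (outside the hunk) uses `%autosetup -p1` or `%autopatch`, the three patch files are never applied and the package would ship with the fixes mentioned only in the changelog, so add explicit `%patch1 -p1` lines or switch %prep accordingly and confirm the patch messages appear in the build log. The embedded patch files carry `From: root` and no reference to the upstream commits that the comments above link; adding a `(cherry picked from commit <upstream id>)` trailer or the upstream Subject to each patch keeps the provenance with the patch file when it is later rebased. The changelog entry in the next hunk also credits the change to a different author than the patch headers, which is worth reconciling.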
@@ -131,6 +143,11 @@ cd %{buildroot}/%{_bindir} && ln -s %{name}-x11 %{name}
 %doc README CHANGES docs/*
 %changelog
+* Tue Aug 06 2024 lidongyue - 1.23.2-2
+- Fix CVE-2023-51103
+- Fix CVE-2023-51104
+- Fix CVE-2023-51105
+
 * Fri Sep 01 2023 Funda Wang - 1.23.2-1
 - New version 1.23.2
-- Gitee