From af8c7e10147acd105fe33f60baab2d1d21f38f7b Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Thu, 12 Jan 2017 19:06:55 +0100
Subject: gnu: mupdf: Fix CVE-2016-{10132,10133} in bundled mujs.

* gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch,
gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/pdf.scm (mupdf)[replacement]: New field.
(mupdf/fixed): New variable.

Co-authored-by: Leo Famulari <leo@famulari.name>
---
 .../patches/mupdf-mujs-CVE-2016-10133.patch        | 36 ++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch

(limited to 'gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch')

diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch
new file mode 100644
index 0000000000..d73849262c
--- /dev/null
+++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch
@@ -0,0 +1,36 @@
+Fix CVE-2016-10133:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697401
+http://seclists.org/oss-sec/2017/q1/74
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10133
+
+Patch lifted from upstream source repository:
+
+https://git.ghostscript.com/?p=mujs.git;h=77ab465f1c394bb77f00966cd950650f3f53cb24
+
+From 77ab465f1c394bb77f00966cd950650f3f53cb24 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@gmail.com>
+Date: Thu, 12 Jan 2017 14:47:01 +0100
+Subject: [PATCH] Fix 697401: Error when dropping extra arguments to
+ lightweight functions.
+
+---
+ thirdparty/mujs/jsrun.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/thirdparty/mujs/jsrun.c b/thirdparty/mujs/jsrun.c
+index ee80845..782a6f9 100644
+--- a/thirdparty/mujs/jsrun.c
++++ b/thirdparty/mujs/jsrun.c
+@@ -937,7 +937,7 @@ static void jsR_calllwfunction(js_State *J, int n, js_Function *F, js_Environmen
+ 	jsR_savescope(J, scope);
+ 
+ 	if (n > F->numparams) {
+-		js_pop(J, F->numparams - n);
++		js_pop(J, n - F->numparams);
+ 		n = F->numparams;
+ 	}
+ 	for (i = n; i < F->varlen; ++i)
+-- 
+2.9.1
+
-- 
cgit v1.2.3