rpms / mupdf

Clone
Source Code
GIT

Files

el6 epel7 epel8 epel8-playground epel9 epel9-next f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 main rawhide
  1.   epel9-next
  2.   mupdf-1.21.1-fix-png_write_band.patch
Blob Blame History Raw 
From: Mamoru TASAKA <mtasaka@fedoraproject.org>
Date: Sun, 18 Dec 2022 00:22:04 +0000 (+0900)
Subject: Bug 706227: png_write_band: initialize stream before calling deflateBound
X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff_plain;h=a76b4ed0d3a2c7e52bba2d6c10b44d11d5ade2fe

Bug 706227: png_write_band: initialize stream before calling deflateBound

zlib deflateBound manual says when calling this function,
stream should have been initialized via a call to deflateInit_()
or deflateInit2_(), so change so.

Note that without this fix, "mutool draw -F png" segfaults on s390x,
perhaps on big endian, uninitialized bytes of a value (which is
not wholly initialized) is read, on the other hand, on little endian
initialized bytes of the value is read, so it happens not to cause
segfault.

Fixes https://bugs.ghostscript.com/show_bug.cgi?id=706227
---

diff --git a/source/fitz/output-png.c b/source/fitz/output-png.c
index 17279f913..979c75eeb 100644
--- a/source/fitz/output-png.c
+++ b/source/fitz/output-png.c
@@ -236,6 +236,12 @@ png_write_band(fz_context *ctx, fz_band_writer *writer_, int stride, int band_st
 		if (usize > SIZE_MAX / band_height)
 			fz_throw(ctx, FZ_ERROR_GENERIC, "png data too large.");
 		usize *= band_height;
+		writer->stream.opaque = ctx;
+		writer->stream.zalloc = fz_zlib_alloc;
+		writer->stream.zfree = fz_zlib_free;
+		err = deflateInit(&writer->stream, Z_DEFAULT_COMPRESSION);
+		if (err != Z_OK)
+			fz_throw(ctx, FZ_ERROR_GENERIC, "compression error %d", err);
 		writer->usize = usize;
 		/* Now figure out how large a buffer we need to compress into.
 		 * deflateBound always expands a bit, and it's limited by being
@@ -245,12 +251,6 @@ png_write_band(fz_context *ctx, fz_band_writer *writer_, int stride, int band_st
 			writer->csize = UINT32_MAX;
 		writer->udata = Memento_label(fz_malloc(ctx, writer->usize), "png_write_udata");
 		writer->cdata = Memento_label(fz_malloc(ctx, writer->csize), "png_write_cdata");
-		writer->stream.opaque = ctx;
-		writer->stream.zalloc = fz_zlib_alloc;
-		writer->stream.zfree = fz_zlib_free;
-		err = deflateInit(&writer->stream, Z_DEFAULT_COMPRESSION);
-		if (err != Z_OK)
-			fz_throw(ctx, FZ_ERROR_GENERIC, "compression error %d", err);
 	}
 
 	dp = writer->udata;
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.