scripts/jpeg/jconfig.h | 45 0 + 45 - 0 !
1 file changed, 45 deletions(-)

 fix_libjpeg_header_mismatch

commit 674a7b563e3010d26faef86d674b246d42c8edf0

docs/man/mupdf.1 | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 mupdf_manpage

Makerules | 4 2 + 2 - 0 !
source/fitz/load-jpx.c | 10 1 + 9 - 0 !
2 files changed, 3 insertions(+), 11 deletions(-)

 fix build with libopenjp2

Makerules | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 fix build with system gl and glfw

platform/x11/x11_main.c | 10 2 + 8 - 0 !
1 file changed, 2 insertions(+), 8 deletions(-)

 don't communicate via tty

Closes: #830143

source/pdf/pdf-xref.c | 10 8 + 2 - 0 !
1 file changed, 8 insertions(+), 2 deletions(-)

 bug 696941: fix use after free.

The file is HORRIBLY corrupt, and triggers Sophos to think it's
PDF malware (which it isn't). It does however trigger a use
after free, worked around here.

source/pdf/pdf-shade.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 make sure that number of colors in mesh params is valid.

Fixes bug 696954.

include/mupdf/pdf/document.h | 4 4 + 0 - 0 !
include/mupdf/pdf/object.h | 1 1 + 0 - 0 !
source/pdf/pdf-object.c | 31 27 + 4 - 0 !
source/pdf/pdf-repair.c | 27 25 + 2 - 0 !
source/pdf/pdf-xref.c | 6 6 + 0 - 0 !
5 files changed, 63 insertions(+), 6 deletions(-)

 bug 697015: avoid object references vanishing during repair.

A PDF repair can be triggered 'just in time', when we encounter
a problem in the file. The idea is that this can happen without
the enclosing code being aware of it.

Thus the enclosing code may be holding 'borrowed' references
(such as those returned by pdf_dict_get()) at the time when the
repair is triggered. We are therefore at pains to ensure that
the repair does not replace any objects that exist already, so
that the calling code will not have these references unexpectedly
invalidated.

The sole exception to this is when we replace the 'Length' fields
in stream dictionaries with the actual lengths. Bug 697015 shows
exactly this situation causing a reference to become invalid.

The solution implemented here is to add an 'orphan list' to the
document, where we put these (hopefully few, small) objects. These
orphans are kept around until the document is closed.

source/fitz/pixmap.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 bug 697515: fix out of bounds read in fz_subsample_pixmap

Pointer arithmetic for final special case was going wrong.

source/pdf/pdf-op-run.c | 26 18 + 8 - 0 !
1 file changed, 18 insertions(+), 8 deletions(-)

 bug 697500: fix null ptr access.

Cope better with errors during rendering - avoid letting the
gstate stack get out of sync.

This avoids us ever getting into the situation of popping
a clip when we should be popping a mask or a group. This was
causing an unexpected case in the painting.

source/xps/xps-link.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 verify that an xps font could be loaded.

source/fitz/unzip.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 check whether size fields in a zip entry are negative numbers.

source/html/css-apply.c | 2 1 + 1 - 0 !
source/xps/xps-common.c | 6 3 + 3 - 0 !
source/xps/xps-glyphs.c | 2 1 + 1 - 0 !
source/xps/xps-path.c | 4 2 + 2 - 0 !
source/xps/xps-resource.c | 2 1 + 1 - 0 !
5 files changed, 8 insertions(+), 8 deletions(-)

 fix of mishandling of xml tag name comparisons.

source/pdf/pdf-xref.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 an integer overflow was discovered in pdf_read_new_xref_section

source/pdf/pdf-appearance.c | 9 2 + 7 - 0 !
1 file changed, 2 insertions(+), 7 deletions(-)

 [patch] bug 698825: do not drop borrowed colorspaces.

Previously the borrowed colorspace was dropped when updating annotation
appearances, leading to use after free warnings from valgrind/ASAN.

source/pdf/pdf-xref.c | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

---

source/pdf/pdf-write.c | 62 47 + 15 - 0 !
1 file changed, 47 insertions(+), 15 deletions(-)

 cve-2017-17866

X-Git-Url: https://git.ghostscript.com/?p=mupdf.git;a=patch;h=520cc26d18c9ee245b56e9e91f9d4fcae02be5f0

source/pdf/pdf-interpret.c | 2 0 + 2 - 0 !
source/pdf/pdf-op-run.c | 114 72 + 42 - 0 !
source/pdf/pdf-xobject.c | 3 3 + 0 - 0 !
3 files changed, 75 insertions(+), 44 deletions(-)

 cve-2018-1000037

X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=patch;h=8a3257b01faa899dd9b5e35c6bb3403cd709c371;hp=de39f005f12a1afc6973c1f5cec362d6545f70cb
X-Git-Url: https://git.ghostscript.com/?p=mupdf.git;a=patch;h=b2e7d38e845c7d4922d05e6e41f3a2dc1bc1b14a;hp=f51836b9732c38d945b87fda0770009a77ba680c

source/fitz/colorspace.c | 19 10 + 9 - 0 !
1 file changed, 10 insertions(+), 9 deletions(-)

 cve-2018-1000040

X-Git-Url: https://git.ghostscript.com/?p=mupdf.git;a=patch;h=83d4dae44c71816c084a635550acc1a51529b881;hp=f597300439e62f5e921f0d7b1e880b5c1a1f1607

include/mupdf/fitz/stream.h | 29 22 + 7 - 0 !
1 file changed, 22 insertions(+), 7 deletions(-)

 cve-2018-5686

source/pdf/pdf-write.c | 15 10 + 5 - 0 !
1 file changed, 10 insertions(+), 5 deletions(-)

 cve-2018-6187

X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=patch;h=3e30fbb7bf5efd88df431e366492356e7eb969ec

source/pdf/pdf-lex.c | 28 22 + 6 - 0 !
source/pdf/pdf-parse.c | 6 5 + 1 - 0 !
2 files changed, 27 insertions(+), 7 deletions(-)

 cve-2018-6187

X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=patch;h=fa9cd085533f68367c299e058ab3fbb7ad8a2dc6

include/mupdf/pdf/object.h | 2 2 + 0 - 0 !
source/pdf/pdf-parse.c | 2 2 + 0 - 0 !
source/pdf/pdf-xref.c | 4 2 + 2 - 0 !
3 files changed, 6 insertions(+), 2 deletions(-)

 cve-2018-6192

X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=patch;h=5e411a99604ff6be5db9e273ee84737204113299