[Buildroot] [PATCH] package/mupdf: add patch for CVE-2026-25556

[Buildroot] [PATCH] package/mupdf: add patch for CVE-2026-25556

[Thomas Perale via buildroot]

Fixes the following vulnerability:

- CVE-2026-25556:
    MuPDF versions 1.23.0 through 1.27.0 contain a double-free
    vulnerability in fz_fill_pixmap_from_display_list() when an exception
    occurs during display list rendering. The function accepts a caller-
    owned fz_pixmap pointer but incorrectly drops the pixmap in its error
    handling path before rethrowing the exception. Callers (including the
    barcode decoding path in fz_decode_barcode_from_display_list) also
    drop the same pixmap in cleanup, resulting in a double-free that can
    corrupt the heap and crash the process. This issue affects
    applications that enable and use MuPDF barcode decoding and can be
    triggered by processing crafted input that causes a rendering-time
    error while decoding barcodes.

For more information, see
  - https://www.cve.org/CVERecord?id=CVE-2026-25556
  - https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 ...-incorrect-error-case-free-of-pixmap.patch | 53 +++++++++++++++++++
 package/mupdf/mupdf.mk                        |  3 ++
 2 files changed, 56 insertions(+)
 create mode 100644 package/mupdf/0001-Fix-incorrect-error-case-free-of-pixmap.patch

diff --git a/package/mupdf/0001-Fix-incorrect-error-case-free-of-pixmap.patch b/package/mupdf/0001-Fix-incorrect-error-case-free-of-pixmap.patch
new file mode 100644
index 0000000000..f78c429cef
--- /dev/null
+++ b/package/mupdf/0001-Fix-incorrect-error-case-free-of-pixmap.patch
@@ -0,0 +1,53 @@
+From d4743b6092d513321c23c6f7fe5cff87cde043c1 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Mon, 12 Jan 2026 19:08:56 +0000
+Subject: Bug 709029: Fix incorrect error-case free of pixmap.
+
+Don't free a pixmap we don't own!
+
+CVE: CVE-2026-25556
+Upstream: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ source/fitz/util.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/source/fitz/util.c b/source/fitz/util.c
+index 7710124cc..90226a5c1 100644
+--- a/source/fitz/util.c
++++ b/source/fitz/util.c
+@@ -119,7 +119,15 @@ fz_new_pixmap_from_display_list_with_separations(fz_context *ctx, fz_display_lis
+ 	else
+ 		fz_clear_pixmap_with_value(ctx, pix, 0xFF);
+
+-	return fz_fill_pixmap_from_display_list(ctx, list, ctm, pix);
++	fz_try(ctx)
++		fz_fill_pixmap_from_display_list(ctx, list, ctm, pix);
++	fz_catch(ctx)
++	{
++		fz_drop_pixmap(ctx, pix);
++		fz_rethrow(ctx);
++	}
++
++	return pix;
+ }
+
+ fz_pixmap *
+@@ -136,14 +144,9 @@ fz_fill_pixmap_from_display_list(fz_context *ctx, fz_display_list *list, fz_matr
+ 		fz_close_device(ctx, dev);
+ 	}
+ 	fz_always(ctx)
+-	{
+ 		fz_drop_device(ctx, dev);
+-	}
+ 	fz_catch(ctx)
+-	{
+-		fz_drop_pixmap(ctx, pix);
+ 		fz_rethrow(ctx);
+-	}
+
+ 	return pix;
+ }
+--
+cgit v1.2.3
+
diff --git a/package/mupdf/mupdf.mk b/package/mupdf/mupdf.mk
index fe4f3e6756..c538b9bec8 100644
--- a/package/mupdf/mupdf.mk
+++ b/package/mupdf/mupdf.mk
@@ -27,6 +27,9 @@ MUPDF_IGNORE_CVES = \
 	CVE-2024-24258 \
 	CVE-2024-24259
 
+# 0001-Fix-incorrect-error-case-free-of-pixmap.patch
+MUPDF_IGNORE_CVES += CVE-2026-25556
+
 # mupdf doesn't use CFLAGS and LIBS but XCFLAGS and XLIBS instead.
 # with USE_SYSTEM_LIBS it will try to use system libraries instead of the bundled ones.
 MUPDF_MAKE_ENV = $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/mupdf: add patch for CVE-2026-25556

[Julien Olivain via buildroot]

On 28/02/2026 21:15, Thomas Perale via buildroot wrote:
> Fixes the following vulnerability:
> 
> - CVE-2026-25556:
>     MuPDF versions 1.23.0 through 1.27.0 contain a double-free
>     vulnerability in fz_fill_pixmap_from_display_list() when an 
> exception
>     occurs during display list rendering. The function accepts a 
> caller-
>     owned fz_pixmap pointer but incorrectly drops the pixmap in its 
> error
>     handling path before rethrowing the exception. Callers (including 
> the
>     barcode decoding path in fz_decode_barcode_from_display_list) also
>     drop the same pixmap in cleanup, resulting in a double-free that 
> can
>     corrupt the heap and crash the process. This issue affects
>     applications that enable and use MuPDF barcode decoding and can be
>     triggered by processing crafted input that causes a rendering-time
>     error while decoding barcodes.
> 
> For more information, see
>   - https://www.cve.org/CVERecord?id=CVE-2026-25556
>   - 
> https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Applied to master, thanks.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/mupdf: add patch for CVE-2026-25556

[Thomas Perale via buildroot]

In reply of:
> Fixes the following vulnerability:
> 
> - CVE-2026-25556:
>     MuPDF versions 1.23.0 through 1.27.0 contain a double-free
>     vulnerability in fz_fill_pixmap_from_display_list() when an exception
>     occurs during display list rendering. The function accepts a caller-
>     owned fz_pixmap pointer but incorrectly drops the pixmap in its error
>     handling path before rethrowing the exception. Callers (including the
>     barcode decoding path in fz_decode_barcode_from_display_list) also
>     drop the same pixmap in cleanup, resulting in a double-free that can
>     corrupt the heap and crash the process. This issue affects
>     applications that enable and use MuPDF barcode decoding and can be
>     triggered by processing crafted input that causes a rendering-time
>     error while decoding barcodes.
> 
> For more information, see
>   - https://www.cve.org/CVERecord?id=CVE-2026-25556
>   - https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Applied to 2025.02.x & 2025.11.x. Thanks

> ---
>  ...-incorrect-error-case-free-of-pixmap.patch | 53 +++++++++++++++++++
>  package/mupdf/mupdf.mk                        |  3 ++
>  2 files changed, 56 insertions(+)
>  create mode 100644 package/mupdf/0001-Fix-incorrect-error-case-free-of-pixmap.patch
> 
> diff --git a/package/mupdf/0001-Fix-incorrect-error-case-free-of-pixmap.patch b/package/mupdf/0001-Fix-incorrect-error-case-free-of-pixmap.patch
> new file mode 100644
> index 0000000000..f78c429cef
> --- /dev/null
> +++ b/package/mupdf/0001-Fix-incorrect-error-case-free-of-pixmap.patch
> @@ -0,0 +1,53 @@
> +From d4743b6092d513321c23c6f7fe5cff87cde043c1 Mon Sep 17 00:00:00 2001
> +From: Robin Watts <Robin.Watts@artifex.com>
> +Date: Mon, 12 Jan 2026 19:08:56 +0000
> +Subject: Bug 709029: Fix incorrect error-case free of pixmap.
> +
> +Don't free a pixmap we don't own!
> +
> +CVE: CVE-2026-25556
> +Upstream: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1
> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> +---
> + source/fitz/util.c | 15 +++++++++------
> + 1 file changed, 9 insertions(+), 6 deletions(-)
> +
> +diff --git a/source/fitz/util.c b/source/fitz/util.c
> +index 7710124cc..90226a5c1 100644
> +--- a/source/fitz/util.c
> ++++ b/source/fitz/util.c
> +@@ -119,7 +119,15 @@ fz_new_pixmap_from_display_list_with_separations(fz_context *ctx, fz_display_lis
> + 	else
> + 		fz_clear_pixmap_with_value(ctx, pix, 0xFF);
> +
> +-	return fz_fill_pixmap_from_display_list(ctx, list, ctm, pix);
> ++	fz_try(ctx)
> ++		fz_fill_pixmap_from_display_list(ctx, list, ctm, pix);
> ++	fz_catch(ctx)
> ++	{
> ++		fz_drop_pixmap(ctx, pix);
> ++		fz_rethrow(ctx);
> ++	}
> ++
> ++	return pix;
> + }
> +
> + fz_pixmap *
> +@@ -136,14 +144,9 @@ fz_fill_pixmap_from_display_list(fz_context *ctx, fz_display_list *list, fz_matr
> + 		fz_close_device(ctx, dev);
> + 	}
> + 	fz_always(ctx)
> +-	{
> + 		fz_drop_device(ctx, dev);
> +-	}
> + 	fz_catch(ctx)
> +-	{
> +-		fz_drop_pixmap(ctx, pix);
> + 		fz_rethrow(ctx);
> +-	}
> +
> + 	return pix;
> + }
> +--
> +cgit v1.2.3
> +
> diff --git a/package/mupdf/mupdf.mk b/package/mupdf/mupdf.mk
> index fe4f3e6756..c538b9bec8 100644
> --- a/package/mupdf/mupdf.mk
> +++ b/package/mupdf/mupdf.mk
> @@ -27,6 +27,9 @@ MUPDF_IGNORE_CVES = \
>  	CVE-2024-24258 \
>  	CVE-2024-24259
>  
> +# 0001-Fix-incorrect-error-case-free-of-pixmap.patch
> +MUPDF_IGNORE_CVES += CVE-2026-25556
> +
>  # mupdf doesn't use CFLAGS and LIBS but XCFLAGS and XLIBS instead.
>  # with USE_SYSTEM_LIBS it will try to use system libraries instead of the bundled ones.
>  MUPDF_MAKE_ENV = $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot