diff options
| author | Lee Chee Yang <chee.yang.lee@intel.com> | 2022-02-25 15:09:52 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-03-10 16:39:50 +0000 |
| commit | 5a89035cf7a8f3e7b9a4b76cbb703667e3150f15 (patch) | |
| tree | 05a8be8e38e699b22f3b9ee685b1515c198d5672 | |
| parent | 2cdb01ee20ec8ec2da522c8951325a3b2bd4d592 (diff) | |
| download | poky-5a89035cf7a8f3e7b9a4b76cbb703667e3150f15.tar.gz | |
ghostscript: fix CVE-2021-45949
(From OE-Core rev: aebdb079eba5426253c5709e1ea20b97a302b556)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch | 68 | ||||
| -rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb | 1 |
2 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch new file mode 100644 index 0000000000..8e4fd40932 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch | |||
| @@ -0,0 +1,68 @@ | |||
| 1 | From 2a3129365d3bc0d4a41f107ef175920d1505d1f7 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
| 3 | Date: Tue, 1 Jun 2021 19:57:16 +0100 | ||
| 4 | Subject: [PATCH] Bug 703902: Fix op stack management in | ||
| 5 | sampled_data_continue() | ||
| 6 | |||
| 7 | Replace pop() (which does no checking, and doesn't handle stack extension | ||
| 8 | blocks) with ref_stack_pop() which does do all that. | ||
| 9 | |||
| 10 | We still use pop() in one case (it's faster), but we have to later use | ||
| 11 | ref_stack_pop() before calling sampled_data_sample() which also accesses the | ||
| 12 | op stack. | ||
| 13 | |||
| 14 | Fixes: | ||
| 15 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 | ||
| 16 | |||
| 17 | Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7] | ||
| 18 | CVE: CVE-2021-45949 | ||
| 19 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
| 20 | --- | ||
| 21 | psi/zfsample.c | 16 ++++++++++------ | ||
| 22 | 1 file changed, 10 insertions(+), 6 deletions(-) | ||
| 23 | |||
| 24 | diff --git a/psi/zfsample.c b/psi/zfsample.c | ||
| 25 | index 0e8e4bc8d..00cd0cfdd 100644 | ||
| 26 | --- a/psi/zfsample.c | ||
| 27 | +++ b/psi/zfsample.c | ||
| 28 | @@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p) | ||
| 29 | for (j = 0; j < bps; j++) | ||
| 30 | data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */ | ||
| 31 | } | ||
| 32 | - pop(num_out); /* Move op to base of result values */ | ||
| 33 | |||
| 34 | - /* Check if we are done collecting data. */ | ||
| 35 | + pop(num_out); /* Move op to base of result values */ | ||
| 36 | |||
| 37 | + /* From here on, we have to use ref_stack_pop() rather than pop() | ||
| 38 | + so that it handles stack extension blocks properly, before calling | ||
| 39 | + sampled_data_sample() which also uses the op stack. | ||
| 40 | + */ | ||
| 41 | + /* Check if we are done collecting data. */ | ||
| 42 | if (increment_cube_indexes(params, penum->indexes)) { | ||
| 43 | if (stack_depth_adjust == 0) | ||
| 44 | - pop(O_STACK_PAD); /* Remove spare stack space */ | ||
| 45 | + ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */ | ||
| 46 | else | ||
| 47 | - pop(stack_depth_adjust - num_out); | ||
| 48 | + ref_stack_pop(&o_stack, stack_depth_adjust - num_out); | ||
| 49 | /* Execute the closing procedure, if given */ | ||
| 50 | code = 0; | ||
| 51 | if (esp_finish_proc != 0) | ||
| 52 | @@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p) | ||
| 53 | if ((O_STACK_PAD - stack_depth_adjust) < 0) { | ||
| 54 | stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); | ||
| 55 | check_op(stack_depth_adjust); | ||
| 56 | - pop(stack_depth_adjust); | ||
| 57 | + ref_stack_pop(&o_stack, stack_depth_adjust); | ||
| 58 | } | ||
| 59 | else { | ||
| 60 | check_ostack(O_STACK_PAD - stack_depth_adjust); | ||
| 61 | - push(O_STACK_PAD - stack_depth_adjust); | ||
| 62 | + ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust); | ||
| 63 | for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) | ||
| 64 | make_null(op - i); | ||
| 65 | } | ||
| 66 | -- | ||
| 67 | 2.25.1 | ||
| 68 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb index 59cc560cf8..d4442a4908 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb | |||
| @@ -33,6 +33,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d | |||
| 33 | file://do-not-check-local-libpng-source.patch \ | 33 | file://do-not-check-local-libpng-source.patch \ |
| 34 | file://avoid-host-contamination.patch \ | 34 | file://avoid-host-contamination.patch \ |
| 35 | file://mkdir-p.patch \ | 35 | file://mkdir-p.patch \ |
| 36 | file://CVE-2021-45949.patch \ | ||
| 36 | " | 37 | " |
| 37 | 38 | ||
| 38 | SRC_URI = "${SRC_URI_BASE} \ | 39 | SRC_URI = "${SRC_URI_BASE} \ |