ghostscript: CVE-2017-9727, -9835, -11714

CVE-2017-9727: make bounds check in gx_ttfReader__Read more robust CVE-2017-9835: bounds check the array allocations methods CVE-2017-11714: prevent trying to reloc a freed object (From OE-Core rev: 2eae91f9fa1cfdd3f0e6111956c8f193fd0db69f) Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joe Slater <jslater@windriver.com> 2017-08-22 14:14:46 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-08-23 08:47:03 +0100
commit: 67afd9ead60c139484c5179be3c0dcbbf87938c3 (patch)
tree: 5b19856cfaffca20691d76886cb1a0fdb57511dc /meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch
parent: 8efe72508002772df08664d9bb0d5f8b25497ce5 (diff)
download: poky-67afd9ead60c139484c5179be3c0dcbbf87938c3.tar.gz
1 files changed, 61 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch
new file mode 100644
index 0000000000..84983c5aea
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch
@@ -0,0 +1,61 @@
+From 671fd59eb657743aa86fbc1895cb15872a317caa Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 6 Jul 2017 14:54:02 +0100
+Subject: [PATCH] Bug 698158: prevent trying to reloc a freed object
+In the token reader, we pass the scanner state structure around as a
+t_struct ref on the Postscript operand stack.
+But we explicitly free the scanner state when we're done, which leaves a
+dangling reference on the operand stack and, unless that reference gets
+overwritten before the next garbager run, we can end up with the garbager
+trying to deal with an already freed object - that can cause a crash, or
+memory corruption.
+---
+ psi/ztoken.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+--- end of original header
+CVE: CVE-2017-11714
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+diff --git a/psi/ztoken.c b/psi/ztoken.c
+index 4dba7c5..af1ceeb 100644
+--- a/psi/ztoken.c
+++ b/psi/ztoken.c
+@@ -107,6 +107,12 @@ token_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save)
+     int code;
+     ref token;
+ 
+    /* Since we might free pstate below, and we're dealing with
+     * gc memory referenced by the stack, we need to explicitly
+     * remove the reference to pstate from the stack, otherwise
+     * the garbager will fall over
+     */
+    make_null(osp);
+     /* Note that gs_scan_token may change osp! */
+     pop(1);                     /* remove the file or scanner state */
+ again:
+@@ -183,8 +189,14 @@ ztokenexec_continue(i_ctx_t *i_ctx_p)
+ static int
+ tokenexec_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save)
+ {
+-    os_ptr op;
+    os_ptr op = osp;
+     int code;
+    /* Since we might free pstate below, and we're dealing with
+     * gc memory referenced by the stack, we need to explicitly
+     * remove the reference to pstate from the stack, otherwise
+     * the garbager will fall over
+     */
+    make_null(osp);
+     /* Note that gs_scan_token may change osp! */
+     pop(1);
+ again:
+-- 
+1.7.9.5
author	Joe Slater <jslater@windriver.com>	2017-08-22 14:14:46 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-08-23 08:47:03 +0100
commit	67afd9ead60c139484c5179be3c0dcbbf87938c3 (patch)
tree	5b19856cfaffca20691d76886cb1a0fdb57511dc /meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch
parent	8efe72508002772df08664d9bb0d5f8b25497ce5 (diff)
download	poky-67afd9ead60c139484c5179be3c0dcbbf87938c3.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch new file mode 100644 index 0000000000..84983c5aea --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch
@@ -0,0 +1,61 @@
	1	From 671fd59eb657743aa86fbc1895cb15872a317caa Mon Sep 17 00:00:00 2001
	2	From: Chris Liddell <chris.liddell@artifex.com>
	3	Date: Thu, 6 Jul 2017 14:54:02 +0100
	4	Subject: [PATCH] Bug 698158: prevent trying to reloc a freed object
	5
	6	In the token reader, we pass the scanner state structure around as a
	7	t_struct ref on the Postscript operand stack.
	8
	9	But we explicitly free the scanner state when we're done, which leaves a
	10	dangling reference on the operand stack and, unless that reference gets
	11	overwritten before the next garbager run, we can end up with the garbager
	12	trying to deal with an already freed object - that can cause a crash, or
	13	memory corruption.
	14	---
	15	psi/ztoken.c \| 14 +++++++++++++-
	16	1 file changed, 13 insertions(+), 1 deletion(-)
	17
	18	--- end of original header
	19
	20	CVE: CVE-2017-11714
	21
	22	Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
	23
	24	Signed-off-by: Joe Slater <joe.slater@windriver.com>
	25
	26	diff --git a/psi/ztoken.c b/psi/ztoken.c
	27	index 4dba7c5..af1ceeb 100644
	28	--- a/psi/ztoken.c
	29	+++ b/psi/ztoken.c
	30	@@ -107,6 +107,12 @@ token_continue(i_ctx_t i_ctx_p, scanner_state pstate, bool save)
	31	int code;
	32	ref token;
	33
	34	+ /* Since we might free pstate below, and we're dealing with
	35	+ * gc memory referenced by the stack, we need to explicitly
	36	+ * remove the reference to pstate from the stack, otherwise
	37	+ * the garbager will fall over
	38	+ */
	39	+ make_null(osp);
	40	/* Note that gs_scan_token may change osp! */
	41	pop(1); /* remove the file or scanner state */
	42	again:
	43	@@ -183,8 +189,14 @@ ztokenexec_continue(i_ctx_t *i_ctx_p)
	44	static int
	45	tokenexec_continue(i_ctx_t i_ctx_p, scanner_state pstate, bool save)
	46	{
	47	- os_ptr op;
	48	+ os_ptr op = osp;
	49	int code;
	50	+ /* Since we might free pstate below, and we're dealing with
	51	+ * gc memory referenced by the stack, we need to explicitly
	52	+ * remove the reference to pstate from the stack, otherwise
	53	+ * the garbager will fall over
	54	+ */
	55	+ make_null(osp);
	56	/* Note that gs_scan_token may change osp! */
	57	pop(1);
	58	again:
	59	--
	60	1.7.9.5
	61