ghostscript: fix several CVEs by adding bounds checking

CVE-2017-9611
CVE-2017-9612
CVE-2017-9739
CVE-2017-9726

(From OE-Core rev: 3e5d80c84f4c141bc3f3193d1db899b0e56993cf)

Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 37 insertions, 0 deletions

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch
new file mode 100644
index 0000000000..69a94df7b9
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch
@@ -0,0 +1,37 @@
+From c501a58f8d5650c8ba21d447c0d6f07eafcb0f15 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 16 Jun 2017 08:29:25 +0100
+Subject: [PATCH] Bug 698063: Bounds check Ins_JMPR
+
+---
+ base/ttinterp.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- end of original header
+
+CVE: CVE-2017-9739
+
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+diff --git a/base/ttinterp.c b/base/ttinterp.c
+index af457e8..adf3f0c 100644
+--- a/base/ttinterp.c
++++ b/base/ttinterp.c
+@@ -1794,6 +1794,12 @@ static int nInstrCount=0;
+ 
+   static void  Ins_JMPR( INS_ARG )
+   {
++    if ( BOUNDS(CUR.IP + args[0], CUR.codeSize ) )
++    {
++      CUR.error = TT_Err_Invalid_Reference;
++      return;
++    }
++
+     CUR.IP      += (Int)(args[0]);
+     CUR.step_ins = FALSE;
+ 
+-- 
+1.7.9.5
+