diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2024-02-08 08:09:47 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-02-16 03:35:51 -1000 |
commit | 5c5d9d5bccf6a33ee636b3d9c684232eca8c60c5 (patch) | |
tree | e9b64c18214473e31a519d79ccea055875c15c6c /meta/recipes-extended/ghostscript | |
parent | 1c77446c9611e000f71c9aab1a5c041fa6b81502 (diff) | |
download | poky-5c5d9d5bccf6a33ee636b3d9c684232eca8c60c5.tar.gz |
ghostscript: Backport fix for CVE-2020-36773
Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874]
(From OE-Core rev: 1a25a8ebedf39f1a868fcf646684b2eeaa67301f)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-extended/ghostscript')
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch | 109 | ||||
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript_9.52.bb | 1 |
2 files changed, 110 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch new file mode 100644 index 0000000000..ea8bf26f3f --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch | |||
@@ -0,0 +1,109 @@ | |||
1 | From 8c7bd787defa071c96289b7da9397f673fddb874 Mon Sep 17 00:00:00 2001 | ||
2 | From: Ken Sharp <ken.sharp@artifex.com> | ||
3 | Date: Wed, 20 May 2020 16:02:07 +0100 | ||
4 | Subject: [PATCH] txtwrite - address memory problems | ||
5 | |||
6 | Bug #702229 " txtwrite: use after free in 9.51 on some files (regression from 9.50)" | ||
7 | Also bug #702346 and the earlier report #701877. | ||
8 | |||
9 | The problems occur because its possible for a single character code in | ||
10 | a PDF file to map to more than a single Unicode code point. In the case | ||
11 | of the file for 701877 the character code maps to 'f' and 'i' (it is an | ||
12 | fi ligature). | ||
13 | |||
14 | The code should deal with this, but we need to ensure we are using the | ||
15 | correct index. In addition, if we do get more Unicode code points than | ||
16 | we expected, we need to set the widths of the 'extra' code points to | ||
17 | zero (we only want to consider the width of the original character). | ||
18 | |||
19 | This does mean increasing the size of the Widths array to cater for | ||
20 | the possibility of more entries on output than there were on input. | ||
21 | |||
22 | While working on it I noticed that the Unicode remapping on little- | ||
23 | endian machines was reversing the order of the Unicode values, when | ||
24 | there was more than a single code point returned, so fixed that at | ||
25 | the same time. | ||
26 | |||
27 | Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874] | ||
28 | CVE: CVE-2020-36773 | ||
29 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
30 | --- | ||
31 | devices/vector/gdevtxtw.c | 26 ++++++++++++++++---------- | ||
32 | 1 file changed, 16 insertions(+), 10 deletions(-) | ||
33 | |||
34 | diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c | ||
35 | index 87f9355..bddce5a 100644 | ||
36 | --- a/devices/vector/gdevtxtw.c | ||
37 | +++ b/devices/vector/gdevtxtw.c | ||
38 | @@ -1812,11 +1812,11 @@ static int get_unicode(textw_text_enum_t *penum, gs_font *font, gs_glyph glyph, | ||
39 | #else | ||
40 | b = (char *)Buffer; | ||
41 | u = (char *)unicode; | ||
42 | - while (l >= 0) { | ||
43 | - *b++ = *(u + l); | ||
44 | - l--; | ||
45 | - } | ||
46 | |||
47 | + for (l=0;l<length;l+=2, u+=2){ | ||
48 | + *b++ = *(u+1); | ||
49 | + *b++ = *u; | ||
50 | + } | ||
51 | #endif | ||
52 | gs_free_object(penum->dev->memory, unicode, "free temporary unicode buffer"); | ||
53 | return length / sizeof(short); | ||
54 | @@ -1963,7 +1963,7 @@ txtwrite_process_plain_text(gs_text_enum_t *pte) | ||
55 | &penum->text_state->matrix, &wanted); | ||
56 | pte->returned.total_width.x += wanted.x; | ||
57 | pte->returned.total_width.y += wanted.y; | ||
58 | - penum->Widths[pte->index - 1] = wanted.x; | ||
59 | + penum->Widths[penum->TextBufferIndex] = wanted.x; | ||
60 | |||
61 | if (pte->text.operation & TEXT_ADD_TO_ALL_WIDTHS) { | ||
62 | gs_point tpt; | ||
63 | @@ -1984,8 +1984,14 @@ txtwrite_process_plain_text(gs_text_enum_t *pte) | ||
64 | pte->returned.total_width.x += dpt.x; | ||
65 | pte->returned.total_width.y += dpt.y; | ||
66 | |||
67 | - penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]); | ||
68 | - penum->Widths[pte->index - 1] += dpt.x; | ||
69 | + penum->Widths[penum->TextBufferIndex] += dpt.x; | ||
70 | + code = get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]); | ||
71 | + /* If a single text code returned multiple Unicode values, then we need to set the | ||
72 | + * 'extra' code points' widths to 0. | ||
73 | + */ | ||
74 | + if (code > 1) | ||
75 | + memset(&penum->Widths[penum->TextBufferIndex + 1], 0x00, (code - 1) * sizeof(float)); | ||
76 | + penum->TextBufferIndex += code; | ||
77 | } | ||
78 | return 0; | ||
79 | } | ||
80 | @@ -2123,7 +2129,7 @@ txt_add_fragment(gx_device_txtwrite_t *tdev, textw_text_enum_t *penum) | ||
81 | if (!penum->text_state->Widths) | ||
82 | return gs_note_error(gs_error_VMerror); | ||
83 | memset(penum->text_state->Widths, 0x00, penum->TextBufferIndex * sizeof(float)); | ||
84 | - memcpy(penum->text_state->Widths, penum->Widths, penum->text.size * sizeof(float)); | ||
85 | + memcpy(penum->text_state->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float)); | ||
86 | |||
87 | unsorted_entry->Unicode_Text = (unsigned short *)gs_malloc(tdev->memory->stable_memory, | ||
88 | penum->TextBufferIndex, sizeof(unsigned short), "txtwrite alloc sorted text buffer"); | ||
89 | @@ -2136,7 +2142,7 @@ txt_add_fragment(gx_device_txtwrite_t *tdev, textw_text_enum_t *penum) | ||
90 | if (!unsorted_entry->Widths) | ||
91 | return gs_note_error(gs_error_VMerror); | ||
92 | memset(unsorted_entry->Widths, 0x00, penum->TextBufferIndex * sizeof(float)); | ||
93 | - memcpy(unsorted_entry->Widths, penum->Widths, penum->text.size * sizeof(float)); | ||
94 | + memcpy(unsorted_entry->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float)); | ||
95 | |||
96 | unsorted_entry->FontName = (char *)gs_malloc(tdev->memory->stable_memory, | ||
97 | (strlen(penum->text_state->FontName) + 1), sizeof(unsigned char), "txtwrite alloc sorted text buffer"); | ||
98 | @@ -2192,7 +2198,7 @@ textw_text_process(gs_text_enum_t *pte) | ||
99 | if (!penum->TextBuffer) | ||
100 | return gs_note_error(gs_error_VMerror); | ||
101 | penum->Widths = (float *)gs_malloc(tdev->memory->stable_memory, | ||
102 | - pte->text.size, sizeof(float), "txtwrite temporary widths array"); | ||
103 | + pte->text.size * 4, sizeof(float), "txtwrite temporary widths array"); | ||
104 | if (!penum->Widths) | ||
105 | return gs_note_error(gs_error_VMerror); | ||
106 | } | ||
107 | -- | ||
108 | 2.25.1 | ||
109 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index 9712871e7f..e57f592892 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb | |||
@@ -45,6 +45,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d | |||
45 | file://CVE-2023-36664-1.patch \ | 45 | file://CVE-2023-36664-1.patch \ |
46 | file://CVE-2023-36664-2.patch \ | 46 | file://CVE-2023-36664-2.patch \ |
47 | file://CVE-2023-43115.patch \ | 47 | file://CVE-2023-43115.patch \ |
48 | file://CVE-2020-36773.patch \ | ||
48 | " | 49 | " |
49 | 50 | ||
50 | SRC_URI = "${SRC_URI_BASE} \ | 51 | SRC_URI = "${SRC_URI_BASE} \ |