ghostscript: Backport fix for CVE-2020-36773

Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874] (From OE-Core rev: 1a25a8ebedf39f1a868fcf646684b2eeaa67301f) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-02-08 08:09:47 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-02-16 03:35:51 -1000
commit: 5c5d9d5bccf6a33ee636b3d9c684232eca8c60c5 (patch)
tree: e9b64c18214473e31a519d79ccea055875c15c6c /meta
parent: 1c77446c9611e000f71c9aab1a5c041fa6b81502 (diff)
download: poky-5c5d9d5bccf6a33ee636b3d9c684232eca8c60c5.tar.gz
2 files changed, 110 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch
new file mode 100644
index 0000000000..ea8bf26f3f
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch
@@ -0,0 +1,109 @@
+From 8c7bd787defa071c96289b7da9397f673fddb874 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 20 May 2020 16:02:07 +0100
+Subject: [PATCH] txtwrite - address memory problems
+Bug #702229 " txtwrite: use after free in 9.51 on some files (regression from 9.50)"
+Also bug #702346 and the earlier report #701877.
+The problems occur because its possible for a single character code in
+a PDF file to map to more than a single Unicode code point. In the case
+of the file for 701877 the character code maps to 'f' and 'i' (it is an
+fi ligature).
+The code should deal with this, but we need to ensure we are using the
+correct index. In addition, if we do get more Unicode code points than
+we expected, we need to set the widths of the 'extra' code points to
+zero (we only want to consider the width of the original character).
+This does mean increasing the size of the Widths array to cater for
+the possibility of more entries on output than there were on input.
+While working on it I noticed that the Unicode remapping on little-
+endian machines was reversing the order of the Unicode values, when
+there was more than a single code point returned, so fixed that at
+the same time.
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874]
+CVE: CVE-2020-36773
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ devices/vector/gdevtxtw.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c
+index 87f9355..bddce5a 100644
+--- a/devices/vector/gdevtxtw.c
+++ b/devices/vector/gdevtxtw.c
+@@ -1812,11 +1812,11 @@ static int get_unicode(textw_text_enum_t *penum, gs_font *font, gs_glyph glyph,
+ #else
+         b = (char *)Buffer;
+         u = (char *)unicode;
+-        while (l >= 0) {
+-            *b++ = *(u + l);
+-            l--;
+-        }
+ 
+       for (l=0;l<length;l+=2, u+=2){
+           *b++ = *(u+1);
+           *b++ = *u;
+       }
+ #endif
+         gs_free_object(penum->dev->memory, unicode, "free temporary unicode buffer");
+         return length / sizeof(short);
+@@ -1963,7 +1963,7 @@ txtwrite_process_plain_text(gs_text_enum_t *pte)
+                           &penum->text_state->matrix, &wanted);
+         pte->returned.total_width.x += wanted.x;
+         pte->returned.total_width.y += wanted.y;
+-        penum->Widths[pte->index - 1] = wanted.x;
+        penum->Widths[penum->TextBufferIndex] = wanted.x;
+ 
+         if (pte->text.operation & TEXT_ADD_TO_ALL_WIDTHS) {
+             gs_point tpt;
+@@ -1984,8 +1984,14 @@ txtwrite_process_plain_text(gs_text_enum_t *pte)
+         pte->returned.total_width.x += dpt.x;
+         pte->returned.total_width.y += dpt.y;
+ 
+-        penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]);
+-        penum->Widths[pte->index - 1] += dpt.x;
+       penum->Widths[penum->TextBufferIndex] += dpt.x;
+       code = get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]);
+       /* If a single text code returned multiple Unicode values, then we need to set the
+        * 'extra' code points' widths to 0.
+        */
+       if (code > 1)
+           memset(&penum->Widths[penum->TextBufferIndex + 1], 0x00, (code - 1) * sizeof(float));
+       penum->TextBufferIndex += code;
+     }
+     return 0;
+ }
+@@ -2123,7 +2129,7 @@ txt_add_fragment(gx_device_txtwrite_t *tdev, textw_text_enum_t *penum)
+     if (!penum->text_state->Widths)
+         return gs_note_error(gs_error_VMerror);
+     memset(penum->text_state->Widths, 0x00, penum->TextBufferIndex * sizeof(float));
+-    memcpy(penum->text_state->Widths, penum->Widths, penum->text.size * sizeof(float));
+    memcpy(penum->text_state->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float));
+ 
+     unsorted_entry->Unicode_Text = (unsigned short *)gs_malloc(tdev->memory->stable_memory,
+         penum->TextBufferIndex, sizeof(unsigned short), "txtwrite alloc sorted text buffer");
+@@ -2136,7 +2142,7 @@ txt_add_fragment(gx_device_txtwrite_t *tdev, textw_text_enum_t *penum)
+     if (!unsorted_entry->Widths)
+         return gs_note_error(gs_error_VMerror);
+     memset(unsorted_entry->Widths, 0x00, penum->TextBufferIndex * sizeof(float));
+-    memcpy(unsorted_entry->Widths, penum->Widths, penum->text.size * sizeof(float));
+    memcpy(unsorted_entry->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float));
+ 
+     unsorted_entry->FontName = (char *)gs_malloc(tdev->memory->stable_memory,
+         (strlen(penum->text_state->FontName) + 1), sizeof(unsigned char), "txtwrite alloc sorted text buffer");
+@@ -2192,7 +2198,7 @@ textw_text_process(gs_text_enum_t *pte)
+         if (!penum->TextBuffer)
+             return gs_note_error(gs_error_VMerror);
+         penum->Widths = (float *)gs_malloc(tdev->memory->stable_memory,
+-            pte->text.size, sizeof(float), "txtwrite temporary widths array");
+            pte->text.size * 4, sizeof(float), "txtwrite temporary widths array");
+         if (!penum->Widths)
+             return gs_note_error(gs_error_VMerror);
+     }
+-- 
+2.25.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
index 9712871e7f..e57f592892 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -45,6 +45,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2023-36664-1.patch \
                file://CVE-2023-36664-2.patch \
                file://CVE-2023-43115.patch \
+                file://CVE-2020-36773.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Vijay Anusuri <vanusuri@mvista.com>	2024-02-08 08:09:47 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-02-16 03:35:51 -1000
commit	5c5d9d5bccf6a33ee636b3d9c684232eca8c60c5 (patch)
tree	e9b64c18214473e31a519d79ccea055875c15c6c /meta
parent	1c77446c9611e000f71c9aab1a5c041fa6b81502 (diff)
download	poky-5c5d9d5bccf6a33ee636b3d9c684232eca8c60c5.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch new file mode 100644 index 0000000000..ea8bf26f3f --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch
@@ -0,0 +1,109 @@
		1	From 8c7bd787defa071c96289b7da9397f673fddb874 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <ken.sharp@artifex.com>
		3	Date: Wed, 20 May 2020 16:02:07 +0100
		4	Subject: [PATCH] txtwrite - address memory problems
		5
		6	Bug #702229 " txtwrite: use after free in 9.51 on some files (regression from 9.50)"
		7	Also bug #702346 and the earlier report #701877.
		8
		9	The problems occur because its possible for a single character code in
		10	a PDF file to map to more than a single Unicode code point. In the case
		11	of the file for 701877 the character code maps to 'f' and 'i' (it is an
		12	fi ligature).
		13
		14	The code should deal with this, but we need to ensure we are using the
		15	correct index. In addition, if we do get more Unicode code points than
		16	we expected, we need to set the widths of the 'extra' code points to
		17	zero (we only want to consider the width of the original character).
		18
		19	This does mean increasing the size of the Widths array to cater for
		20	the possibility of more entries on output than there were on input.
		21
		22	While working on it I noticed that the Unicode remapping on little-
		23	endian machines was reversing the order of the Unicode values, when
		24	there was more than a single code point returned, so fixed that at
		25	the same time.
		26
		27	Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874]
		28	CVE: CVE-2020-36773
		29	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		30	---
		31	devices/vector/gdevtxtw.c \| 26 ++++++++++++++++----------
		32	1 file changed, 16 insertions(+), 10 deletions(-)
		33
		34	diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c
		35	index 87f9355..bddce5a 100644
		36	--- a/devices/vector/gdevtxtw.c
		37	+++ b/devices/vector/gdevtxtw.c
		38	@@ -1812,11 +1812,11 @@ static int get_unicode(textw_text_enum_t penum, gs_font font, gs_glyph glyph,
		39	#else
		40	b = (char *)Buffer;
		41	u = (char *)unicode;
		42	- while (l >= 0) {
		43	- b++ = (u + l);
		44	- l--;
		45	- }
		46
		47	+ for (l=0;l<length;l+=2, u+=2){
		48	+ b++ = (u+1);
		49	+ b++ = u;
		50	+ }
		51	#endif
		52	gs_free_object(penum->dev->memory, unicode, "free temporary unicode buffer");
		53	return length / sizeof(short);
		54	@@ -1963,7 +1963,7 @@ txtwrite_process_plain_text(gs_text_enum_t *pte)
		55	&penum->text_state->matrix, &wanted);
		56	pte->returned.total_width.x += wanted.x;
		57	pte->returned.total_width.y += wanted.y;
		58	- penum->Widths[pte->index - 1] = wanted.x;
		59	+ penum->Widths[penum->TextBufferIndex] = wanted.x;
		60
		61	if (pte->text.operation & TEXT_ADD_TO_ALL_WIDTHS) {
		62	gs_point tpt;
		63	@@ -1984,8 +1984,14 @@ txtwrite_process_plain_text(gs_text_enum_t *pte)
		64	pte->returned.total_width.x += dpt.x;
		65	pte->returned.total_width.y += dpt.y;
		66
		67	- penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]);
		68	- penum->Widths[pte->index - 1] += dpt.x;
		69	+ penum->Widths[penum->TextBufferIndex] += dpt.x;
		70	+ code = get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]);
		71	+ /* If a single text code returned multiple Unicode values, then we need to set the
		72	+ * 'extra' code points' widths to 0.
		73	+ */
		74	+ if (code > 1)
		75	+ memset(&penum->Widths[penum->TextBufferIndex + 1], 0x00, (code - 1) * sizeof(float));
		76	+ penum->TextBufferIndex += code;
		77	}
		78	return 0;
		79	}
		80	@@ -2123,7 +2129,7 @@ txt_add_fragment(gx_device_txtwrite_t tdev, textw_text_enum_t penum)
		81	if (!penum->text_state->Widths)
		82	return gs_note_error(gs_error_VMerror);
		83	memset(penum->text_state->Widths, 0x00, penum->TextBufferIndex * sizeof(float));
		84	- memcpy(penum->text_state->Widths, penum->Widths, penum->text.size * sizeof(float));
		85	+ memcpy(penum->text_state->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float));
		86
		87	unsorted_entry->Unicode_Text = (unsigned short *)gs_malloc(tdev->memory->stable_memory,
		88	penum->TextBufferIndex, sizeof(unsigned short), "txtwrite alloc sorted text buffer");
		89	@@ -2136,7 +2142,7 @@ txt_add_fragment(gx_device_txtwrite_t tdev, textw_text_enum_t penum)
		90	if (!unsorted_entry->Widths)
		91	return gs_note_error(gs_error_VMerror);
		92	memset(unsorted_entry->Widths, 0x00, penum->TextBufferIndex * sizeof(float));
		93	- memcpy(unsorted_entry->Widths, penum->Widths, penum->text.size * sizeof(float));
		94	+ memcpy(unsorted_entry->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float));
		95
		96	unsorted_entry->FontName = (char *)gs_malloc(tdev->memory->stable_memory,
		97	(strlen(penum->text_state->FontName) + 1), sizeof(unsigned char), "txtwrite alloc sorted text buffer");
		98	@@ -2192,7 +2198,7 @@ textw_text_process(gs_text_enum_t *pte)
		99	if (!penum->TextBuffer)
		100	return gs_note_error(gs_error_VMerror);
		101	penum->Widths = (float *)gs_malloc(tdev->memory->stable_memory,
		102	- pte->text.size, sizeof(float), "txtwrite temporary widths array");
		103	+ pte->text.size * 4, sizeof(float), "txtwrite temporary widths array");
		104	if (!penum->Widths)
		105	return gs_note_error(gs_error_VMerror);
		106	}
		107	--
		108	2.25.1
		109


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index 9712871e7f..e57f592892 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -45,6 +45,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
45	file://CVE-2023-36664-1.patch \	45	file://CVE-2023-36664-1.patch \
46	file://CVE-2023-36664-2.patch \	46	file://CVE-2023-36664-2.patch \
47	file://CVE-2023-43115.patch \	47	file://CVE-2023-43115.patch \
		48	file://CVE-2020-36773.patch \
48	"	49	"
49		50
50	SRC_URI = "${SRC_URI_BASE} \	51	SRC_URI = "${SRC_URI_BASE} \