summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch61
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch35
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch125
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.21.bb3
4 files changed, 224 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch
new file mode 100644
index 0000000000..84983c5aea
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch
@@ -0,0 +1,61 @@
1From 671fd59eb657743aa86fbc1895cb15872a317caa Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Thu, 6 Jul 2017 14:54:02 +0100
4Subject: [PATCH] Bug 698158: prevent trying to reloc a freed object
5
6In the token reader, we pass the scanner state structure around as a
7t_struct ref on the Postscript operand stack.
8
9But we explicitly free the scanner state when we're done, which leaves a
10dangling reference on the operand stack and, unless that reference gets
11overwritten before the next garbager run, we can end up with the garbager
12trying to deal with an already freed object - that can cause a crash, or
13memory corruption.
14---
15 psi/ztoken.c | 14 +++++++++++++-
16 1 file changed, 13 insertions(+), 1 deletion(-)
17
18--- end of original header
19
20CVE: CVE-2017-11714
21
22Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
23
24Signed-off-by: Joe Slater <joe.slater@windriver.com>
25
26diff --git a/psi/ztoken.c b/psi/ztoken.c
27index 4dba7c5..af1ceeb 100644
28--- a/psi/ztoken.c
29+++ b/psi/ztoken.c
30@@ -107,6 +107,12 @@ token_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save)
31 int code;
32 ref token;
33
34+ /* Since we might free pstate below, and we're dealing with
35+ * gc memory referenced by the stack, we need to explicitly
36+ * remove the reference to pstate from the stack, otherwise
37+ * the garbager will fall over
38+ */
39+ make_null(osp);
40 /* Note that gs_scan_token may change osp! */
41 pop(1); /* remove the file or scanner state */
42 again:
43@@ -183,8 +189,14 @@ ztokenexec_continue(i_ctx_t *i_ctx_p)
44 static int
45 tokenexec_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save)
46 {
47- os_ptr op;
48+ os_ptr op = osp;
49 int code;
50+ /* Since we might free pstate below, and we're dealing with
51+ * gc memory referenced by the stack, we need to explicitly
52+ * remove the reference to pstate from the stack, otherwise
53+ * the garbager will fall over
54+ */
55+ make_null(osp);
56 /* Note that gs_scan_token may change osp! */
57 pop(1);
58 again:
59--
601.7.9.5
61
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch
new file mode 100644
index 0000000000..a2f7bfa506
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch
@@ -0,0 +1,35 @@
1From 937ccd17ac65935633b2ebc06cb7089b91e17e6b Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Thu, 15 Jun 2017 09:05:20 +0100
4Subject: [PATCH] Bug 698056: make bounds check in gx_ttfReader__Read more
5 robust
6
7---
8 base/gxttfb.c | 3 ++-
9 1 file changed, 2 insertions(+), 1 deletion(-)
10
11--- end of original header
12
13CVE: CVE-2017-9727
14
15Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
16
17Signed-off-by: Joe Slater <joe.slater@windriver.com>
18
19diff --git a/base/gxttfb.c b/base/gxttfb.c
20index 0e9a444..e1561af 100644
21--- a/base/gxttfb.c
22+++ b/base/gxttfb.c
23@@ -79,7 +79,8 @@ static void gx_ttfReader__Read(ttfReader *self, void *p, int n)
24 if (!r->error) {
25 if (r->extra_glyph_index != -1) {
26 q = r->glyph_data.bits.data + r->pos;
27- r->error = (r->glyph_data.bits.size - r->pos < n ?
28+ r->error = ((r->pos >= r->glyph_data.bits.size ||
29+ r->glyph_data.bits.size - r->pos < n) ?
30 gs_note_error(gs_error_invalidfont) : 0);
31 if (r->error == 0)
32 memcpy(p, q, n);
33--
341.7.9.5
35
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch
new file mode 100644
index 0000000000..7c65690c65
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch
@@ -0,0 +1,125 @@
1From cfde94be1d4286bc47633c6e6eaf4e659bd78066 Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Wed, 7 Jun 2017 14:55:12 +0100
4Subject: [PATCH] Bug 697985: bounds check the array allocations methods
5
6The clump allocator has four allocation functions that use 'number of elements'
7and 'size of elements' parameters (rather than a simple 'number of bytes').
8
9Those need specific bounds checking.
10---
11 base/gsalloc.c | 42 ++++++++++++++++++++++++++++--------------
12 1 file changed, 28 insertions(+), 14 deletions(-)
13
14--- end of original header
15
16CVE: CVE-2017-9835
17
18Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
19
20Signed-off-by: Joe Slater <joe.slater@windriver.com>
21
22diff --git a/base/gsalloc.c b/base/gsalloc.c
23index 741ba00..10c04dd 100644
24--- a/base/gsalloc.c
25+++ b/base/gsalloc.c
26@@ -1248,19 +1248,32 @@ i_alloc_struct_immovable(gs_memory_t * mem, gs_memory_type_ptr_t pstype,
27 alloc_trace("|+<.", imem, cname, pstype, size, obj);
28 return obj;
29 }
30+
31+static inline bool
32+alloc_array_check_size(ulong num_elements, ulong elt_size, ulong *lsize)
33+{
34+ int64_t s = (int64_t)num_elements * elt_size;
35+ if (s > max_uint) {
36+ return false;
37+ }
38+ *lsize = (ulong)s;
39+ return true;
40+}
41+
42 static byte *
43 i_alloc_byte_array(gs_memory_t * mem, uint num_elements, uint elt_size,
44 client_name_t cname)
45 {
46 gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
47 obj_header_t *obj;
48-
49+ ulong lsize;
50 #ifdef MEMENTO
51 if (Memento_failThisEvent())
52 return NULL;
53 #endif
54-
55- obj = alloc_obj(imem, (ulong) num_elements * elt_size,
56+ if (alloc_array_check_size(num_elements, elt_size, &lsize) == false)
57+ return NULL;
58+ obj = alloc_obj(imem, lsize,
59 &st_bytes, ALLOC_DIRECT, cname);
60
61 if_debug6m('A', mem, "[a%d:+b.]%s -bytes-*(%lu=%u*%u) = 0x%lx\n",
62@@ -1275,13 +1288,14 @@ i_alloc_byte_array_immovable(gs_memory_t * mem, uint num_elements,
63 {
64 gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
65 obj_header_t *obj;
66-
67+ ulong lsize;
68 #ifdef MEMENTO
69 if (Memento_failThisEvent())
70 return NULL;
71 #endif
72-
73- obj = alloc_obj(imem, (ulong) num_elements * elt_size,
74+ if (alloc_array_check_size(num_elements, elt_size, &lsize) == false)
75+ return NULL;
76+ obj = alloc_obj(imem, lsize,
77 &st_bytes, ALLOC_IMMOVABLE | ALLOC_DIRECT,
78 cname);
79
80@@ -1297,7 +1311,7 @@ i_alloc_struct_array(gs_memory_t * mem, uint num_elements,
81 {
82 gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
83 obj_header_t *obj;
84-
85+ ulong lsize;
86 #ifdef MEMENTO
87 if (Memento_failThisEvent())
88 return NULL;
89@@ -1311,9 +1325,9 @@ i_alloc_struct_array(gs_memory_t * mem, uint num_elements,
90 return NULL; /* fail */
91 }
92 #endif
93- obj = alloc_obj(imem,
94- (ulong) num_elements * pstype->ssize,
95- pstype, ALLOC_DIRECT, cname);
96+ if (alloc_array_check_size(num_elements, pstype->ssize, &lsize) == false)
97+ return NULL;
98+ obj = alloc_obj(imem, lsize, pstype, ALLOC_DIRECT, cname);
99 if_debug7m('A', mem, "[a%d:+<.]%s %s*(%lu=%u*%u) = 0x%lx\n",
100 alloc_trace_space(imem), client_name_string(cname),
101 struct_type_name_string(pstype),
102@@ -1327,16 +1341,16 @@ i_alloc_struct_array_immovable(gs_memory_t * mem, uint num_elements,
103 {
104 gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
105 obj_header_t *obj;
106-
107+ ulong lsize;
108 #ifdef MEMENTO
109 if (Memento_failThisEvent())
110 return NULL;
111 #endif
112
113 ALLOC_CHECK_SIZE(mem,pstype);
114- obj = alloc_obj(imem,
115- (ulong) num_elements * pstype->ssize,
116- pstype, ALLOC_IMMOVABLE | ALLOC_DIRECT, cname);
117+ if (alloc_array_check_size(num_elements, pstype->ssize, &lsize) == false)
118+ return NULL;
119+ obj = alloc_obj(imem, lsize, pstype, ALLOC_IMMOVABLE | ALLOC_DIRECT, cname);
120 if_debug7m('A', mem, "[a%d|+<.]%s %s*(%lu=%u*%u) = 0x%lx\n",
121 alloc_trace_space(imem), client_name_string(cname),
122 struct_type_name_string(pstype),
123--
1241.7.9.5
125
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb
index 93589cc2b9..bf985c44a3 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb
@@ -41,6 +41,9 @@ SRC_URI = "${SRC_URI_BASE} \
41 file://CVE-2017-9612.patch \ 41 file://CVE-2017-9612.patch \
42 file://CVE-2017-9739.patch \ 42 file://CVE-2017-9739.patch \
43 file://CVE-2017-9726.patch \ 43 file://CVE-2017-9726.patch \
44 file://CVE-2017-9727.patch \
45 file://CVE-2017-9835.patch \
46 file://CVE-2017-11714.patch \
44 " 47 "
45 48
46SRC_URI_class-native = "${SRC_URI_BASE} \ 49SRC_URI_class-native = "${SRC_URI_BASE} \