Diffstat (limited to 'meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch')
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch | 56 |
1 files changed, 56 insertions, 0 deletions
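--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch
@@ -0,0 +1,56 @@
+From b9fa1157e1f4982d42241146c9b7c6c789d6f076 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Thu, 23 Aug 2018 15:42:02 +0100
+Subject: [PATCH 1/5] Bug 699665 "memory corruption in aesdecode"
+
+The specimen file calls aesdecode without specifying the key to be
+used, though it does manage to do enough work with the PDF interpreter
+routines to get access to aesdecode (which isn't normally available).
+
+This causes us to read uninitialised memory, which can (and often does)
+lead to a segmentation fault.
+
+In this commit we set the key to NULL explicitly during intialisation
+and then check it before we read it. If its NULL we just return.
+
+It seems bizarre that we don't return error codes, we should probably
+look into that at some point, but this prevents the code trying to
+read uninitialised memory.
+
+CVE: CVE-2018-15911
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ base/aes.c | 3 +++
+ base/saes.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/base/aes.c b/base/aes.c
+index a6bce93..e86f000 100644
+--- a/base/aes.c
++++ b/base/aes.c
+@@ -662,6 +662,9 @@ void aes_crypt_ecb( aes_context *ctx,
+ }
+ #endif
+
++ if (ctx == NULL || ctx->rk == NULL)
++ return;
++
+ RK = ctx->rk;
+
+ GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
+diff --git a/base/saes.c b/base/saes.c
+index 6db0e8b..307ed74 100644
+--- a/base/saes.c
++++ b/base/saes.c
+@@ -120,6 +120,7 @@ s_aes_process(stream_state * ss, stream_cursor_read * pr,
+ gs_throw(gs_error_VMerror, "could not allocate aes context");
+ return ERRC;
+ }
++ memset(state->ctx, 0x00, sizeof(aes_context));
+ if (state->keylength < 1 || state->keylength > SAES_MAX_KEYLENGTH) {
+ gs_throw1(gs_error_rangecheck, "invalid aes key length (%d bytes)",
+ state->keylength);
+--
+2.8.1
+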
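Review bot: The guard added to aes_crypt_ecb in base/aes.c returns before writing the output block, so when ctx->rk is NULL the caller still treats the block as decrypted and whatever the output buffer already held is passed along; together with the zeroing memset in base/saes.c, which makes rk NULL exactly in the unkeyed case, the failure becomes silent instead of a crash, which the commit message itself acknowledges. Since s_aes_process already has a stream-level error path (`gs_throw(...); return ERRC;` is visible in the saes.c hunk), the unkeyed stream could be rejected there rather than in the primitive, e.g. `if (state->ctx->rk == NULL) { gs_throw(gs_error_rangecheck, "aes key not set"); return ERRC; }` at the point where the context is first used for decryption — that call site lies outside this hunk, so where exactly it fits has to be confirmed against the rest of s_aes_process. Independently, a one-line comment above the aes.c guard such as `/* unkeyed context: no output is written; callers must check rk before use */` would make the silent-return contract explicit for future readers of aes_crypt_ecb, whose body continues outside the hunk.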