1 files changed, 0 insertions, 56 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch
deleted file mode 100644
index df654f721d..0000000000
--- a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From b9fa1157e1f4982d42241146c9b7c6c789d6f076 Mon Sep 17 00:00:00 2001
-From: Ken Sharp <ken.sharp@artifex.com>
-Date: Thu, 23 Aug 2018 15:42:02 +0100
-Subject: [PATCH 1/5] Bug 699665 "memory corruption in aesdecode"
-The specimen file calls aesdecode without specifying the key to be
-used, though it does manage to do enough work with the PDF interpreter
-routines to get access to aesdecode (which isn't normally available).
-This causes us to read uninitialised memory, which can (and often does)
-lead to a segmentation fault.
-In this commit we set the key to NULL explicitly during intialisation
-and then check it before we read it. If its NULL we just return.
-It seems bizarre that we don't return error codes, we should probably
-look into that at some point, but this prevents the code trying to
-read uninitialised memory.
-CVE: CVE-2018-15911
-Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
- base/aes.c  | 3 +++
- base/saes.c | 1 +
- 2 files changed, 4 insertions(+)
-diff --git a/base/aes.c b/base/aes.c
-index a6bce93..e86f000 100644
--- a/base/aes.c
-+++ b/base/aes.c
-@@ -662,6 +662,9 @@ void aes_crypt_ecb( aes_context *ctx,
-     }
- #endif
- 
-+    if (ctx == NULL || ctx->rk == NULL)
-+        return;
-+
-     RK = ctx->rk;
- 
-     GET_ULONG_LE( X0, input,  0 ); X0 ^= *RK++;
-diff --git a/base/saes.c b/base/saes.c
-index 6db0e8b..307ed74 100644
--- a/base/saes.c
-+++ b/base/saes.c
-@@ -120,6 +120,7 @@ s_aes_process(stream_state * ss, stream_cursor_read * pr,
-         gs_throw(gs_error_VMerror, "could not allocate aes context");
-         return ERRC;
-       }
-+      memset(state->ctx, 0x00, sizeof(aes_context));
-       if (state->keylength < 1 || state->keylength > SAES_MAX_KEYLENGTH) {
-         gs_throw1(gs_error_rangecheck, "invalid aes key length (%d bytes)",
-                 state->keylength);
-- 
-2.8.1

diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch deleted file mode 100644 index df654f721d..0000000000 --- a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch +++ /dev/null
@@ -1,56 +0,0 @@
1	From b9fa1157e1f4982d42241146c9b7c6c789d6f076 Mon Sep 17 00:00:00 2001
2	From: Ken Sharp <ken.sharp@artifex.com>
3	Date: Thu, 23 Aug 2018 15:42:02 +0100
4	Subject: [PATCH 1/5] Bug 699665 "memory corruption in aesdecode"
5
6	The specimen file calls aesdecode without specifying the key to be
7	used, though it does manage to do enough work with the PDF interpreter
8	routines to get access to aesdecode (which isn't normally available).
9
10	This causes us to read uninitialised memory, which can (and often does)
11	lead to a segmentation fault.
12
13	In this commit we set the key to NULL explicitly during intialisation
14	and then check it before we read it. If its NULL we just return.
15
16	It seems bizarre that we don't return error codes, we should probably
17	look into that at some point, but this prevents the code trying to
18	read uninitialised memory.
19
20	CVE: CVE-2018-15911
21	Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
22	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
23	---
24	base/aes.c \| 3 +++
25	base/saes.c \| 1 +
26	2 files changed, 4 insertions(+)
27
28	diff --git a/base/aes.c b/base/aes.c
29	index a6bce93..e86f000 100644
30	--- a/base/aes.c
31	+++ b/base/aes.c
32	@@ -662,6 +662,9 @@ void aes_crypt_ecb( aes_context *ctx,
33	}
34	#endif
35
36	+ if (ctx == NULL \|\| ctx->rk == NULL)
37	+ return;
38	+
39	RK = ctx->rk;
40
41	GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
42	diff --git a/base/saes.c b/base/saes.c
43	index 6db0e8b..307ed74 100644
44	--- a/base/saes.c
45	+++ b/base/saes.c
46	@@ -120,6 +120,7 @@ s_aes_process(stream_state * ss, stream_cursor_read * pr,
47	gs_throw(gs_error_VMerror, "could not allocate aes context");
48	return ERRC;
49	}
50	+ memset(state->ctx, 0x00, sizeof(aes_context));
51	if (state->keylength < 1 \|\| state->keylength > SAES_MAX_KEYLENGTH) {
52	gs_throw1(gs_error_rangecheck, "invalid aes key length (%d bytes)",
53	state->keylength);
54	--
55	2.8.1
56