1 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch
new file mode 100644
index 0000000000..d7c5f034e5
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch
@@ -0,0 +1,54 @@
+From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Wed, 22 Jul 2020 09:57:54 -0700
+Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript
+ 9.52
+Fix the 'rsearch' calculation for the 'post' size to give the correct
+size.  Previous calculation would result in a size that was too large,
+and could underflow to max uint32_t. Also fix 'rsearch' to return the
+correct 'pre' string with empty string match.
+A future change may 'undefine' this undocumented, non-standard operator
+during initialization as we do with the many other non-standard internal
+PostScript operators and procedures.
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b]
+CVE: CVE-2020-15900
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ psi/zstring.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+diff --git a/psi/zstring.c b/psi/zstring.c
+index 33662dafa..58e1af2b3 100644
+--- a/psi/zstring.c
+++ b/psi/zstring.c
+@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
+     return 0;
+ found:
+     op->tas.type_attrs = op1->tas.type_attrs;
+-    op->value.bytes = ptr;
+-    r_set_size(op, size);
+    op->value.bytes = ptr;                             /* match */
+    op->tas.rsize = size;                              /* match */
+     push(2);
+-    op[-1] = *op1;
+-    r_set_size(op - 1, ptr - op[-1].value.bytes);
+-    op1->value.bytes = ptr + size;
+-    r_set_size(op1, count + (!forward ? (size - 1) : 0));
+    op[-1] = *op1;                                     /* pre */
+    op[-3].value.bytes = ptr + size;                   /* post */
+    if (forward) {
+        op[-1].tas.rsize = ptr - op[-1].value.bytes;   /* pre */
+        op[-3].tas.rsize = count;                      /* post */
+    } else {
+        op[-1].tas.rsize = count;                      /* pre */
+        op[-3].tas.rsize -= count + size;              /* post */
+    }
+     make_true(op);
+     return 0;
+ }
+-- 
+2.17.1

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch new file mode 100644 index 0000000000..d7c5f034e5 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch
@@ -0,0 +1,54 @@
	1	From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001
	2	From: Ray Johnston <ray.johnston@artifex.com>
	3	Date: Wed, 22 Jul 2020 09:57:54 -0700
	4	Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript
	5	9.52
	6
	7	Fix the 'rsearch' calculation for the 'post' size to give the correct
	8	size. Previous calculation would result in a size that was too large,
	9	and could underflow to max uint32_t. Also fix 'rsearch' to return the
	10	correct 'pre' string with empty string match.
	11
	12	A future change may 'undefine' this undocumented, non-standard operator
	13	during initialization as we do with the many other non-standard internal
	14	PostScript operators and procedures.
	15
	16	Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b]
	17	CVE: CVE-2020-15900
	18	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	19	---
	20	psi/zstring.c \| 17 +++++++++++------
	21	1 file changed, 11 insertions(+), 6 deletions(-)
	22
	23	diff --git a/psi/zstring.c b/psi/zstring.c
	24	index 33662dafa..58e1af2b3 100644
	25	--- a/psi/zstring.c
	26	+++ b/psi/zstring.c
	27	@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
	28	return 0;
	29	found:
	30	op->tas.type_attrs = op1->tas.type_attrs;
	31	- op->value.bytes = ptr;
	32	- r_set_size(op, size);
	33	+ op->value.bytes = ptr; /* match */
	34	+ op->tas.rsize = size; /* match */
	35	push(2);
	36	- op[-1] = *op1;
	37	- r_set_size(op - 1, ptr - op[-1].value.bytes);
	38	- op1->value.bytes = ptr + size;
	39	- r_set_size(op1, count + (!forward ? (size - 1) : 0));
	40	+ op[-1] = op1; / pre */
	41	+ op[-3].value.bytes = ptr + size; /* post */
	42	+ if (forward) {
	43	+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
	44	+ op[-3].tas.rsize = count; /* post */
	45	+ } else {
	46	+ op[-1].tas.rsize = count; /* pre */
	47	+ op[-3].tas.rsize -= count + size; /* post */
	48	+ }
	49	make_true(op);
	50	return 0;
	51	}
	52	--
	53	2.17.1
	54