1 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch
new file mode 100644
index 0000000000..852f2459f7
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch
@@ -0,0 +1,54 @@
+From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Fri, 24 Mar 2023 13:19:57 +0000
+Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
+Bug #706494 "Buffer Overflow in s_xBCPE_process"
+As described in detail in the bug report, if the write buffer is filled
+to one byte less than full, and we then try to write an escaped
+character, we overrun the buffer because we don't check before
+writing two bytes to it.
+This just checks if we have two bytes before starting to write an
+escaped character and exits if we don't (replacing the consumed byte
+of the input).
+Up for further discussion; why do we even permit a BCP encoding filter
+anyway ? I think we should remove this, at least when SAFER is true.
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179]
+CVE: CVE-2023-28879
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/sbcp.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+diff --git a/base/sbcp.c b/base/sbcp.c
+index 6b0383c..90784b5 100644
+--- a/base/sbcp.c
+++ b/base/sbcp.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2019 Artifex Software, Inc.
+/* Copyright (C) 2001-2023 Artifex Software, Inc.
+    All Rights Reserved.
+ 
+    This software is provided AS-IS with no warranty, either express or
+@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
+         byte ch = *++p;
+ 
+         if (ch <= 31 && escaped[ch]) {
+            /* Make sure we have space to store two characters in the write buffer,
+            * if we don't then exit without consuming the input character, we'll process
+            * that on the next time round.
+            */
+            if (pw->limit - q < 2) {
+                p--;
+                break;
+            }
+             if (p == rlimit) {
+                 p--;
+                 break;
+-- 
+2.25.1

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch new file mode 100644 index 0000000000..852f2459f7 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch
@@ -0,0 +1,54 @@
	1	From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
	2	From: Ken Sharp <ken.sharp@artifex.com>
	3	Date: Fri, 24 Mar 2023 13:19:57 +0000
	4	Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
	5
	6	Bug #706494 "Buffer Overflow in s_xBCPE_process"
	7
	8	As described in detail in the bug report, if the write buffer is filled
	9	to one byte less than full, and we then try to write an escaped
	10	character, we overrun the buffer because we don't check before
	11	writing two bytes to it.
	12
	13	This just checks if we have two bytes before starting to write an
	14	escaped character and exits if we don't (replacing the consumed byte
	15	of the input).
	16
	17	Up for further discussion; why do we even permit a BCP encoding filter
	18	anyway ? I think we should remove this, at least when SAFER is true.
	19
	20	Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179]
	21	CVE: CVE-2023-28879
	22	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	23	---
	24	base/sbcp.c \| 10 +++++++++-
	25	1 file changed, 9 insertions(+), 1 deletion(-)
	26
	27	diff --git a/base/sbcp.c b/base/sbcp.c
	28	index 6b0383c..90784b5 100644
	29	--- a/base/sbcp.c
	30	+++ b/base/sbcp.c
	31	@@ -1,4 +1,4 @@
	32	-/* Copyright (C) 2001-2019 Artifex Software, Inc.
	33	+/* Copyright (C) 2001-2023 Artifex Software, Inc.
	34	All Rights Reserved.
	35
	36	This software is provided AS-IS with no warranty, either express or
	37	@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
	38	byte ch = *++p;
	39
	40	if (ch <= 31 && escaped[ch]) {
	41	+ /* Make sure we have space to store two characters in the write buffer,
	42	+ * if we don't then exit without consuming the input character, we'll process
	43	+ * that on the next time round.
	44	+ */
	45	+ if (pw->limit - q < 2) {
	46	+ p--;
	47	+ break;
	48	+ }
	49	if (p == rlimit) {
	50	p--;
	51	break;
	52	--
	53	2.25.1
	54