summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/ghostscript
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-extended/ghostscript')
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch68
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb1
2 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch
new file mode 100644
index 0000000000..8e4fd40932
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch
@@ -0,0 +1,68 @@
1From 2a3129365d3bc0d4a41f107ef175920d1505d1f7 Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Tue, 1 Jun 2021 19:57:16 +0100
4Subject: [PATCH] Bug 703902: Fix op stack management in
5 sampled_data_continue()
6
7Replace pop() (which does no checking, and doesn't handle stack extension
8blocks) with ref_stack_pop() which does do all that.
9
10We still use pop() in one case (it's faster), but we have to later use
11ref_stack_pop() before calling sampled_data_sample() which also accesses the
12op stack.
13
14Fixes:
15https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
16
17Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7]
18CVE: CVE-2021-45949
19Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
20---
21 psi/zfsample.c | 16 ++++++++++------
22 1 file changed, 10 insertions(+), 6 deletions(-)
23
24diff --git a/psi/zfsample.c b/psi/zfsample.c
25index 0e8e4bc8d..00cd0cfdd 100644
26--- a/psi/zfsample.c
27+++ b/psi/zfsample.c
28@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
29 for (j = 0; j < bps; j++)
30 data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
31 }
32- pop(num_out); /* Move op to base of result values */
33
34- /* Check if we are done collecting data. */
35+ pop(num_out); /* Move op to base of result values */
36
37+ /* From here on, we have to use ref_stack_pop() rather than pop()
38+ so that it handles stack extension blocks properly, before calling
39+ sampled_data_sample() which also uses the op stack.
40+ */
41+ /* Check if we are done collecting data. */
42 if (increment_cube_indexes(params, penum->indexes)) {
43 if (stack_depth_adjust == 0)
44- pop(O_STACK_PAD); /* Remove spare stack space */
45+ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
46 else
47- pop(stack_depth_adjust - num_out);
48+ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
49 /* Execute the closing procedure, if given */
50 code = 0;
51 if (esp_finish_proc != 0)
52@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
53 if ((O_STACK_PAD - stack_depth_adjust) < 0) {
54 stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
55 check_op(stack_depth_adjust);
56- pop(stack_depth_adjust);
57+ ref_stack_pop(&o_stack, stack_depth_adjust);
58 }
59 else {
60 check_ostack(O_STACK_PAD - stack_depth_adjust);
61- push(O_STACK_PAD - stack_depth_adjust);
62+ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
63 for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
64 make_null(op - i);
65 }
66--
672.25.1
68
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb
index 59cc560cf8..d4442a4908 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb
@@ -33,6 +33,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
33 file://do-not-check-local-libpng-source.patch \ 33 file://do-not-check-local-libpng-source.patch \
34 file://avoid-host-contamination.patch \ 34 file://avoid-host-contamination.patch \
35 file://mkdir-p.patch \ 35 file://mkdir-p.patch \
36 file://CVE-2021-45949.patch \
36" 37"
37 38
38SRC_URI = "${SRC_URI_BASE} \ 39SRC_URI = "${SRC_URI_BASE} \