ghostscript: Fix CVE-2025-27834

Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ef42ff180a04926e187d40faea40d4a43e304e3b] (From OE-Core rev: 06fb236cabf550ea7c92cda0a725dd3db8a8a38b) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-04-08 16:27:19 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-04-11 08:36:03 -0700
commit: ee952ae6240d70ab34fa782566c4fbf2c7521574 (patch)
tree: 16de959633464f6acb9502d1c9796b83469653d9
parent: bfe8ae1a38eeceff5030df78b6263fa8ac45a01e (diff)
download: poky-ee952ae6240d70ab34fa782566c4fbf2c7521574.tar.gz
2 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch
new file mode 100644
index 0000000000..66e13ca729
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch
@@ -0,0 +1,57 @@
+From ef42ff180a04926e187d40faea40d4a43e304e3b Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 20 Jan 2025 16:13:46 +0000
+Subject: [PATCH] PDF interpreter - Guard against unsigned int overflow
+Bug #708253 - see bug report for details.
+CVE-2025-27834
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ef42ff180a04926e187d40faea40d4a43e304e3b]
+CVE: CVE-2025-27834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pdf/pdf_func.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+diff --git a/pdf/pdf_func.c b/pdf/pdf_func.c
+index 9b7d5bb..423e544 100644
+--- a/pdf/pdf_func.c
+++ b/pdf/pdf_func.c
+@@ -153,6 +153,9 @@ pdfi_parse_type4_func_stream(pdf_context *ctx, pdf_c_stream *function_stream, in
+     byte *p = (ops ? ops + *size : NULL);
+ 
+     do {
+       if (*size > max_uint / 2)
+           return gs_note_error(gs_error_VMerror);
+
+         code = pdfi_read_bytes(ctx, &c, 1, 1, function_stream);
+         if (code < 0)
+             break;
+@@ -318,6 +321,11 @@ pdfi_build_function_4(pdf_context *ctx, gs_function_params_t * mnDR,
+     if (code < 0)
+         goto function_4_error;
+ 
+    if (size > max_uint - 1) {
+       code = gs_note_error(gs_error_VMerror);
+       goto function_4_error;
+    }
+
+     ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_function_4(ops)");
+     if (ops == NULL) {
+         code = gs_error_VMerror;
+@@ -816,6 +824,11 @@ int pdfi_build_halftone_function(pdf_context *ctx, gs_function_t ** ppfn, byte *
+     if (code < 0)
+         goto halftone_function_error;
+ 
+    if (size > max_uint - 1) {
+       code = gs_note_error(gs_error_VMerror);
+       goto halftone_function_error;
+    }
+
+     ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_halftone_function(ops)");
+     if (ops == NULL) {
+         code = gs_error_VMerror;
+-- 
+2.25.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 284ae3a28e..376d4a300e 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -66,6 +66,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2025-27831-pre1.patch \
                file://CVE-2025-27831.patch \
                file://CVE-2025-27832.patch \
+                file://CVE-2025-27834.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Vijay Anusuri <vanusuri@mvista.com>	2025-04-08 16:27:19 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-04-11 08:36:03 -0700
commit	ee952ae6240d70ab34fa782566c4fbf2c7521574 (patch)
tree	16de959633464f6acb9502d1c9796b83469653d9
parent	bfe8ae1a38eeceff5030df78b6263fa8ac45a01e (diff)
download	poky-ee952ae6240d70ab34fa782566c4fbf2c7521574.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch new file mode 100644 index 0000000000..66e13ca729 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch
@@ -0,0 +1,57 @@
		1	From ef42ff180a04926e187d40faea40d4a43e304e3b Mon Sep 17 00:00:00 2001
		2	From: Zdenek Hutyra <zhutyra@centrum.cz>
		3	Date: Mon, 20 Jan 2025 16:13:46 +0000
		4	Subject: [PATCH] PDF interpreter - Guard against unsigned int overflow
		5
		6	Bug #708253 - see bug report for details.
		7
		8	CVE-2025-27834
		9
		10	Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ef42ff180a04926e187d40faea40d4a43e304e3b]
		11	CVE: CVE-2025-27834
		12	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		13	---
		14	pdf/pdf_func.c \| 13 +++++++++++++
		15	1 file changed, 13 insertions(+)
		16
		17	diff --git a/pdf/pdf_func.c b/pdf/pdf_func.c
		18	index 9b7d5bb..423e544 100644
		19	--- a/pdf/pdf_func.c
		20	+++ b/pdf/pdf_func.c
		21	@@ -153,6 +153,9 @@ pdfi_parse_type4_func_stream(pdf_context ctx, pdf_c_stream function_stream, in
		22	byte p = (ops ? ops + size : NULL);
		23
		24	do {
		25	+ if (*size > max_uint / 2)
		26	+ return gs_note_error(gs_error_VMerror);
		27	+
		28	code = pdfi_read_bytes(ctx, &c, 1, 1, function_stream);
		29	if (code < 0)
		30	break;
		31	@@ -318,6 +321,11 @@ pdfi_build_function_4(pdf_context ctx, gs_function_params_t mnDR,
		32	if (code < 0)
		33	goto function_4_error;
		34
		35	+ if (size > max_uint - 1) {
		36	+ code = gs_note_error(gs_error_VMerror);
		37	+ goto function_4_error;
		38	+ }
		39	+
		40	ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_function_4(ops)");
		41	if (ops == NULL) {
		42	code = gs_error_VMerror;
		43	@@ -816,6 +824,11 @@ int pdfi_build_halftone_function(pdf_context ctx, gs_function_t * ppfn, byte *
		44	if (code < 0)
		45	goto halftone_function_error;
		46
		47	+ if (size > max_uint - 1) {
		48	+ code = gs_note_error(gs_error_VMerror);
		49	+ goto halftone_function_error;
		50	+ }
		51	+
		52	ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_halftone_function(ops)");
		53	if (ops == NULL) {
		54	code = gs_error_VMerror;
		55	--
		56	2.25.1
		57


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 284ae3a28e..376d4a300e 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -66,6 +66,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
66	file://CVE-2025-27831-pre1.patch \	66	file://CVE-2025-27831-pre1.patch \
67	file://CVE-2025-27831.patch \	67	file://CVE-2025-27831.patch \
68	file://CVE-2025-27832.patch \	68	file://CVE-2025-27832.patch \
		69	file://CVE-2025-27834.patch \
69	"	70	"
70		71
71	SRC_URI = "${SRC_URI_BASE} \	72	SRC_URI = "${SRC_URI_BASE} \