ghostscript: patch CVE-2025-59800

Pick commit mentioned in the NVD report. (From OE-Core rev: 5109fd6675b6782f10f86f774fe54b6ccecee415) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-10-08 00:11:42 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-10-14 07:20:35 -0700
commit: 02148028a0e32c4f09f0f6aa38641af0f9615b2b (patch)
tree: 89c8c430d3db07aa44f10a88da971978509badd7 /meta/recipes-extended
parent: 093e91d1906c468497835c9f2e6925ae87f6601d (diff)
download: poky-02148028a0e32c4f09f0f6aa38641af0f9615b2b.tar.gz
2 files changed, 37 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch
new file mode 100644
index 0000000000..5d50865271
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch
@@ -0,0 +1,36 @@
+From 176cf0188a2294bc307b8caec876f39412e58350 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Tue, 1 Jul 2025 10:31:17 +0100
+Subject: [PATCH] PDF OCR 8 bit device - avoid overflow
+Bug 708602 "Heap overflow in ocr_line8"
+Make sure the calculation of the required raster size does not overflow
+an int.
+CVE: CVE-2025-59800
+Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/176cf0188a2294bc307b8caec876f39412e58350]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ devices/gdevpdfocr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
+index f27dc11db..6362f4104 100644
+--- a/devices/gdevpdfocr.c
+++ b/devices/gdevpdfocr.c
+@@ -521,9 +521,12 @@ ocr_line32(gx_device_pdf_image *dev, void *row)
+ static int
+ ocr_begin_page(gx_device_pdf_image *dev, int w, int h, int bpp)
+ {
+-    int raster = (w+3)&~3;
+    int64_t raster = (w + 3) & ~3;
+ 
+-    dev->ocr.data = gs_alloc_bytes(dev->memory, raster * h, "ocr_begin_page");
+    raster = raster * (int64_t)h;
+    if (raster < 0 || raster > max_size_t)
+        return gs_note_error(gs_error_VMerror);
+    dev->ocr.data = gs_alloc_bytes(dev->memory, raster, "ocr_begin_page");
+     if (dev->ocr.data == NULL)
+         return_error(gs_error_VMerror);
+     dev->ocr.w = w;
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 349c007e94..b8195e3eff 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -78,6 +78,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2025-48708.patch \
                file://CVE-2025-59798.patch \
                file://CVE-2025-59799.patch \
+                file://CVE-2025-59800.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Peter Marko <peter.marko@siemens.com>	2025-10-08 00:11:42 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-10-14 07:20:35 -0700
commit	02148028a0e32c4f09f0f6aa38641af0f9615b2b (patch)
tree	89c8c430d3db07aa44f10a88da971978509badd7 /meta/recipes-extended
parent	093e91d1906c468497835c9f2e6925ae87f6601d (diff)
download	poky-02148028a0e32c4f09f0f6aa38641af0f9615b2b.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch new file mode 100644 index 0000000000..5d50865271 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch
@@ -0,0 +1,36 @@
		1	From 176cf0188a2294bc307b8caec876f39412e58350 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <Ken.Sharp@artifex.com>
		3	Date: Tue, 1 Jul 2025 10:31:17 +0100
		4	Subject: [PATCH] PDF OCR 8 bit device - avoid overflow
		5
		6	Bug 708602 "Heap overflow in ocr_line8"
		7
		8	Make sure the calculation of the required raster size does not overflow
		9	an int.
		10
		11	CVE: CVE-2025-59800
		12	Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/176cf0188a2294bc307b8caec876f39412e58350]
		13	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		14	---
		15	devices/gdevpdfocr.c \| 7 +++++--
		16	1 file changed, 5 insertions(+), 2 deletions(-)
		17
		18	diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
		19	index f27dc11db..6362f4104 100644
		20	--- a/devices/gdevpdfocr.c
		21	+++ b/devices/gdevpdfocr.c
		22	@@ -521,9 +521,12 @@ ocr_line32(gx_device_pdf_image dev, void row)
		23	static int
		24	ocr_begin_page(gx_device_pdf_image *dev, int w, int h, int bpp)
		25	{
		26	- int raster = (w+3)&~3;
		27	+ int64_t raster = (w + 3) & ~3;
		28
		29	- dev->ocr.data = gs_alloc_bytes(dev->memory, raster * h, "ocr_begin_page");
		30	+ raster = raster * (int64_t)h;
		31	+ if (raster < 0 \|\| raster > max_size_t)
		32	+ return gs_note_error(gs_error_VMerror);
		33	+ dev->ocr.data = gs_alloc_bytes(dev->memory, raster, "ocr_begin_page");
		34	if (dev->ocr.data == NULL)
		35	return_error(gs_error_VMerror);
		36	dev->ocr.w = w;


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 349c007e94..b8195e3eff 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -78,6 +78,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
78	file://CVE-2025-48708.patch \	78	file://CVE-2025-48708.patch \
79	file://CVE-2025-59798.patch \	79	file://CVE-2025-59798.patch \
80	file://CVE-2025-59799.patch \	80	file://CVE-2025-59799.patch \
		81	file://CVE-2025-59800.patch \
81	"	82	"
82		83
83	SRC_URI = "${SRC_URI_BASE} \	84	SRC_URI = "${SRC_URI_BASE} \