From 9700856e4e80c818e7dc78d133d349032624135b Mon Sep 17 00:00:00 2001
From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
Date: Thu, 24 Apr 2025 17:23:57 +0800
Subject: [PATCH] [CVE] FIX CVE-2025-27833 to #19775 add patch to fix CVE-2025-27833 Project: TC2024080204
Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
---
 bugfix-for-cve-2025-27833.patch | 35 +++++++++++++++++++++++++++++++++
 ghostscript.spec | 10 +++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 bugfix-for-cve-2025-27833.patch
diff --git a/bugfix-for-cve-2025-27833.patch b/bugfix-for-cve-2025-27833.patch
new file mode 100644
index 0000000..374e954
--- /dev/null
+++ b/bugfix-for-cve-2025-27833.patch
@@ -0,0 +1,35 @@
+From 477e36cfa1faa0037069a22eeeb4fc750733f120 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Mon, 20 Jan 2025 09:38:59 +0000
+Subject: Bug 708259: Check TTF name size before copying to buffer.
+
+CVE-2025-27833
+---
+ pdf/pdf_fmap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pdf/pdf_fmap.c b/pdf/pdf_fmap.c
+index 5ddf229da..328d8db86 100644
+--- a/pdf/pdf_fmap.c
++++ b/pdf/pdf_fmap.c
+@@ -751,7 +751,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4]
+ int nl = u16(rec + 8);
+ int noffs = u16(rec + 10);
+
+- if (nl + noffs + storageOffset > table_len) {
++ if (nl + noffs + storageOffset > table_len || nl >= pname_size) {
+ break;
+ }
+ memcpy(pname, namet + storageOffset + noffs, nl);
+@@ -789,7 +789,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4]
+ int nl = u16(rec + 8);
+ int noffs = u16(rec + 10);
+
+- if (nl + noffs + storageOffset > table_len) {
++ if (nl + noffs + storageOffset > table_len || nl >= pname_size) {
+ break;
+ }
+ memcpy(pname, namet + storageOffset + noffs, nl);
+--
+cgit v1.2.3
+
diff --git a/ghostscript.spec b/ghostscript.spec
index f9deacf..f6f1494 100644
--- a/ghostscript.spec
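Review bot: In bugfix-for-cve-2025-27833.patch, the added `nl >= pname_size` bound appears verbatim at both name-record sites of pdfi_ttf_add_to_native_map (the embedded hunks at -751 and -789), and neither says why the comparison is `>=` rather than `>`. Presumably one byte of `pname` is reserved for a terminator written after the `memcpy`, but that write is outside both hunks, so it should be confirmed and recorded next to the check, e.g. `/* nl is read from the font's name table (untrusted): keep nl < pname_size so the copy plus terminator fit in pname */`. An oversized name also takes the same `break` as the table-length check, which looks like it abandons the remaining name records rather than skipping one; if that is intended, the comment should say so. The declaration of `pname_size` is not visible here either, so it is worth confirming that it exists in the packaged 10.03.0 source and that the patch applies without fuzz.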
+++ b/ghostscript.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %global _hardened_build 1
 %global _docdir_fmt %{name}
@@ -69,6 +69,11 @@ Patch6: bugfix-for-cve-2025-27831.patch
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=36ac25fca7b
 Patch7: bugfix-for-cve-2025-27832.patch
+# CVE-2025-27833
+# Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708259
+# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=477e36cfa1f
+Patch8: bugfix-for-cve-2025-27833.patch
+
 %description
 Ghostscript is an interpreter for PostScript® and Portable Document Format (PDF) files.
@@ -263,6 +268,9 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %changelog
+* Thu Apr 24 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 10.03.0-2
+- Fix CVE-2025-27833
+
 * Thu Apr 24 2025 zjl02254423 - 10.03.0-1
 - Update vesion to fix CVE-2024-29508
--
Gitee
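Review bot: The `Patch8:` declaration in the -69 hunk only registers the file; nothing in the visible hunks shows it being applied, and the `%prep` section is outside the diff. If `%prep` uses `%autosetup -p1` the patch is picked up automatically, but if it lists patches explicitly, a matching line such as `%patch -P8 -p1` is needed or the package ships release 2 with the CVE-2025-27833 fix unapplied. Please confirm which form `%prep` uses. It is also worth checking in the build log that pdf/pdf_fmap.c was actually patched.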