diff --git a/Bugfix-for-CVE-2024-29510.patch b/Bugfix-for-CVE-2024-29510.patch
deleted file mode 100644
index f3f6e7fbc7e53312936d1d7d0e43d151a005ec14..0000000000000000000000000000000000000000
--- a/Bugfix-for-CVE-2024-29510.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 6084990327177c0e3409d063e4d40c7dfed2e97d Mon Sep 17 00:00:00 2001
-From: root
-Date: Thu, 11 Jul 2024 16:26:10 +0800
-Subject: [PATCH] Bugfix for CVE-2024-29510
-
----
- devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
- 1 file changed, 31 insertions(+)
-
-diff --git a/devices/gdevupd.c b/devices/gdevupd.c
-index 740dae0..0eac02b 100644
---- a/devices/gdevupd.c
-+++ b/devices/gdevupd.c
-@@ -1887,6 +1887,16 @@ out on this copies.
- if(!upd_strings[i]) continue;
- UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
- if(0 == code) {
-+ if (gs_is_path_control_active(udev->memory)) {
-+ if (strings[i].size != value.size)
-+ error = gs_error_invalidaccess;
-+ else {
-+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
-+ error = gs_error_invalidaccess;
-+ }
-+ if (error < 0)
-+ goto exit;
-+ }
- if(0 <= error) error |= UPD_PUT_STRINGS;
- UPD_MM_DEL_PARAM(udev->memory, strings[i]);
- if(!value.size) {
-@@ -1904,6 +1914,26 @@ out on this copies.
- if(!upd_string_a[i]) continue;
- UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
- if(0 == code) {
-+ if (gs_is_path_control_active(udev->memory)) {
-+ if (string_a[i].size != value.size)
-+ error = gs_error_invalidaccess;
-+ else {
-+ int loop;
-+ for (loop = 0;loop < string_a[i].size;loop++) {
-+ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
-+ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
-+
-+ if (tmp1->size != tmp2->size)
-+ error = gs_error_invalidaccess;
-+ else {
-+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
-+ error = gs_error_invalidaccess;
-+ }
-+ }
-+ }
-+ if (error < 0)
-+ goto exit;
-+ }
- if(0 <= error) error |= UPD_PUT_STRING_A;
- UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
- if(!value.size) {
-@@ -2098,6 +2128,7 @@ transferred into the device-structure. In the case of "uniprint", this may
- if(0 > code) error = code;
- }
-
-+exit:
- if(0 < error) { /* Actually something loaded without error */
-
- if(!(upd = udev->upd)) {
---
-2.27.0
-
diff --git a/Bugfix-for-CVE-2024-33869.patch b/Bugfix-for-CVE-2024-33869.patch
deleted file mode 100644
index eee4be6416b688c020721f5a09fe8c9f5a318465..0000000000000000000000000000000000000000
--- a/Bugfix-for-CVE-2024-33869.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 0b257385e39b1213e5e971add5476b7da330b963 Mon Sep 17 00:00:00 2001
-From: root
-Date: Thu, 11 Jul 2024 16:33:19 +0800
-Subject: [PATCH] Bugfix for CVE-2024-33869
-
----
- base/gpmisc.c | 25 +++++++++++++++++++++++--
- 1 file changed, 23 insertions(+), 2 deletions(-)
-
-diff --git a/base/gpmisc.c b/base/gpmisc.c
-index c4a69b0..b0d5c71 100644
---- a/base/gpmisc.c
-+++ b/base/gpmisc.c
-@@ -1090,6 +1090,27 @@ gp_validate_path_len(const gs_memory_t *mem,
- rlen = len;
- }
- else {
-+ char *test = (char *)path, *test1;
-+ uint tlen = len, slen;
-+
-+ /* Look for any pipe (%pipe% or '|' specifications between path separators
-+ * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
-+ */
-+ while (tlen > 0) {
-+ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
-+ code = gs_note_error(gs_error_invalidfileaccess);
-+ goto exit;
-+ }
-+ test1 = test;
-+ slen = search_separator((const char **)&test, path + len, test1, 1);
-+ if(slen == 0)
-+ break;
-+ test += slen;
-+ tlen -= test - test1;
-+ if (test >= path + len)
-+ break;
-+ }
-+
- rlen = len+1;
- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
- if (bufferfull == NULL)
-@@ -1164,8 +1185,8 @@ gp_validate_path_len(const gs_memory_t *mem,
-
- continue;
- }
-- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
-- buffer = bufferfull + cdirstrl + dirsepstrl;
-+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
-+ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
- continue;
- }
- break;
---
-2.27.0
-
diff --git a/Bugfix-for-CVE-2024-33870.patch b/Bugfix-for-CVE-2024-33870.patch
deleted file mode 100644
index f13ae6d09c3ff2b8c8c0ffc2fdeecbae8e92af31..0000000000000000000000000000000000000000
--- a/Bugfix-for-CVE-2024-33870.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From 26b9b4262dcd6a5d2c0a494c80ba38c216a44151 Mon Sep 17 00:00:00 2001
-From: root
-Date: Thu, 11 Jul 2024 16:30:42 +0800
-Subject: [PATCH] Bugfix for CVE-2024-33870
-
----
- base/gpmisc.c | 36 ++++++++++++++++++++++++++++++++----
- 1 file changed, 32 insertions(+), 4 deletions(-)
-
-diff --git a/base/gpmisc.c b/base/gpmisc.c
-index 2b0064b..c4a69b0 100644
---- a/base/gpmisc.c
-+++ b/base/gpmisc.c
-@@ -1,4 +1,4 @@
--/* Copyright (C) 2001-2023 Artifex Software, Inc.
-+/* Copyright (C) 2001-2024 Artifex Software, Inc.
- All Rights Reserved.
-
- This software is provided AS-IS with no warranty, either express or
-@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
- const uint len,
- const char *mode)
- {
-- char *buffer, *bufferfull;
-+ char *buffer, *bufferfull = NULL;
- uint rlen;
- int code = 0;
- const char *cdirstr = gp_file_name_current();
-@@ -1096,8 +1096,10 @@ gp_validate_path_len(const gs_memory_t *mem,
- return gs_error_VMerror;
-
- buffer = bufferfull + prefix_len;
-- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
-- return gs_error_invalidfileaccess;
-+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
-+ code = gs_note_error(gs_error_invalidfileaccess);
-+ goto exit;
-+ }
- buffer[rlen] = 0;
- }
- while (1) {
-@@ -1132,9 +1134,34 @@ gp_validate_path_len(const gs_memory_t *mem,
- code = gs_note_error(gs_error_invalidfileaccess);
- }
- if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
-+ uint newlen = rlen + cdirstrl + dirsepstrl;
-+ char *newbuffer;
-+ int code;
-+
- buffer = bufferfull;
- memcpy(buffer, cdirstr, cdirstrl);
- memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
-+
-+ /* We've prepended a './' or similar for the current working directory. We need
-+ * to execute file_name_reduce on that, to eliminate any '../' or similar from
-+ * the (new) full path.
-+ */
-+ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
-+ if (newbuffer == NULL) {
-+ code = gs_note_error(gs_error_VMerror);
-+ goto exit;
-+ }
-+
-+ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
-+ newbuffer[newlen] = 0x00;
-+
-+ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
-+ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
-+ if (code != gp_combine_success) {
-+ code = gs_note_error(gs_error_invalidfileaccess);
-+ goto exit;
-+ }
-+
- continue;
- }
- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
-@@ -1153,6 +1180,7 @@ gp_validate_path_len(const gs_memory_t *mem,
- gs_path_control_flag_is_scratch_file);
- }
-
-+exit:
- gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
- #ifdef EACCES
- if (code == gs_error_invalidfileaccess)
---
-2.27.0
-
diff --git a/Bugfix-for-CVE-2024-33871.patch b/Bugfix-for-CVE-2024-33871.patch
deleted file mode 100644
index f4af83b70ee642d9c97a728d00321976a26304fb..0000000000000000000000000000000000000000
--- a/Bugfix-for-CVE-2024-33871.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 6afe688e06ca700dd4f187a80777eb1947a534a5 Mon Sep 17 00:00:00 2001
-From: root
-Date: Thu, 11 Jul 2024 16:36:21 +0800
-Subject: [PATCH] Bugfix for CVE-2024-33871
-
----
- contrib/opvp/gdevopvp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
-index 74200cf..80eb23b 100644
---- a/contrib/opvp/gdevopvp.c
-+++ b/contrib/opvp/gdevopvp.c
-@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist)
- code = param_read_string(plist, pname, &vdps);
- switch (code) {
- case 0:
-+ if (gs_is_path_control_active(dev->memory)
-+ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size
-+ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) {
-+ param_signal_error(plist, pname, gs_error_invalidaccess);
-+ return_error(gs_error_invalidaccess);
-+ }
- buff = realloc(buff, vdps.size + 1);
- memcpy(buff, vdps.data, vdps.size);
- buff[vdps.size] = 0;
---
-2.27.0
-
diff --git a/bugfix-for-cve-2024-46954.patch b/bugfix-for-cve-2024-46954.patch
deleted file mode 100644
index 4d21ad24ac32b4521bc4f3c46e5c42926d7c6d2c..0000000000000000000000000000000000000000
--- a/bugfix-for-cve-2024-46954.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 55f587dd039282316f512e1bea64218fd991f934 Mon Sep 17 00:00:00 2001
-From: Robin Watts
-Date: Tue, 18 Jun 2024 18:22:55 +0100
-Subject: Bug 707788: Fix decode_utf8 to forbid overlong encodings.
-
-These can be used by malicious code to escape directories.
-
-CVE-2024-46954
----
- base/gp_utf8.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/base/gp_utf8.c b/base/gp_utf8.c
-index c33fc3550..b78977e37 100644
---- a/base/gp_utf8.c
-+++ b/base/gp_utf8.c
-@@ -1,4 +1,4 @@
--/* Copyright (C) 2001-2023 Artifex Software, Inc.
-+/* Copyright (C) 2001-2024 Artifex Software, Inc.
- All Rights Reserved.
-
- This software is provided AS-IS with no warranty, either express or
-@@ -25,12 +25,16 @@ decode_utf8(const char **inp, unsigned int i)
- if (i < 0x80) {
- } else if ((i & 0xE0) == 0xC0) {
- i &= 0x1F;
-+ if (i == 0)
-+ goto fail_overlong;
- c = (unsigned char)*in++;
- if ((c & 0xC0) != 0x80)
- goto fail;
- i = (i<<6) | (c & 0x3f);
- } else if ((i & 0xF0) == 0xE0) {
- i &= 0xF;
-+ if (i == 0)
-+ goto fail_overlong;
- c = (unsigned char)*in++;
- if ((c & 0xC0) != 0x80)
- goto fail;
-@@ -41,6 +45,8 @@ decode_utf8(const char **inp, unsigned int i)
- i = (i<<6) | (c & 0x3f);
- } else if ((i & 0xF8) == 0xF0) {
- i &= 0x7;
-+ if (i == 0)
-+ goto fail_overlong;
- c = (unsigned char)*in++;
- if ((c & 0xC0) != 0x80)
- goto fail;
-@@ -59,6 +65,11 @@ decode_utf8(const char **inp, unsigned int i)
- /* If we fail, unread the last one, and return the unicode replacement char. */
- fail:
- in--;
-+fail_overlong:
-+ /* If we jump to here it's because we've detected an 'overlong' encoding.
-+ * While this seems harmless, it's actually illegal, for good reason;
-+ * this is typically an attempt to sneak stuff past security checks, like
-+ * "../" in paths. Fail this. */
- i = 0xfffd;
- }
- *inp = in;
---
-cgit v1.2.3
-
diff --git a/bugfix-for-cve-2025-27830.patch b/bugfix-for-cve-2025-27830.patch
deleted file mode 100644
index b705a4a709cca28dff9b5adcba2a1704a433dd2c..0000000000000000000000000000000000000000
--- a/bugfix-for-cve-2025-27830.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From dc17ab3fe8cd43eeaf3f2da9bcaa30a2be69e57b Mon Sep 17 00:00:00 2001
-From: Zdenek Hutyra
-Date: Mon, 13 Jan 2025 09:15:01 +0000
-Subject: Bug 708241: Fix potential Buffer overflow with DollarBlend
-
-During serializing a multiple master font for passing to Freetype.
-
-Use CVE-2025-27830
----
- base/write_t1.c | 9 +++++----
- psi/zfapi.c | 9 +++++++--
- 2 files changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/base/write_t1.c b/base/write_t1.c
-index 1faaeb583..6b4482d04 100644
---- a/base/write_t1.c
-+++ b/base/write_t1.c
-@@ -1,4 +1,4 @@
--/* Copyright (C) 2001-2023 Artifex Software, Inc.
-+/* Copyright (C) 2001-2025 Artifex Software, Inc.
- All Rights Reserved.
-
- This software is provided AS-IS with no warranty, either express or
-@@ -628,6 +628,7 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
- WRF_wbyte(a_fapi_font->memory, a_output, '\n');
- if (is_MM_font(a_fapi_font)) {
- short x, x2;
-+ unsigned short ux;
- float x1;
- uint i, j, entries;
- char Buffer[255];
-@@ -759,16 +760,16 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
- */
- code = a_fapi_font->get_word(a_fapi_font,
- gs_fapi_font_feature_DollarBlend_length,
-- 0, (unsigned short *)&x);
-+ 0, &ux);
- if (code < 0)
- return code;
-
-- if (x > 0) {
-+ if (ux > 0) {
- int len;
- WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {");
-
- if (a_output->m_count)
-- a_output->m_count += x;
-+ a_output->m_count += ux;
- len = a_fapi_font->get_proc(a_fapi_font,
- gs_fapi_font_feature_DollarBlend, 0,
- (char *)a_output->m_pos);
-diff --git a/psi/zfapi.c b/psi/zfapi.c
-index fc6141d6b..fc342a81e 100644
---- a/psi/zfapi.c
-+++ b/psi/zfapi.c
-@@ -689,7 +689,7 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
- /* When reading the real proc, we add a space between each entry */
- length++;
- if (array_get(ff->memory, DBlend, i, &Element) < 0) {
-- *ret = 0;
-+ length = 0;
- break;
- }
- switch (r_btype(&Element)) {
-@@ -716,7 +716,12 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
- default:
- break;
- }
-- }
-+
-+ if (length > max_ushort) {
-+ length = 0;
-+ break;
-+ }
-+ }
- *ret = length;
- break;
- }
---
-cgit v1.2.3
-
diff --git a/bugfix-for-cve-2025-27831.patch b/bugfix-for-cve-2025-27831.patch
deleted file mode 100644
index 36762d600162be0f22f6648afb0a82f5c7d4560b..0000000000000000000000000000000000000000
--- a/bugfix-for-cve-2025-27831.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From e4db46d7529a13b93a96d2f59f34f8286a1124a6 Mon Sep 17 00:00:00 2001
-From: Zdenek Hutyra
-Date: Thu, 21 Nov 2024 10:04:17 +0000
-Subject: Prevent Unicode decoding overrun
-
-Bug #708132 "Text buffer overflow with long characters"
-
-The txt_get_unicode function was copying too few bytes from the
-fixed glyph name to unicode mapping tables. This was probably
-causing incorrect Unicode code points in relatively rare cases but
-not otherwise a problem.
-
-However, a badly formed GlyphNames2Unicode array attached to a font
-could cause the decoding to spill over the assigned buffer.
-
-We really should rewrite the Unicode handling, but until we do just
-checking that the length is no more than 4 Unicode code points is
-enough to prevent an overrun. All the current clients allocate at least
-4 code points per character code.
-
-Added a comment to explain the magic number.
-
-CVE-2025-27831
----
- devices/vector/doc_common.c | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/devices/vector/doc_common.c b/devices/vector/doc_common.c
-index 690f8eaed..05fb3d51f 100644
---- a/devices/vector/doc_common.c
-+++ b/devices/vector/doc_common.c
-@@ -479,7 +479,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
- }
- if (strlen(dentry->Glyph) == gnstr.size) {
- if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) {
-- memcpy(Buffer, dentry->Unicode, 2);
-+ memcpy(Buffer, dentry->Unicode, 2 * sizeof(unsigned short));
- return 2;
- }
- }
-@@ -497,7 +497,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
- }
- if (strlen(tentry->Glyph) == gnstr.size) {
- if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) {
-- memcpy(Buffer, tentry->Unicode, 3);
-+ memcpy(Buffer, tentry->Unicode, 3 * sizeof(unsigned short));
- return 3;
- }
- }
-@@ -515,7 +515,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
- }
- if (strlen(qentry->Glyph) == gnstr.size) {
- if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) {
-- memcpy(Buffer, qentry->Unicode, 4);
-+ memcpy(Buffer, qentry->Unicode, 4 * sizeof(unsigned short));
- return 4;
- }
- }
-@@ -527,12 +527,16 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
- return 1;
- } else {
- char *b, *u;
-- int l = length - 1;
-+ int l;
-
- /* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly
- * 2 bytes. If we got an odd number, give up and return the character code.
-+ *
-+ * The magic number here is due to the clients calling this code. Currently txtwrite and docxwrite
-+ * allow up to 4 Unicode values per character/glyph, if the length would exceed that we can't
-+ * write it. For now, again, fall back to the character code.
- */
-- if (length & 1) {
-+ if (length & 1 || length > 4 * sizeof(unsigned short)) {
- *Buffer = fallback;
- return 1;
- }
---
-cgit v1.2.3
-
diff --git a/bugfix-for-cve-2025-27832.patch b/bugfix-for-cve-2025-27832.patch
deleted file mode 100644
index 4451a32c9d6c7a50c0995c55aec27e5f97dcbaed..0000000000000000000000000000000000000000
--- a/bugfix-for-cve-2025-27832.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 36ac25fca7ba65a2a24d96d553e8dd63990210b9 Mon Sep 17 00:00:00 2001
-From: Zdenek Hutyra
-Date: Wed, 20 Nov 2024 11:42:31 +0000
-Subject: Bug 708133: Avoid integer overflow leading to buffer overflow
-
-The calculation of the buffer size was being done with int values, and
-overflowing that data type. By leaving the total size calculation to the
-memory manager, the calculation ends up being done in size_t values, and
-avoiding the overflow in this case, but also meaning the memory manager
-overflow protection will be effective.
-
-CVE-2025-27832
----
- contrib/japanese/gdevnpdl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
-index 60065bacf..4967282bd 100644
---- a/contrib/japanese/gdevnpdl.c
-+++ b/contrib/japanese/gdevnpdl.c
-@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
- int code;
- int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
-
-- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
-+ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
- return_error(gs_error_VMerror);
-
- /* Initialize printer */
-@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
- /* Form Feed */
- gp_fputs("\014", prn_stream);
-
-- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
-+ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
- return 0;
- }
-
---
-cgit v1.2.3
-
diff --git a/bugfix-for-cve-2025-27833.patch b/bugfix-for-cve-2025-27833.patch
deleted file mode 100644
index 374e95444b7facda9925ae7aac1af56341fd84ed..0000000000000000000000000000000000000000
--- a/bugfix-for-cve-2025-27833.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 477e36cfa1faa0037069a22eeeb4fc750733f120 Mon Sep 17 00:00:00 2001
-From: Zdenek Hutyra
-Date: Mon, 20 Jan 2025 09:38:59 +0000
-Subject: Bug 708259: Check TTF name size before copying to buffer.
-
-CVE-2025-27833
----
- pdf/pdf_fmap.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/pdf/pdf_fmap.c b/pdf/pdf_fmap.c
-index 5ddf229da..328d8db86 100644
---- a/pdf/pdf_fmap.c
-+++ b/pdf/pdf_fmap.c
-@@ -751,7 +751,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4]
- int nl = u16(rec + 8);
- int noffs = u16(rec + 10);
-
-- if (nl + noffs + storageOffset > table_len) {
-+ if (nl + noffs + storageOffset > table_len || nl >= pname_size) {
- break;
- }
- memcpy(pname, namet + storageOffset + noffs, nl);
-@@ -789,7 +789,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4]
- int nl = u16(rec + 8);
- int noffs = u16(rec + 10);
-
-- if (nl + noffs + storageOffset > table_len) {
-+ if (nl + noffs + storageOffset > table_len || nl >= pname_size) {
- break;
- }
- memcpy(pname, namet + storageOffset + noffs, nl);
---
-cgit v1.2.3
-
diff --git a/bugfix-for-cve-2025-27834.patch b/bugfix-for-cve-2025-27834.patch
deleted file mode 100644
index aaf75db2d619dba863909534dc3ede35b5ea7072..0000000000000000000000000000000000000000
--- a/bugfix-for-cve-2025-27834.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 3885f8307726fa7611b39fa1376403406bdbd55c Mon Sep 17 00:00:00 2001
-From: Zdenek Hutyra
-Date: Mon, 20 Jan 2025 16:13:46 +0000
-Subject: PDF interpreter - Guard against unsigned int overflow
-
-Bug #708253 - see bug report for details.
-
-CVE-2025-27834
----
- pdf/pdf_func.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/pdf/pdf_func.c b/pdf/pdf_func.c
-index 635fdac54..93492c783 100644
---- a/pdf/pdf_func.c
-+++ b/pdf/pdf_func.c
-@@ -153,6 +153,9 @@ pdfi_parse_type4_func_stream(pdf_context *ctx, pdf_c_stream *function_stream, in
- byte *p = (ops ? ops + *size : NULL);
-
- while (1) {
-+ if (*size > max_uint / 2)
-+ return gs_note_error(gs_error_VMerror);
-+
- c = pdfi_read_byte(ctx, function_stream);
- if (c < 0)
- break;
-@@ -321,6 +324,11 @@ pdfi_build_function_4(pdf_context *ctx, gs_function_params_t * mnDR,
- if (code < 0)
- goto function_4_error;
-
-+ if (size > max_uint - 1) {
-+ code = gs_note_error(gs_error_VMerror);
-+ goto function_4_error;
-+ }
-+
- ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_function_4(ops)");
- if (ops == NULL) {
- code = gs_error_VMerror;
-@@ -825,6 +833,11 @@ int pdfi_build_halftone_function(pdf_context *ctx, gs_function_t ** ppfn, byte *
- if (code < 0)
- goto halftone_function_error;
-
-+ if (size > max_uint - 1) {
-+ code = gs_note_error(gs_error_VMerror);
-+ goto halftone_function_error;
-+ }
-+
- ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_halftone_function(ops)");
- if (ops == NULL) {
- code = gs_error_VMerror;
---
-cgit v1.2.3
-
diff --git a/bugfix-for-cve-2025-27835.patch b/bugfix-for-cve-2025-27835.patch
deleted file mode 100644
index c955a3af605e86211376a668bcbdb2b5de55e389..0000000000000000000000000000000000000000
--- a/bugfix-for-cve-2025-27835.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 920fae688705b3a25a1f8925f3837219a6243565 Mon Sep 17 00:00:00 2001
-From: Zdenek Hutyra
-Date: Wed, 20 Nov 2024 11:27:52 +0000
-Subject: Bug 708131: Fix confusion between bytes and shorts
-
-We were copying data from a string in multiple of shorts, rather than multiple
-of bytes, leading to both an read (probably benign, given the memory manager)
-and write buffer overflow.
-
-CVE-2025-27835
----
- psi/zbfont.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/psi/zbfont.c b/psi/zbfont.c
-index acffb39ef..5850ab54d 100644
---- a/psi/zbfont.c
-+++ b/psi/zbfont.c
-@@ -253,7 +253,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u
- if (l > length)
- return l;
-
-- memcpy(unicode_return, v->value.const_bytes, l * sizeof(short));
-+ memcpy(unicode_return, v->value.const_bytes, l);
- return l;
- }
- if (r_type(v) == t_integer) {
---
-cgit v1.2.3
-
diff --git a/bugfix-for-cve-2025-27836.patch b/bugfix-for-cve-2025-27836.patch
deleted file mode 100644
index 6b52215cf4e4a095d3e0241576bc768f4d69bdb2..0000000000000000000000000000000000000000
--- a/bugfix-for-cve-2025-27836.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From db77f4c0ce0298625f75059cb6b8c31e61350753 Mon Sep 17 00:00:00 2001
-From: Zdenek Hutyra
-Date: Mon, 13 Jan 2025 09:07:57 +0000
-Subject: Bug 708192: Fix potential print buffer overflow
-
-CVE-2025-27836
----
- contrib/japanese/gdev10v.c | 22 ++++++++++++++++------
- 1 file changed, 16 insertions(+), 6 deletions(-)
-
-diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
-index 0bd3cec02..9d27573dc 100644
---- a/contrib/japanese/gdev10v.c
-+++ b/contrib/japanese/gdev10v.c
-@@ -199,17 +199,25 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream)
- int bytes_per_column = bits_per_column / 8;
- int x_skip_unit = bytes_per_column * (xres / 180);
- int y_skip_unit = (yres / 180);
-- byte *in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
-- /* We need one extra byte in for our sentinel. */
-- byte *out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
-+ byte *in, *out;
- int lnum = 0;
- int y_skip = 0;
- int code = 0;
- int blank_lines = 0;
- int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3;
-
-- if ( in == 0 || out == 0 )
-- return -1;
-+ if (bits_per_column == 0 || line_size > (max_int - 1) / bits_per_column) {
-+ code = gs_note_error(gs_error_rangecheck);
-+ goto error;
-+ }
-+
-+ in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
-+ /* We need one extra byte in for our sentinel. */
-+ out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
-+ if ( in == NULL || out == NULL ) {
-+ code = gs_note_error(gs_error_VMerror);
-+ goto error;
-+ }
-
- /* Initialize the printer. */
- prn_puts(pdev, "\033@");
-@@ -320,8 +328,10 @@ notz:
- }
-
- /* Eject the page */
--xit: prn_putc(pdev, 014); /* form feed */
-+xit:
-+ prn_putc(pdev, 014); /* form feed */
- prn_flush(pdev);
-+error:
- gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
- gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
- return code;
---
-cgit v1.2.3
-
diff --git a/bugfix-for-cve-2025-27837.patch b/bugfix-for-cve-2025-27837.patch
deleted file mode 100644
index 363e32e9c841381cda74c99dc060a4cc0417ae0a..0000000000000000000000000000000000000000
--- a/bugfix-for-cve-2025-27837.patch
+++ /dev/null
@@ -1,386 +0,0 @@
-From 2cc7667188d65d350f9416c8f65637e39db23112 Mon Sep 17 00:00:00 2001
-From: Zdenek Hutyra
-Date: Mon, 20 Jan 2025 14:43:42 +0000
-Subject: Windows platform code - error check UTF-8 conversions
-
-Bug #708238 see bug for details
-
-CVE-2025-27837
----
- base/gp_mswin.c | 103 +++++++++++++++++++++++++++++++++--------------------
- base/gp_ntfs.c | 14 ++++++--
- base/gp_wgetv.c | 16 ++++++---
- base/gp_winfs.c | 8 +++--
- base/gsdparam.c | 5 +--
- base/winrtsup.cpp | 6 ++--
- devices/gdevwpr2.c | 15 +++++---
- 7 files changed, 110 insertions(+), 57 deletions(-)
-
-diff --git a/base/gp_mswin.c b/base/gp_mswin.c
-index 1d995f25a..24d6de33e 100644
---- a/base/gp_mswin.c
-+++ b/base/gp_mswin.c
-@@ -365,12 +365,20 @@ BOOL gp_OpenPrinter(char *port, LPHANDLE printer)
- #ifdef METRO
- return FALSE;
- #else
-- BOOL opened;
-- wchar_t *uni = malloc(gp_utf8_to_uint16(NULL, port) * sizeof(wchar_t));
-- if (uni)
-+ BOOL opened = false;
-+ wchar_t *uni = NULL;
-+ int size = 0;
-+
-+ size = gp_utf8_to_uint16(NULL, port);
-+ if (size <= 0)
-+ return opened;
-+
-+ uni = malloc(size * sizeof(wchar_t));
-+ if (uni) {
- gp_utf8_to_uint16(uni, port);
-- opened = OpenPrinterW(uni, printer, NULL);
-- free(uni);
-+ opened = OpenPrinterW(uni, printer, NULL);
-+ free(uni);
-+ }
- return opened;
- #endif
- }
-@@ -515,8 +523,11 @@ FILE *mswin_popen(const char *cmd, const char *mode)
- siStartInfo.hStdError = hChildStderrWr;
-
- if (handle == 0) {
-- command = (wchar_t *)malloc(sizeof(wchar_t)*gp_utf8_to_uint16(NULL, cmd));
-- if (command)
-+ int size = gp_utf8_to_uint16(NULL, cmd);
-+
-+ if (size > 0)
-+ command = (wchar_t *)malloc(sizeof(wchar_t)*size);
-+ if (command != NULL)
- gp_utf8_to_uint16(command, cmd);
- else
- handle = -1;
-@@ -566,6 +577,18 @@ FILE *mswin_popen(const char *cmd, const char *mode)
-
- /* ------ File naming and accessing ------ */
-
-+static int limited_uint16_to_utf8(char* out, const unsigned short* in, size_t outlen)
-+{
-+ int len = gp_uint16_to_utf8(NULL, in);
-+ return (len < 0 || len > outlen) ? -1 : gp_uint16_to_utf8(out, in);
-+}
-+
-+static int limited_utf8_to_uint16(unsigned short* out, const char* in, size_t outlen)
-+{
-+ int len = gp_utf8_to_uint16(NULL, in);
-+ return (len < 0 || len > outlen) ? -1 : gp_utf8_to_uint16(out, in);
-+}
-+
- /* Create and open a scratch file with a given name prefix. */
- /* Write the actual file name at fname. */
- FILE *
-@@ -599,9 +622,15 @@ gp_open_scratch_file_impl(const gs_memory_t *mem,
- * local encoding. */
- l = GetTempPathWRT(_MAX_PATH, wTempDir);
- #else
-- GetTempPathW(_MAX_PATH, wTempDir);
-+ l = GetTempPathW(_MAX_PATH, wTempDir);
- #endif
-- l = gp_uint16_to_utf8(sTempDir, wTempDir);
-+ if (l == 0 || l > _MAX_PATH)
-+ return NULL;
-+
-+ l = limited_uint16_to_utf8(sTempDir, wTempDir, _MAX_PATH);
-+ /* gp_uint16_to_utf8 returns a count including the terminator */
-+ if (l < 1)
-+ return NULL;
- } else
- l = strlen(sTempDir);
- } else {
-@@ -614,14 +643,17 @@ gp_open_scratch_file_impl(const gs_memory_t *mem,
- sTempDir[l-1] = '\\'; /* What Windoze prefers */
-
- if (l <= _MAX_PATH) {
-- gp_utf8_to_uint16(wTempDir, sTempDir);
-- gp_utf8_to_uint16(wPrefix, prefix);
-+ if (limited_utf8_to_uint16(wTempDir, sTempDir, _MAX_PATH) < 0)
-+ return NULL;
-+ if (limited_utf8_to_uint16(wPrefix, prefix, _MAX_PATH) < 0)
-+ return NULL;
-+
- #ifdef METRO
- n = GetTempFileNameWRT(wTempDir, wPrefix, wTempFileName);
- #else
-- GetTempFileNameW(wTempDir, wPrefix, 0, wTempFileName);
-+ n = GetTempFileNameW(wTempDir, wPrefix, 0, wTempFileName);
- #endif
-- n = gp_uint16_to_utf8(sTempFileName, wTempFileName);
-+
- if (n == 0) {
- /* If 'prefix' is not a directory, it is a path prefix. */
- int l = strlen(sTempDir), i;
-@@ -636,38 +668,32 @@ gp_open_scratch_file_impl(const gs_memory_t *mem,
- }
- }
- if (i > 0) {
-- gp_utf8_to_uint16(wPrefix, sTempDir + i);
-+ if (limited_utf8_to_uint16(wTempDir, sTempDir, _MAX_PATH) < 0)
-+ return NULL;
-+ if (limited_utf8_to_uint16(wPrefix, sTempDir + i, _MAX_PATH) < 0)
-+ return NULL;
- #ifdef METRO
-- GetTempFileNameWRT(wTempDir, wPrefix, wTempFileName);
-+ n = GetTempFileNameWRT(wTempDir, wPrefix, wTempFileName);
- #else
-- GetTempFileNameW(wTempDir, wPrefix, 0, wTempFileName);
-+ n = GetTempFileNameW(wTempDir, wPrefix, 0, wTempFileName);
- #endif
-- n = gp_uint16_to_utf8(sTempFileName, wTempFileName);
- }
- }
-- if (n != 0) {
-- int len = gp_utf8_to_uint16(NULL, sTempFileName);
-- wchar_t *uni = (len > 0 ? malloc(sizeof(wchar_t)*len) : NULL);
-- if (uni == NULL)
-- hfile = INVALID_HANDLE_VALUE;
-- else {
-- gp_utf8_to_uint16(uni, sTempFileName);
-+ if (n > 0) {
- #ifdef METRO
-- hfile = CreateFile2(uni,
-- GENERIC_READ | GENERIC_WRITE | DELETE,
-- FILE_SHARE_READ | FILE_SHARE_WRITE,
-- CREATE_ALWAYS | (remove ? FILE_FLAG_DELETE_ON_CLOSE : 0),
-- NULL);
-+ hfile = CreateFile2(wTempFileName,
-+ GENERIC_READ | GENERIC_WRITE | DELETE,
-+ FILE_SHARE_READ | FILE_SHARE_WRITE,
-+ CREATE_ALWAYS | (remove ? FILE_FLAG_DELETE_ON_CLOSE : 0),
-+ NULL);
- #else
-- hfile = CreateFileW(uni,
-- GENERIC_READ | GENERIC_WRITE | DELETE,
-- FILE_SHARE_READ | FILE_SHARE_WRITE,
-- NULL, CREATE_ALWAYS,
-- FILE_ATTRIBUTE_NORMAL | (remove ? FILE_FLAG_DELETE_ON_CLOSE : 0),
-- NULL);
-+ hfile = CreateFileW(wTempFileName,
-+ GENERIC_READ | GENERIC_WRITE | DELETE,
-+ FILE_SHARE_READ | FILE_SHARE_WRITE,
-+ NULL, CREATE_ALWAYS,
-+ FILE_ATTRIBUTE_NORMAL | (remove ? FILE_FLAG_DELETE_ON_CLOSE : 0),
-+ NULL);
- #endif
-- free(uni);
-- }
- }
- }
- if (hfile != INVALID_HANDLE_VALUE) {
-@@ -681,7 +707,8 @@ gp_open_scratch_file_impl(const gs_memory_t *mem,
- }
- }
- if (f != NULL) {
-- if ((strlen(sTempFileName) < gp_file_name_sizeof))
-+ l = limited_uint16_to_utf8(sTempFileName, wTempFileName, _MAX_PATH);
-+ if (l >= 0 && (strlen(sTempFileName) < gp_file_name_sizeof))
- strncpy(fname, sTempFileName, gp_file_name_sizeof - 1);
- else {
- /* The file name is too long. */
-diff --git a/base/gp_ntfs.c b/base/gp_ntfs.c
-index bf2a9805f..3419aca1b 100644
---- a/base/gp_ntfs.c
-+++ b/base/gp_ntfs.c
-@@ -231,7 +231,7 @@ gp_enumerate_files_next_impl(gs_memory_t * mem, file_enum * pfen, char *ptr, uin
- {
- directory_enum *new_denum = NULL, *pden = pfen->current;
- int code = 0;
-- uint len;
-+ uint len, outsize = (sizeof(pden->find_data.cFileName)*3+1)/2;
- char outfname[(sizeof(pden->find_data.cFileName)*3+1)/2];
-
- if (pfen->illegal) {
-@@ -241,8 +241,12 @@ gp_enumerate_files_next_impl(gs_memory_t * mem, file_enum * pfen, char *ptr, uin
-
- for(;;) {
- if (pden->first_time) {
-- wchar_t *pat;
-- pat = malloc(gp_utf8_to_uint16(NULL, pden->pattern)*sizeof(wchar_t));
-+ wchar_t *pat = NULL;
-+ int size = 0;
-+
-+ size = gp_utf8_to_uint16(NULL, pden->pattern);
-+ if (size > 0)
-+ pat = malloc(size*sizeof(wchar_t));
- if (pat == NULL) {
- code = -1;
- break;
-@@ -319,6 +323,10 @@ gp_enumerate_files_next_impl(gs_memory_t * mem, file_enum * pfen, char *ptr, uin
- gp_enumerate_files_close(mem, pfen);
- return ~(uint) 0;
- }
-+ len = gp_uint16_to_utf8(outfname, pden->find_data.cFileName);
-+ if (len >= outsize)
-+ return ~(uint) 0;
-+
- gp_uint16_to_utf8(outfname, pden->find_data.cFileName);
- len = strlen(outfname);
-
-diff --git a/base/gp_wgetv.c b/base/gp_wgetv.c
-index d4185a399..ad97de631 100644
---- a/base/gp_wgetv.c
-+++ b/base/gp_wgetv.c
-@@ -39,8 +39,8 @@ gp_getenv_registry(HKEY hkeyroot, const wchar_t *key, const char *name,
- LONG rc;
- wchar_t *wptr;
- wchar_t *wp = NULL;
-- wchar_t *wname;
-- int l = -1;
-+ wchar_t *wname = NULL;
-+ int l = -1, size = 0;
-
- if (*plen) {
- wp = malloc((*plen)*sizeof(wchar_t));
-@@ -49,7 +49,10 @@ gp_getenv_registry(HKEY hkeyroot, const wchar_t *key, const char *name,
- }
- wptr = wp;
-
-- wname = malloc(gp_utf8_to_uint16(NULL, name)*sizeof(wchar_t));
-+ size = gp_utf8_to_uint16(NULL, name);
-+ if (size >= 0)
-+ wname = malloc(size*sizeof(wchar_t));
-+
- if (wname == NULL) {
- if (wp)
- free(wp);
-@@ -113,10 +116,13 @@ gp_getenv_registry(HKEY hkeyroot, const wchar_t *key, const char *name,
- int
- gp_getenv(const char *name, char *ptr, int *plen)
- {
-- wchar_t *wname;
-+ wchar_t *wname = NULL;
- wchar_t *str;
-+ int size;
-
-- wname = malloc(gp_utf8_to_uint16(NULL, name)*sizeof(wchar_t));
-+ size = gp_utf8_to_uint16(NULL, name);
-+ if (size >= 0)
-+ wname = malloc(size*sizeof(wchar_t));
- if (wname == NULL) {
- return -1;
- }
-diff --git a/base/gp_winfs.c b/base/gp_winfs.c
-index abb376bbb..a0d9ea83b 100644
---- a/base/gp_winfs.c
-+++ b/base/gp_winfs.c
-@@ -44,8 +44,12 @@ gp_fopen_impl(gs_memory_t *mem, const char *fname, const char *mode)
- if (uni == NULL)
- return NULL;
- gp_utf8_to_uint16(uni, fname);
-- gp_utf8_to_uint16(wmode, mode);
-- file = _wfopen(uni, wmode);
-+
-+ len = gp_utf8_to_uint16(NULL, mode);
-+ if (len >= 0) {
-+ gp_utf8_to_uint16(wmode, mode);
-+ file = _wfopen(uni, wmode);
-+ }
- gs_free_object(mem, uni, "gs_fopen_impl");
-
- return file;
-diff --git a/base/gsdparam.c b/base/gsdparam.c
-index 5552ee4cb..80ba7cfcb 100644
---- a/base/gsdparam.c
-+++ b/base/gsdparam.c
-@@ -1532,7 +1532,7 @@ gx_default_put_icc_colorants(gs_param_string *colorants, gx_device * dev)
- char *tempstr;
- int code;
- int len;
-- unsigned short *tempstr2;
-+ unsigned short *tempstr2 = NULL;
- unsigned short *s;
- char *d;
-
-@@ -1554,7 +1554,8 @@ g x_default_put_icc_colorants(gs_param_string *colorants, gx_device * dev)
- * UTF-8 chars that do not decode to 8 bits will be flagged up as a rangecheck.
- */
- len = gp_utf8_to_uint16(NULL, tempstr);
-- tempstr2 = (unsigned short *)gs_alloc_bytes(dev->memory, len * sizeof(unsigned short),
-+ if (len >= 0)
-+ tempstr2 = (unsigned short *)gs_alloc_bytes(dev->memory, len * sizeof(unsigned short),
- "gx_default_put_icc_colorants");
- if (tempstr2 == NULL)
- {
-diff --git a/base/winrtsup.cpp b/base/winrtsup.cpp
-index 937825201..e607130c5 100644
---- a/base/winrtsup.cpp
-+++ b/base/winrtsup.cpp
-@@ -78,7 +78,7 @@ extern "C" UINT GetTempFileNameWRT(LPCWSTR lpPathName, LPCWSTR lpPrefixString, L
- path.push_back('\\');
-
- if (path.length() > _MAX_PATH - 14)
-- return ERROR_BUFFER_OVERFLOW;
-+ return 0;
-
- GetSystemTimeAsFileTime(&systemTimeAsFileTime);
-
-@@ -110,11 +110,11 @@ extern "C" UINT GetTempFileNameWRT(LPCWSTR lpPathName, LPCWSTR lpPrefixString, L
- time++;
- }
-
-- return ERROR_BUFFER_OVERFLOW;
-+ return 0;
- }
- catch(...)
- {
-- return ERROR_BUFFER_OVERFLOW;
-+ return 0;
- }
- }
-
-diff --git a/devices/gdevwpr2.c b/devices/gdevwpr2.c
-index 666280a69..e7edbc616 100644
---- a/devices/gdevwpr2.c
-+++ b/devices/gdevwpr2.c
-@@ -1079,7 +1079,7 @@ win_pr2_getdc(gx_device_win_pr2 * wdev)
- HANDLE hprinter = NULL;
-
- /* fall back to prompting user */
-- int result = FALSE;
-+ int result = FALSE, size;
-
- WCHAR* unidev = NULL;
- WCHAR* unidriver = NULL;
-@@ -1103,7 +1103,10 @@ win_pr2_getdc(gx_device_win_pr2 * wdev)
- wchar_t *devices;
- wchar_t *p;
- int devices_size = 128, returned_length = 0;
-- unidev = malloc(gp_utf8_to_uint16(NULL, device)*sizeof(wchar_t));
-+
-+ size = gp_utf8_to_uint16(NULL, device);
-+ if (size >= 0)
-+ unidev = malloc(size*sizeof(wchar_t));
- if (unidev == NULL)
- goto cleanup;
- gp_utf8_to_uint16(unidev, device);
-@@ -1144,12 +1147,16 @@ win_pr2_getdc(gx_device_win_pr2 * wdev)
- driver = gs_strtok(driverbuf, ",", &dbuflast);
- output = gs_strtok(NULL, ",", &dbuflast);
-
-- unidriver = malloc(gp_utf8_to_uint16(NULL, driver) * sizeof(wchar_t));
-+ size =
gp_utf8_to_uint16(NULL, driver); -+ if (size >= 0) -+ unidriver = malloc(size * sizeof(wchar_t)); - if (unidriver == NULL) - goto cleanup; - gp_utf8_to_uint16(unidriver, driver); - -- unioutput = malloc(gp_utf8_to_uint16(NULL, output) * sizeof(wchar_t)); -+ size = gp_utf8_to_uint16(NULL, output); -+ if (size >= 0) -+ unioutput = malloc(size * sizeof(wchar_t)); - if (unioutput == NULL) - goto cleanup; - gp_utf8_to_uint16(unioutput, output); --- -cgit v1.2.3 - diff --git a/bugfix-for-cve-2025-46646.patch b/bugfix-for-cve-2025-46646.patch deleted file mode 100644 index 779acfc8e76965fb06dab4502e04576848d1da98..0000000000000000000000000000000000000000 --- a/bugfix-for-cve-2025-46646.patch +++ /dev/null 
@@ -1,152 +0,0 @@ -From f14ea81e6c3d2f51593f23cdf13c4679a18f1a3f Mon Sep 17 00:00:00 2001 -From: Robin Watts -Date: Tue, 4 Mar 2025 16:24:33 +0000 -Subject: Bug 708311: Fix the fix for CVE-2024-46954. - -The previous fix for CVE-2024-46954 was still failing to -spot a certain subset of 2 byte sequences as being overlong. - -1 byte sequences (0xxxxxxx) encode 7 payload bits. - -2 byte sequences (110xxxxx 10xxxxxx) only manage to encode 6 -payload bits in the second (lowest) byte. - -Thus the test for an overlong 2 byte encoding is not "is the -value of the payload bits in the first byte 0", but rather -"is the value of the payload bits in the first byte smaller -than 2". - -Credit for spotting the problem and the initial version of the -fix is due to truff (https://x.com/truffzor). - -Another issue spotted, and fixed here, is that it's illegal to -encode high/low surrogates within UTF-8 (as the values they -represent should be encoded directly). - -Finally, we need 21 bits of coverage to get all possible -unicode values. 4 byte UTF-8 encodings give us 21 bits of data -as required, but there are values within this 21 bit range -that are not valid unicode chars. So spot these and reject -them too. 
---- - base/gp_utf8.c | 69 ++++++++++++++++++++++++++++++++++++++-------------------- - 1 file changed, 46 insertions(+), 23 deletions(-) - -diff --git a/base/gp_utf8.c b/base/gp_utf8.c -index b78977e37..36abab0d6 100644 ---- a/base/gp_utf8.c -+++ b/base/gp_utf8.c -@@ -17,64 +17,87 @@ - #include "gp_utf8.h" - - static int --decode_utf8(const char **inp, unsigned int i) -+decode_utf8(const char **inp, unsigned int leading_byte) - { - const char *in = *inp; - unsigned char c; -- -- if (i < 0x80) { -- } else if ((i & 0xE0) == 0xC0) { -- i &= 0x1F; -- if (i == 0) -+ unsigned int codepoint; -+ -+ if (leading_byte < 0x80) { -+ codepoint = leading_byte; -+ } else if ((leading_byte & 0xE0) == 0xC0) { -+ codepoint = leading_byte & 0x1F; -+ /* Any encoded value that fails to use bit 1 upwards of this -+ * byte would have been better encoded in a short form. */ -+ if (codepoint < 2) - goto fail_overlong; - c = (unsigned char)*in++; - if ((c & 0xC0) != 0x80) - goto fail; -- i = (i<<6) | (c & 0x3f); -- } else if ((i & 0xF0) == 0xE0) { -- i &= 0xF; -- if (i == 0) -+ codepoint = (codepoint<<6) | (c & 0x3f); -+ } else if ((leading_byte & 0xF0) == 0xE0) { -+ codepoint = leading_byte & 0xF; -+ /* Any encoding that does not use any of the data bits in this -+ * byte would have been better encoded in a shorter form. */ -+ if (codepoint == 0) - goto fail_overlong; - c = (unsigned char)*in++; - if ((c & 0xC0) != 0x80) - goto fail; -- i = (i<<6) | (c & 0x3f); -+ codepoint = (codepoint<<6) | (c & 0x3f); - c = (unsigned char)*in++; - if ((c & 0xC0) != 0x80) - goto fail; -- i = (i<<6) | (c & 0x3f); -- } else if ((i & 0xF8) == 0xF0) { -- i &= 0x7; -- if (i == 0) -+ codepoint = (codepoint<<6) | (c & 0x3f); -+ } else if ((leading_byte & 0xF8) == 0xF0) { -+ codepoint = leading_byte & 0x7; -+ /* Any encoding that does not use any of the data bits in this -+ * byte would have been better encoded in a shorter form. 
*/ -+ if (codepoint == 0) - goto fail_overlong; - c = (unsigned char)*in++; - if ((c & 0xC0) != 0x80) - goto fail; -- i = (i<<6) | (c & 0x3f); -+ codepoint = (codepoint<<6) | (c & 0x3f); - c = (unsigned char)*in++; - if ((c & 0xC0) != 0x80) - goto fail; -- i = (i<<6) | (c & 0x3f); -+ codepoint = (codepoint<<6) | (c & 0x3f); - c = (unsigned char)*in++; - if ((c & 0xC0) != 0x80) - goto fail; -- i = (i<<6) | (c & 0x3f); -+ codepoint = (codepoint<<6) | (c & 0x3f); -+ /* Check for UTF-16 surrogates which are invalid in UTF-8 */ -+ if (codepoint >= 0xD800 && codepoint <= 0xDFFF) -+ goto fail_overlong; -+ /* Codepoints 0 to 0xFFFF (other than the surrogate pair -+ * ranges) can be coded for trivially. We can code for -+ * codepoints up to 0x10FFFF using surrogate pairs. -+ * Anything higher than that is forbidden. */ -+ if (codepoint > 0x10FFFF) -+ goto fail_overlong; - } -- if (0) -+ else - { -- /* If we fail, unread the last one, and return the unicode replacement char. */ -+ /* Longer UTF-8 encodings give more than 21 bits of data. -+ * The longest we can encode in utf-16 (even using surrogate -+ * pairs is 20 bits, so all these should fail. */ -+ if (0) -+ { -+ /* If we fail, unread the last one, and return the unicode replacement char. */ - fail: -- in--; -+ in--; -+ } - fail_overlong: - /* If we jump to here it's because we've detected an 'overlong' encoding. - * While this seems harmless, it's actually illegal, for good reason; - * this is typically an attempt to sneak stuff past security checks, like - * "../" in paths. Fail this. */ -- i = 0xfffd; -+ codepoint = 0xfffd; - } - *inp = in; - -- return i; -+ return codepoint; - } - - int gp_utf8_to_uint16(unsigned short *out, const char *in) --- -cgit v1.2.3 - 
diff --git a/ghostscript-10.03.0.tar.xz b/ghostscript-10.05.1.tar.xz
similarity index 84%
rename from ghostscript-10.03.0.tar.xz
rename to ghostscript-10.05.1.tar.xz
index 09029738e4b27ed686e0875559e69fc31150ce05..60ed4881ec9a5bd56426841eea93d542c9486a89 100644
Binary files a/ghostscript-10.03.0.tar.xz and b/ghostscript-10.05.1.tar.xz differ
diff --git a/ghostscript.spec b/ghostscript.spec
index 7224c6eb5d7e58ad6e79310447deadaeb028b5e6..d46fb7aa7bd00a892f167a324bc7c45a6073a39b 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -1,4 +1,4 @@
-%define anolis_release 7
+%define anolis_release 1
 %global _hardened_build 1
 %global _docdir_fmt %{name}
@@ -9,7 +9,7 @@ Name: ghostscript
 Summary: Interpreter for PostScript language & PDF
-Version: 10.03.0
+Version: 10.05.1
 Release: %{anolis_release}%{?dist}
 License: AGPLv3+
 URL: https://ghostscript.com/
@@ -36,63 +36,63 @@ Patch0: ghostscript-10.01.0-fix-linkage.patch
 # CVE-2024-29510
 # Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-29510
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e8db3416ab36de93e86d1f
-Patch1: Bugfix-for-CVE-2024-29510.patch
+#Patch1: Bugfix-for-CVE-2024-29510.patch
 # CVE-2024-33870
 # Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-33870
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc3da2dc090450407d9fbcff80
-Patch2: Bugfix-for-CVE-2024-33870.patch
+#Patch2: Bugfix-for-CVE-2024-33870.patch
 # CVE-2024-33869
 # Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-33869
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973011796bd388cd5befa1a43
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4
-Patch3: Bugfix-for-CVE-2024-33869.patch
+#Patch3: Bugfix-for-CVE-2024-33869.patch
 # CVE-2024-33871
 # Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-33871
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908
-Patch4: Bugfix-for-CVE-2024-33871.patch
+#Patch4: Bugfix-for-CVE-2024-33871.patch
 # CVE-2025-27830
 # Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708241
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=dc17ab3fe8c
-Patch5: bugfix-for-cve-2025-27830.patch
+#Patch5: bugfix-for-cve-2025-27830.patch
 # CVE-2025-27831
 # Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708132
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=e4db46d7529a
-Patch6: bugfix-for-cve-2025-27831.patch
+#Patch6: bugfix-for-cve-2025-27831.patch
 # CVE-2025-27832
 # Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708133
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=36ac25fca7b
-Patch7: bugfix-for-cve-2025-27832.patch
+#Patch7: bugfix-for-cve-2025-27832.patch
 # CVE-2025-27833
 # Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708259
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=477e36cfa1f
-Patch8: bugfix-for-cve-2025-27833.patch
+#Patch8: bugfix-for-cve-2025-27833.patch
 # CVE-2025-27834
 # Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708253
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3885f830772
-Patch9: bugfix-for-cve-2025-27834.patch
+#Patch9: bugfix-for-cve-2025-27834.patch
 # CVE-2025-27835
 # Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708131
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=920fae68870
-Patch10: bugfix-for-cve-2025-27835.patch
+#Patch10: bugfix-for-cve-2025-27835.patch
 # CVE-2025-27836
 # Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708192
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=db77f4c0ce0
-Patch11: bugfix-for-cve-2025-27836.patch
+#Patch11: bugfix-for-cve-2025-27836.patch
 # CVE-2025-27837
 # Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708192
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=db77f4c0ce0
-Patch12: bugfix-for-cve-2025-27837.patch
+#Patch12: bugfix-for-cve-2025-27837.patch
 # CVE-2024-46954 (parent)
 # CVE-2025-46646
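Review bot: The `+#Patch1:` through `+#Patch12:` lines keep commented-out references to patch files that this same commit deletes, so the spec now carries twelve dangling `PatchN` declarations, each still headed by its CVE, tracking-bug and upstream-fix comments; the `+#Patch13:`/`+#Patch14:` lines in the `@@ -100,8 +100,8 @@` hunk have the same problem. Either drop these blocks outright or collapse each to one line that records why the patch went away, e.g. `# CVE-2024-29510: fixed upstream, dropped with the 10.05.1 rebase`, so a later auditor can confirm coverage without git archaeology. Neither the spec nor the changelog entry states that 10.05.1 contains these fixes, so that is an inference to be confirmed against the upstream release notes before the commented lines are removed. If `%prep` applies patches with explicit `%patchN` lines rather than `%autosetup`, those need the same treatment, but `%prep` is outside this hunk.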
@@ -100,8 +100,8 @@ Patch12: bugfix-for-cve-2025-27837.patch
 # Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708311
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=55f587dd039282316f512e1bea64218fd991f934
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f14ea81e6c3d2f51593f23cdf13c4679a18f1a3f
-Patch13: bugfix-for-cve-2024-46954.patch
-Patch14: bugfix-for-cve-2025-46646.patch
+#Patch13: bugfix-for-cve-2024-46954.patch
+#Patch14: bugfix-for-cve-2025-46646.patch
 %description
 Ghostscript is an interpreter for PostScript® and Portable Document Format (PDF) files.
@@ -296,6 +296,9 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %changelog
+* Fri May 23 2025 yangxinyu - 10.05.1-1
+- New version 10.05.1
+
 * Thu Apr 29 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 10.03.0-7
 - Fix CVE-2025-46646