diff --git a/ghostscript.spec b/ghostscript.spec
index 78c3eef3cc89f4e159d285c70a8bc81908f29d77..ae497d5884ce09a5cb45be3e8a7cfa4516aa1f30 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@ Name: ghostscript
 Version: 9.52
-Release: 3
+Release: 4
 Summary: An interpreter for PostScript and PDF files
 License: AGPLv3+
 URL: https://ghostscript.com/
@@ -41,6 +41,9 @@ Patch22: Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch
 Patch23: Bug-697545-Prevent-numerous-memory-leaks.patch
 Patch24: lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch
 Patch25: Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch
+Patch26: oss-fuzz-22182-validate-glyph-offset-length-values.patch
+Patch27: oss-fuzz-23637-Fix-error-code-confusion.patch
+Patch28: oss-fuzz-23946-Move-buffer-bounds-check-to-before-us.patch
 BuildRequires: automake gcc
 BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -201,6 +204,12 @@ make check
 %{_bindir}/dvipdf
 %changelog
+* Sat Oct 31 2020 Liquor - 9.52-4
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix problems detected by oss-fuzz test
+
 * Thu Sep 10 2020 yangzhuangzhuang - 9.52-3
 - Type:bugfix
 - ID:CVE-2020-15900
diff --git a/oss-fuzz-22182-validate-glyph-offset-length-values.patch b/oss-fuzz-22182-validate-glyph-offset-length-values.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0b9d93539758733848d9527609247b0313ffb955
--- /dev/null
+++ b/oss-fuzz-22182-validate-glyph-offset-length-values.patch
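Review bot: The second hunk declares Patch26, Patch27 and Patch28 but nothing in this diff applies them; if %prep uses explicit per-patch lines rather than `%autosetup`, the three fixes are shipped as sources yet never reach the build. The %prep section is outside the diff, so please confirm from the build log that all three patch names appear as applied, or add `%patch26 -p1`, `%patch27 -p1` and `%patch28 -p1` after the existing Patch25 application. Order matters: oss-fuzz-23637 rewrites the `code = sfnt_get_sfnt_length(...)` lines that oss-fuzz-22182 introduces, so 27 must apply after 26, which the numbering above gives. In the changelog hunk, `- ID:NA` could instead list the three oss-fuzz issue ids (22182, 23637, 23946) so the fixes stay traceable without opening the patch files.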
@@ -0,0 +1,50 @@
+From 889df15d7c69e1fc90c6491f574352cacf9bc065 Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Thu, 11 Jun 2020 11:54:32 +0100
+Subject: [PATCH] oss-fuzz 22182: validate glyph offset/length values
+
+Check if the glyph offset and offset + length are larger than the size of the
+font stream before we can use it.
+---
+ psi/zfapi.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/psi/zfapi.c b/psi/zfapi.c
+index eac2ce3e2..5193aff74 100644
+--- a/psi/zfapi.c
++++ b/psi/zfapi.c
+@@ -1694,19 +1694,29 @@ FAPI_FF_get_glyph(gs_fapi_font *ff, int char_code, byte *buf,
+ glyph_length = gs_fapi_glyph_invalid_index;
+ }
+ else {
+- ulong noffs;
++ ulong noffs, endoffs;
++ int code;
+ /* If we haven't got a len_glyphs array, try using the offset of the next glyph offset
+ * to work out the length
+ */
+ error = sfnt_get_glyph_offset(pdr, pfont42, char_code + 1, &noffs);
+ if (error == 0) {
+ glyph_length = noffs - offset0;
++ code = sfnt_get_sfnt_length(pdr, &endoffs);
++ if (code < 0) {
++ glyph_length = gs_fapi_glyph_invalid_index;
++ }
++ else {
++ if (glyph_length + offset0 > endoffs) {
++ glyph_length = gs_fapi_glyph_invalid_index;
++ }
++ }
+ }
+ else {
+ /* And if we can't get the next glyph offset, use the end of the sfnt data
+ * to work out the length.
+ */
+- int code = sfnt_get_sfnt_length(pdr, &noffs);
++ code = sfnt_get_sfnt_length(pdr, &noffs);
+ if (code < 0) {
+ glyph_length = gs_fapi_glyph_invalid_index;
+ }
+--
+2.27.0
+
diff --git a/oss-fuzz-23637-Fix-error-code-confusion.patch b/oss-fuzz-23637-Fix-error-code-confusion.patch
new file mode 100644
index 0000000000000000000000000000000000000000..74fd271b5af66384402c284379ed4151adbd7e9d
--- /dev/null
+++ b/oss-fuzz-23637-Fix-error-code-confusion.patch
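Review bot: The new guard `if (glyph_length + offset0 > endoffs)` does not catch a next-glyph offset that is smaller than the current one: `noffs` and `endoffs` are `ulong`, so `glyph_length = noffs - offset0` wraps when `noffs < offset0`, and adding `offset0` back yields `noffs` again, which passes the comparison while `glyph_length` stays enormous (the declarations of `offset0` and `glyph_length` are outside the hunk, and whether sfnt_get_glyph_offset already rejects non-monotonic offsets is not visible here). Comparing the raw offsets closes both cases and is equivalent to the existing test whenever no wrap occurs: `if (noffs < offset0 || noffs > endoffs) { glyph_length = gs_fapi_glyph_invalid_index; }`. Since this file is an upstream backport, that would belong in a follow-up patch rather than an edit of this one; FAPI_FF_get_glyph begins and ends outside the hunk.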
@@ -0,0 +1,47 @@
+From bbd106e8f9345296cb5b5a452487bda603d54173 Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Mon, 21 Sep 2020 22:16:34 +0100
+Subject: [PATCH] oss-fuzz 23637: Fix error code confusion
+
+Confusion of error codes meant we were allocating space for glyph data,
+but never copying the data into it. Thus the memory sanitizer error.
+---
+ psi/zfapi.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/psi/zfapi.c b/psi/zfapi.c
+index aa988ed6e..d38f56498 100644
+--- a/psi/zfapi.c
++++ b/psi/zfapi.c
+@@ -2118,15 +2118,14 @@ FAPI_FF_get_glyph(gs_fapi_font *ff, gs_glyph char_code, byte *buf, int buf_lengt
+ }
+ else {
+ ulong noffs, endoffs;
+- int code;
+ /* If we haven't got a len_glyphs array, try using the offset of the next glyph offset
+ * to work out the length
+ */
+ error = sfnt_get_glyph_offset(pdr, pfont42, char_code + 1, &noffs);
+ if (error == 0) {
+ glyph_length = noffs - offset0;
+- code = sfnt_get_sfnt_length(pdr, &endoffs);
+- if (code < 0) {
++ error = sfnt_get_sfnt_length(pdr, &endoffs);
++ if (error < 0) {
+ glyph_length = gs_fapi_glyph_invalid_index;
+ }
+ else {
+@@ -2139,8 +2138,8 @@ FAPI_FF_get_glyph(gs_fapi_font *ff, gs_glyph char_code, byte *buf, int buf_lengt
+ /* And if we can't get the next glyph offset, use the end of the sfnt data
+ * to work out the length.
+ */
+- code = sfnt_get_sfnt_length(pdr, &noffs);
+- if (code < 0) {
++ error = sfnt_get_sfnt_length(pdr, &noffs);
++ if (error < 0) {
+ glyph_length = gs_fapi_glyph_invalid_index;
+ }
+ else {
+--
+2.27.0
+
diff --git a/oss-fuzz-23946-Move-buffer-bounds-check-to-before-us.patch b/oss-fuzz-23946-Move-buffer-bounds-check-to-before-us.patch
new file mode 100644
index 0000000000000000000000000000000000000000..618c415d567cf0c7a16fe22e051f380fc35f1051
--- /dev/null
+++ b/oss-fuzz-23946-Move-buffer-bounds-check-to-before-us.patch
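Review bot: This patch was generated against a newer tree than the 9.52 it is being applied to: its hunks sit at lines 2118 and 2139 and the context carries `gs_glyph char_code, byte *buf, int buf_lengt`, whereas the oss-fuzz-22182 patch it amends places the same code at line 1694 with `int char_code, byte *buf,`. `patch -p1` will apply it with a large offset, but a git-based apply (for example `%autosetup -S git`) may refuse it, so please confirm in the build log that both hunks land inside FAPI_FF_get_glyph. After both patches `int code` is gone, so any surviving `code = ...` use would fail to compile, which is a useful sanity signal. The function starts and ends outside the hunks.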
@@ -0,0 +1,41 @@
+From fd902c6702ef81008d7c91b09a0723661c0f9201 Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Thu, 1 Oct 2020 16:06:31 +0100
+Subject: [PATCH] oss-fuzz 23946: Move buffer bounds check to *before* using
+ it!
+
+ASCII85Decode filter: We correctly bounds check the buffer size, but dumbly
+were doing so *after* we'd used the relevant indices into the buffer. Change
+that order, and add another check.
+---
+ base/sa85d.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/base/sa85d.c b/base/sa85d.c
+index f9fa57fed..0fbef465a 100644
+--- a/base/sa85d.c
++++ b/base/sa85d.c
+@@ -135,9 +135,9 @@ s_A85D_process(stream_state * st, stream_cursor_read * pr,
+ * So we allow CR/LF between them. */
+ /* PDF further relaxes the requirements and accepts bare '~'.
+ */
+- while ((p[i] == 13 || p[i] == 10) && (p+i <= rlimit))
++ while ((p + i <= rlimit) && (p[i] == 13 || p[i] == 10))
+ i++;
+- if (p[i] != '>') {
++ if (p + i <= rlimit && p[i] != '>') {
+ if (ss->pdf_rules) {
+ if (p[i] == 13 || p[i] == 10) {
+ if (!last)
+@@ -146,7 +146,7 @@ s_A85D_process(stream_state * st, stream_cursor_read * pr,
+ p--;
+ }
+ } else {
+- if (p+i == rlimit) {
++ if (p + i == rlimit) {
+ if (last)
+ status = ERRC;
+ else
+--
+2.27.0
+
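Review bot: With the new `if (p + i <= rlimit && p[i] != '>')`, a CR/LF run that reaches past `rlimit` now skips the whole `if` and falls through to code outside the hunk; whether that path returns the need-more-input status or treats the truncated `~>` terminator as consumed is not visible here and deserves a test with the terminator split across two buffer fills. Both comparisons treat `rlimit` as the last readable byte (`<=` in the loop, `== rlimit` after `p[i]` was just read), which is consistent across the two hunks, but a one-line comment above the loop such as `/* rlimit is inclusive: p[i] is readable only while p + i <= rlimit */` would make that invariant explicit for the next reader. s_A85D_process begins and ends outside the hunks.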