From d20a0b2d7b753fcdcb35a8ac345f075fc7e984d9 Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Fri, 28 Mar 2025 12:57:52 +0800
Subject: [PATCH] Fix CVE-2025-27830, CVE-2025-27832, CVE-2025-27834, CVE-2025-27835, CVE-2025-27836
---
 backport-CVE-2024-46951.patch | 60 ++++++++---------
 backport-CVE-2024-46952.patch | 122 +++++++++++++++++-----------------
 backport-CVE-2024-46955.patch | 118 ++++++++++++++++----------------
 backport-CVE-2025-27830.patch | 72 ++++++++++++++++++++
 backport-CVE-2025-27832.patch | 41 ++++++++++++
 backport-CVE-2025-27834.patch | 49 ++++++++++++++
 backport-CVE-2025-27835.patch | 30 +++++++++
 backport-CVE-2025-27836.patch | 60 +++++++++++++++++
 ghostscript.spec | 26 +++++---
 9 files changed, 420 insertions(+), 158 deletions(-)
 create mode 100644 backport-CVE-2025-27830.patch
 create mode 100644 backport-CVE-2025-27832.patch
 create mode 100644 backport-CVE-2025-27834.patch
 create mode 100644 backport-CVE-2025-27835.patch
 create mode 100644 backport-CVE-2025-27836.patch
diff --git a/backport-CVE-2024-46951.patch b/backport-CVE-2024-46951.patch
index e00a3f7..58b01e1 100644
--- a/backport-CVE-2024-46951.patch
+++ b/backport-CVE-2024-46951.patch
@@ -1,30 +1,30 @@ -From ada21374f0c90cc3acf7ce0e96302394560c7aee Mon Sep 17 00:00:00 2001 -From: Zdenek Hutyra -Date: Fri, 30 Aug 2024 13:16:39 +0100 -Subject: [PATCH] PS interpreter - check the type of the Pattern Implementation - -Bug #707991 - -See bug report for details. - -CVE-2024-46951 ---- - psi/zcolor.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/psi/zcolor.c b/psi/zcolor.c -index d4e7a4438..d3384d75d 100644 ---- a/psi/zcolor.c -+++ b/psi/zcolor.c -@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n) - code = array_get(imemory, pImpl, 0, &pPatInst); - if (code < 0) - return code; -+ -+ if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance))) -+ return_error(gs_error_typecheck); - cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t); - if (pattern_instance_uses_base_space(cc.pattern)) - *n = n_comps; --- -2.34.1 +From ada21374f0c90cc3acf7ce0e96302394560c7aee Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Fri, 30 Aug 2024 13:16:39 +0100 +Subject: [PATCH] PS interpreter - check the type of the Pattern Implementation + +Bug #707991 + +See bug report for details. + +CVE-2024-46951 +--- + psi/zcolor.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/psi/zcolor.c b/psi/zcolor.c +index d4e7a4438..d3384d75d 100644 +--- a/psi/zcolor.c ++++ b/psi/zcolor.c +@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n) + code = array_get(imemory, pImpl, 0, &pPatInst); + if (code < 0) + return code; ++ ++ if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance))) ++ return_error(gs_error_typecheck); + cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t); + if (pattern_instance_uses_base_space(cc.pattern)) + *n = n_comps; +-- +2.34.1 
diff --git a/backport-CVE-2024-46952.patch b/backport-CVE-2024-46952.patch
index e4ff84c..0e2681f 100644
--- a/backport-CVE-2024-46952.patch
+++ b/backport-CVE-2024-46952.patch
@@ -1,61 +1,61 @@ -From 1fb76aaddac34530242dfbb9579d9997dae41264 Mon Sep 17 00:00:00 2001 -From: Ken Sharp -Date: Mon, 2 Sep 2024 15:14:01 +0100 -Subject: [PATCH] PDF interpreter - sanitise W array values in Xref streams - -Bug #708001 "Buffer overflow in PDF XRef stream" - -See bug report. I've chosen to fix this by checking the values in the -W array; these can (currently at least) only have certain relatively -small values. - -As a future proofing fix I've also updated field_size in -pdf_xref_stream_entries() to be a 64-bit integer. This is far bigger -than required, but matches the W array values and so prevents the -mismatch which could lead to a buffer overrun. - -CVE-2024-46952 ---- - pdf/pdf_xref.c | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - -diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c -index 7e61113..ad45852 100644 ---- a/pdf/pdf_xref.c -+++ b/pdf/pdf_xref.c -@@ -53,7 +53,7 @@ static int resize_xref(pdf_context *ctx, uint64_t new_size) - static int read_xref_stream_entries(pdf_context *ctx, pdf_c_stream *s, uint64_t first, uint64_t last, uint64_t *W) - { - uint i, j; -- uint field_width = 0; -+ uint64_t field_width = 0; - uint32_t type = 0; - uint64_t objnum = 0, gen = 0; - byte *Buffer; -@@ -297,6 +297,24 @@ static int pdfi_process_xref_stream(pdf_context *ctx, pdf_stream *stream_obj, pd - } - pdfi_countdown(a); - -+ /* W[0] is either: -+ * 0 (no type field) or a single byte with the type. -+ * W[1] is either: -+ * The object number of the next free object, the byte offset of this object in the file or the object5 number of the object stream where this object is stored. -+ * W[2] is either: -+ * The generation number to use if this object is used again, the generation number of the object or the index of this object within the object stream. 
-+ * -+ * Object and generation numbers are limited to unsigned 64-bit values, as are bytes offsets in the file, indexes of objects within the stream likewise (actually -+ * most of these are generally 32-bit max). So we can limit the field widths to 8 bytes, enough to hold a 64-bit number. -+ * Even if a later version of the spec makes these larger (which seems unlikely!) we still cna't cope with integers > 64-bits. -+ */ -+ if (W[0] > 1 || W[1] > 8 || W[2] > 8) { -+ pdfi_close_file(ctx, XRefStrm); -+ pdfi_countdown(ctx->xref_table); -+ ctx->xref_table = NULL; -+ return code; -+ } -+ - code = pdfi_dict_get_type(ctx, sdict, "Index", PDF_ARRAY, (pdf_obj **)&a); - if (code == gs_error_undefined) { - code = read_xref_stream_entries(ctx, XRefStrm, 0, size - 1, (uint64_t *)W); --- -2.43.0 +From 1fb76aaddac34530242dfbb9579d9997dae41264 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Mon, 2 Sep 2024 15:14:01 +0100 +Subject: [PATCH] PDF interpreter - sanitise W array values in Xref streams + +Bug #708001 "Buffer overflow in PDF XRef stream" + +See bug report. I've chosen to fix this by checking the values in the +W array; these can (currently at least) only have certain relatively +small values. + +As a future proofing fix I've also updated field_size in +pdf_xref_stream_entries() to be a 64-bit integer. This is far bigger +than required, but matches the W array values and so prevents the +mismatch which could lead to a buffer overrun. 
+ +CVE-2024-46952 +--- + pdf/pdf_xref.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c +index 7e61113..ad45852 100644 +--- a/pdf/pdf_xref.c ++++ b/pdf/pdf_xref.c +@@ -53,7 +53,7 @@ static int resize_xref(pdf_context *ctx, uint64_t new_size) + static int read_xref_stream_entries(pdf_context *ctx, pdf_c_stream *s, uint64_t first, uint64_t last, uint64_t *W) + { + uint i, j; +- uint field_width = 0; ++ uint64_t field_width = 0; + uint32_t type = 0; + uint64_t objnum = 0, gen = 0; + byte *Buffer; +@@ -297,6 +297,24 @@ static int pdfi_process_xref_stream(pdf_context *ctx, pdf_stream *stream_obj, pd + } + pdfi_countdown(a); + ++ /* W[0] is either: ++ * 0 (no type field) or a single byte with the type. ++ * W[1] is either: ++ * The object number of the next free object, the byte offset of this object in the file or the object5 number of the object stream where this object is stored. ++ * W[2] is either: ++ * The generation number to use if this object is used again, the generation number of the object or the index of this object within the object stream. ++ * ++ * Object and generation numbers are limited to unsigned 64-bit values, as are bytes offsets in the file, indexes of objects within the stream likewise (actually ++ * most of these are generally 32-bit max). So we can limit the field widths to 8 bytes, enough to hold a 64-bit number. ++ * Even if a later version of the spec makes these larger (which seems unlikely!) we still cna't cope with integers > 64-bits. ++ */ ++ if (W[0] > 1 || W[1] > 8 || W[2] > 8) { ++ pdfi_close_file(ctx, XRefStrm); ++ pdfi_countdown(ctx->xref_table); ++ ctx->xref_table = NULL; ++ return code; ++ } ++ + code = pdfi_dict_get_type(ctx, sdict, "Index", PDF_ARRAY, (pdf_obj **)&a); + if (code == gs_error_undefined) { + code = read_xref_stream_entries(ctx, XRefStrm, 0, size - 1, (uint64_t *)W); +-- +2.43.0 
diff --git a/backport-CVE-2024-46955.patch b/backport-CVE-2024-46955.patch
index bb789e7..dd3b22d 100644
--- a/backport-CVE-2024-46955.patch
+++ b/backport-CVE-2024-46955.patch
@@ -1,59 +1,59 @@ -From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001 -From: Zdenek Hutyra -Date: Fri, 30 Aug 2024 13:11:53 +0100 -Subject: [PATCH] PS interpreter - check Indexed colour space index - -Bug #707990 "Out of bounds read when reading color in "Indexed" color space" - -Check the 'index' is in the valid range (0 to hival) for the colour -space. - -Also a couple of additional checks on the type of the 'proc' for -Indexed, DeviceN and Separation spaces. Make sure these really are -procs in case the user changed the colour space array. - -CVE-2024-46955 ---- - psi/zcolor.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/psi/zcolor.c b/psi/zcolor.c -index c0d73c2..7d15ec7 100644 ---- a/psi/zcolor.c -+++ b/psi/zcolor.c -@@ -3629,6 +3629,7 @@ static int septransform(i_ctx_t *i_ctx_p, ref *sepspace, int *usealternate, int - code = array_get(imemory, sepspace, 3, &proc); - if (code < 0) - return code; -+ check_proc(proc); - *esp = proc; - return o_push_estack; - } -@@ -4450,6 +4451,7 @@ static int devicentransform(i_ctx_t *i_ctx_p, ref *devicenspace, int *usealterna - code = array_get(imemory, devicenspace, 3, &proc); - if (code < 0) - return code; -+ check_proc(proc); - *esp = proc; - return o_push_estack; - } -@@ -4865,6 +4867,7 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage, - code = array_get(imemory, space, 3, &proc); - if (code < 0) - return code; -+ check_proc(proc); - *ep = proc; /* lookup proc */ - return o_push_estack; - } else { -@@ -4878,6 +4881,9 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage, - if (!r_has_type(op, t_integer)) - return_error (gs_error_typecheck); - index = op->value.intval; -+ /* Ensure it is in range. See bug #707990 */ -+ if (index < 0 || index > pcs->params.indexed.hival) -+ return_error(gs_error_rangecheck); - /* And remove it from the stack. 
*/ - ref_stack_pop(&o_stack, 1); - op = osp; --- -2.27.0 +From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Fri, 30 Aug 2024 13:11:53 +0100 +Subject: [PATCH] PS interpreter - check Indexed colour space index + +Bug #707990 "Out of bounds read when reading color in "Indexed" color space" + +Check the 'index' is in the valid range (0 to hival) for the colour +space. + +Also a couple of additional checks on the type of the 'proc' for +Indexed, DeviceN and Separation spaces. Make sure these really are +procs in case the user changed the colour space array. + +CVE-2024-46955 +--- + psi/zcolor.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/psi/zcolor.c b/psi/zcolor.c +index c0d73c2..7d15ec7 100644 +--- a/psi/zcolor.c ++++ b/psi/zcolor.c +@@ -3629,6 +3629,7 @@ static int septransform(i_ctx_t *i_ctx_p, ref *sepspace, int *usealternate, int + code = array_get(imemory, sepspace, 3, &proc); + if (code < 0) + return code; ++ check_proc(proc); + *esp = proc; + return o_push_estack; + } +@@ -4450,6 +4451,7 @@ static int devicentransform(i_ctx_t *i_ctx_p, ref *devicenspace, int *usealterna + code = array_get(imemory, devicenspace, 3, &proc); + if (code < 0) + return code; ++ check_proc(proc); + *esp = proc; + return o_push_estack; + } +@@ -4865,6 +4867,7 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage, + code = array_get(imemory, space, 3, &proc); + if (code < 0) + return code; ++ check_proc(proc); + *ep = proc; /* lookup proc */ + return o_push_estack; + } else { +@@ -4878,6 +4881,9 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage, + if (!r_has_type(op, t_integer)) + return_error (gs_error_typecheck); + index = op->value.intval; ++ /* Ensure it is in range. See bug #707990 */ ++ if (index < 0 || index > pcs->params.indexed.hival) ++ return_error(gs_error_rangecheck); + /* And remove it from the stack. 
*/ + ref_stack_pop(&o_stack, 1); + op = osp; +-- +2.27.0 diff --git a/backport-CVE-2025-27830.patch b/backport-CVE-2025-27830.patch new file mode 100644 index 0000000..76e8215 --- /dev/null +++ b/backport-CVE-2025-27830.patch 
@@ -0,0 +1,72 @@
+From dc17ab3fe8cd43eeaf3f2da9bcaa30a2be69e57b Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Mon, 13 Jan 2025 09:15:01 +0000
+Subject: Bug 708241: Fix potential Buffer overflow with DollarBlend
+
+During serializing a multiple master font for passing to Freetype.
+
+Use CVE-2025-27830
+---
+ base/write_t1.c | 9 +++++----
+ psi/zfapi.c | 9 +++++++--
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/base/write_t1.c b/base/write_t1.c
+index 50af7ea..1b17aae 100644
+--- a/base/write_t1.c
++++ b/base/write_t1.c
+@@ -628,6 +628,7 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
+ WRF_wbyte(a_fapi_font->memory, a_output, '\n');
+ if (is_MM_font(a_fapi_font)) {
+ short x, x2;
++ unsigned short ux;
+ float x1;
+ uint i, j, entries;
+ char Buffer[255];
+@@ -759,16 +760,16 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
+ */
+ code = a_fapi_font->get_word(a_fapi_font,
+ gs_fapi_font_feature_DollarBlend_length,
+- 0, (unsigned short *)&x);
++ 0, &ux);
+ if (code < 0)
+ return code;
+
+- if (x > 0) {
++ if (ux > 0) {
+ int len;
+ WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {");
+
+ if (a_output->m_count)
+- a_output->m_count += x;
++ a_output->m_count += ux;
+ len = a_fapi_font->get_proc(a_fapi_font,
+ gs_fapi_font_feature_DollarBlend, 0,
+ (char *)a_output->m_pos);
+diff --git a/psi/zfapi.c b/psi/zfapi.c
+index 6927e60..05bf9dc 100644
+--- a/psi/zfapi.c
++++ b/psi/zfapi.c
+@@ -683,7 +683,7 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
+ }
+ for (i = 0; i < r_size(DBlend); i++) {
+ if (array_get(ff->memory, DBlend, i, &Element) < 0) {
+- *ret = 0;
++ length = 0;
+ break;
+ }
+ switch (r_btype(&Element)) {
+@@ -710,7 +710,12 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
+ default:
+ break;
+ }
+- }
++
++ if (length > max_ushort) {
++ length = 0;
++ break;
++ }
++ }
+ *ret = length;
+ break;
+ }
diff --git a/backport-CVE-2025-27832.patch b/backport-CVE-2025-27832.patch
new file mode 100644
index 0000000..4451a32
--- /dev/null
+++ b/backport-CVE-2025-27832.patch
@@ -0,0 +1,41 @@
+From 36ac25fca7ba65a2a24d96d553e8dd63990210b9 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Wed, 20 Nov 2024 11:42:31 +0000
+Subject: Bug 708133: Avoid integer overflow leading to buffer overflow
+
+The calculation of the buffer size was being done with int values, and
+overflowing that data type. By leaving the total size calculation to the
+memory manager, the calculation ends up being done in size_t values, and
+avoiding the overflow in this case, but also meaning the memory manager
+overflow protection will be effective.
+
+CVE-2025-27832
+---
+ contrib/japanese/gdevnpdl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
+index 60065bacf..4967282bd 100644
+--- a/contrib/japanese/gdevnpdl.c
++++ b/contrib/japanese/gdevnpdl.c
+@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
+ int code;
+ int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
+
+- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
++ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
+ return_error(gs_error_VMerror);
+
+ /* Initialize printer */
+@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
+ /* Form Feed */
+ gp_fputs("\014", prn_stream);
+
+- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
++ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
+ return 0;
+ }
+
+--
+cgit v1.2.3
+
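Review bot: In FAPI_FF_get_word the new guard `if (length > max_ushort) { length = 0; break; }` reports an oversized DollarBlend as a length of zero, and write_t1.c then takes `if (ux > 0)` as "no $Blend" and silently omits the procedure instead of failing the font; the array_get failure path was likewise changed from `*ret = 0;` to `length = 0; break;` with the same net result. That is plausibly the intended degrade-gracefully behaviour, but nothing in the hunk says so, and the declaration of `length` (which decides whether the comparison with `max_ushort` is reached before any wraparound) is outside the hunk. Suggest a comment on the guard: `/* Longer than the 16-bit length the caller receives: report 0 so $Blend is omitted rather than truncated */`. Both write_main_dictionary and FAPI_FF_get_word start and end outside the hunk.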
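Review bot: The new `gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")` passes `line_size` as the element count and `maxY` as the element size, which reads backwards for a buffer of maxY scan lines of line_size bytes each; the product and the memory manager's overflow check are identical either way, so `gs_malloc(pdev->memory->non_gc_memory, maxY, line_size, ...)` with the matching `gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, maxY, line_size, ...)` would state the intent at no cost. Whichever order is kept, the two calls must stay in lock-step, as they do in this hunk. npdl_print_page_copies starts and ends outside the hunk.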
diff --git a/backport-CVE-2025-27834.patch b/backport-CVE-2025-27834.patch
new file mode 100644
index 0000000..8025fd5
--- /dev/null
+++ b/backport-CVE-2025-27834.patch
@@ -0,0 +1,49 @@
+From 3885f8307726fa7611b39fa1376403406bdbd55c Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Mon, 20 Jan 2025 16:13:46 +0000
+Subject: PDF interpreter - Guard against unsigned int overflow
+
+Bug #708253 - see bug report for details.
+
+CVE-2025-27834
+---
+ pdf/pdf_func.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/pdf/pdf_func.c b/pdf/pdf_func.c
+index 9b7d5bb..9fba5e1 100644
+--- a/pdf/pdf_func.c
++++ b/pdf/pdf_func.c
+@@ -153,6 +153,8 @@ pdfi_parse_type4_func_stream(pdf_context *ctx, pdf_c_stream *function_stream, in
+ byte *p = (ops ? ops + *size : NULL);
+
+ do {
++ if (*size > max_uint / 2)
++ return gs_note_error(gs_error_VMerror);
+ code = pdfi_read_bytes(ctx, &c, 1, 1, function_stream);
+ if (code < 0)
+ break;
+@@ -318,6 +320,11 @@ pdfi_build_function_4(pdf_context *ctx, gs_function_params_t * mnDR,
+ if (code < 0)
+ goto function_4_error;
+
++ if (size > max_uint - 1) {
++ code = gs_note_error(gs_error_VMerror);
++ goto function_4_error;
++ }
++
+ ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_function_4(ops)");
+ if (ops == NULL) {
+ code = gs_error_VMerror;
+@@ -816,6 +823,11 @@ int pdfi_build_halftone_function(pdf_context *ctx, gs_function_t ** ppfn, byte *
+ if (code < 0)
+ goto halftone_function_error;
+
++ if (size > max_uint - 1) {
++ code = gs_note_error(gs_error_VMerror);
++ goto halftone_function_error;
++ }
++
+ ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_halftone_function(ops)");
+ if (ops == NULL) {
+ code = gs_error_VMerror;
diff --git a/backport-CVE-2025-27835.patch b/backport-CVE-2025-27835.patch
new file mode 100644
index 0000000..c955a3a
--- /dev/null
+++ b/backport-CVE-2025-27835.patch
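Review bot: The loop guard `if (*size > max_uint / 2)` in pdfi_parse_type4_func_stream is the only one of the three new checks that halves the bound, and the hunk gives no reason for it (presumably the loop body grows `*size` by more than one per iteration, or the callers' `size + 1` allocation needs the headroom), so anyone auditing the bound has to leave the function to find out. A one-line comment above it, along the lines of `/* leave headroom: *size grows below and the caller allocates size + 1 */` once the actual reason is confirmed, would make the guard self-explanatory. All three checks report the condition as `gs_error_VMerror` although nothing has failed to allocate; `gs_error_limitcheck` would distinguish "refused as too large" from "out of memory", but staying identical to upstream is a defensible choice for a backport. pdfi_parse_type4_func_stream, pdfi_build_function_4 and pdfi_build_halftone_function all start and end outside the hunk.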
@@ -0,0 +1,30 @@
+From 920fae688705b3a25a1f8925f3837219a6243565 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Wed, 20 Nov 2024 11:27:52 +0000
+Subject: Bug 708131: Fix confusion between bytes and shorts
+
+We were copying data from a string in multiple of shorts, rather than multiple
+of bytes, leading to both an read (probably benign, given the memory manager)
+and write buffer overflow.
+
+CVE-2025-27835
+---
+ psi/zbfont.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psi/zbfont.c b/psi/zbfont.c
+index acffb39ef..5850ab54d 100644
+--- a/psi/zbfont.c
++++ b/psi/zbfont.c
+@@ -253,7 +253,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u
+ if (l > length)
+ return l;
+
+- memcpy(unicode_return, v->value.const_bytes, l * sizeof(short));
++ memcpy(unicode_return, v->value.const_bytes, l);
+ return l;
+ }
+ if (r_type(v) == t_integer) {
+--
+cgit v1.2.3
+
diff --git a/backport-CVE-2025-27836.patch b/backport-CVE-2025-27836.patch
new file mode 100644
index 0000000..6b52215
--- /dev/null
+++ b/backport-CVE-2025-27836.patch
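Review bot: After the change `l` serves both as the byte count in `memcpy(unicode_return, v->value.const_bytes, l)` and as the operand of the guard `if (l > length) return l;`, while the destination is a `ushort *` according to the signature in the hunk header, so whether `length` counts bytes or shorts decides whether the guard is exact or merely conservative, and that declaration is outside the hunk. Suggest recording the unit next to the guard, e.g. `/* l and length are both byte counts */` if that is what the callers pass, and checking that the `l` returned to callers is read in the same unit. gs_font_map_glyph_to_unicode starts and ends outside the hunk.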
@@ -0,0 +1,60 @@
+From db77f4c0ce0298625f75059cb6b8c31e61350753 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Mon, 13 Jan 2025 09:07:57 +0000
+Subject: Bug 708192: Fix potential print buffer overflow
+
+CVE-2025-27836
+---
+ contrib/japanese/gdev10v.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
+index 0bd3cec02..9d27573dc 100644
+--- a/contrib/japanese/gdev10v.c
++++ b/contrib/japanese/gdev10v.c
+@@ -199,17 +199,25 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream)
+ int bytes_per_column = bits_per_column / 8;
+ int x_skip_unit = bytes_per_column * (xres / 180);
+ int y_skip_unit = (yres / 180);
+- byte *in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
+- /* We need one extra byte in for our sentinel. */
+- byte *out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
++ byte *in, *out;
+ int lnum = 0;
+ int y_skip = 0;
+ int code = 0;
+ int blank_lines = 0;
+ int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3;
+
+- if ( in == 0 || out == 0 )
+- return -1;
++ if (bits_per_column == 0 || line_size > (max_int - 1) / bits_per_column) {
++ code = gs_note_error(gs_error_rangecheck);
++ goto error;
++ }
++
++ in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
++ /* We need one extra byte in for our sentinel. */
++ out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
++ if ( in == NULL || out == NULL ) {
++ code = gs_note_error(gs_error_VMerror);
++ goto error;
++ }
+
+ /* Initialize the printer. */
+ prn_puts(pdev, "\033@");
+@@ -320,8 +328,10 @@ notz:
+ }
+
+ /* Eject the page */
+-xit: prn_putc(pdev, 014); /* form feed */
++xit:
++ prn_putc(pdev, 014); /* form feed */
+ prn_flush(pdev);
++error:
+ gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
+ gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
+ return code;
+--
+cgit v1.2.3
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 097c734..aa3dc10 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@ Name: ghostscript
 Version: 9.55.0
-Release: 17
+Release: 18
 Summary: An interpreter for PostScript and PDF files
 License: AGPLv3+
 URL: https://ghostscript.com/
@@ -41,14 +41,18 @@ Patch15: Bug-707510-review-printing-of-pointers.patch
 # CVE-2024-29511
 Patch16: Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch
 Patch17: Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch
-
 Patch18: Bug-707510-fix-LIBIDN-usage.patch
-Patch19: backport-CVE-2024-46953.patch
-Patch20: backport-CVE-2024-46956.patch
-Patch21: backport-CVE-2024-46955.patch
-Patch22: backport-CVE-2024-46951.patch
-Patch23: backport-CVE-2024-46952.patch
-Patch24: fix-CVE-2024-33871.patch
+Patch19: fix-CVE-2024-33871.patch
+Patch20: backport-CVE-2024-46953.patch
+Patch21: backport-CVE-2024-46956.patch
+Patch22: backport-CVE-2024-46955.patch
+Patch23: backport-CVE-2024-46951.patch
+Patch24: backport-CVE-2024-46952.patch
+Patch25: backport-CVE-2025-27830.patch
+Patch26: backport-CVE-2025-27832.patch
+Patch27: backport-CVE-2025-27834.patch
+Patch28: backport-CVE-2025-27835.patch
+Patch39: backport-CVE-2025-27836.patch
 BuildRequires: automake gcc
 BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
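Review bot: `in` and `out` are now declared without initialisers (`byte *in, *out;`), but the new `goto error` taken when `bits_per_column == 0 || line_size > (max_int - 1) / bits_per_column` jumps past both `gs_malloc` calls to a label that runs `gs_free(..., (char *)out, ...)` and `gs_free(..., (char *)in, ...)`, so the rangecheck path frees two indeterminate pointers. When instead one of the two allocations fails, the other pointer is NULL or a valid allocation, which is fine provided `gs_free` tolerates NULL (it usually does in this codebase; confirm). Initialising at the declaration, `byte *in = NULL, *out = NULL;`, closes the hole without touching the rest of the flow. Separately, the count and element size handed to `gs_free` for `out` (`bits_per_column, line_size`) do not match its allocation (`bits_per_column * line_size + 1, 1`); that predates the patch, but the new early exits make the cleanup path easier to reach. bj10v_print_page starts and ends outside the hunk.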
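Review bot: The new tag `Patch39: backport-CVE-2025-27836.patch` breaks the sequence that otherwise runs Patch25 through Patch28 and looks like a typo for `Patch29: backport-CVE-2025-27836.patch`. If %prep (outside this hunk) uses `%autosetup` or `%autopatch`, every PatchN tag is applied regardless of its number and this is cosmetic; if it lists explicit `%patchN -p1` lines, a `%patch29` line would not exist and the CVE-2025-27836 fix would silently never be applied, so the number should be checked against %prep before merging. The renumbering also moves fix-CVE-2024-33871.patch ahead of the backport-CVE-2024-4695x patches, which changes the apply order; harmless unless those patches touch overlapping hunks.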
@@ -209,6 +213,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 %changelog
+* Thu Mar 27 2025 Funda Wang - 9.55.0-18
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2025-27830, CVE-2025-27832, CVE-2025-27834, CVE-2025-27835, CVE-2025-27836
+
 * Mon Nov 18 2024 liningjie - 9.55.0-17
 - Type:CVE
 - ID:NA
--
Gitee