From e695cd0efba04209f1a552f9a1f368ef4be98693 Mon Sep 17 00:00:00 2001 From: Linux_zhang Date: Wed, 22 Oct 2025 14:46:18 +0800 Subject: [PATCH] Fix CVE-2025-59798,CVE-2025-59799,CVE-2025-59800 --- ...-59798-pdfwrite-avoid-buffer-overrun.patch | 133 ++++++++++++++++++ ...9-pdfwrite-bounds-check-some-strings.patch | 40 ++++++ ...-PDF-OCR-8-bit-device-avoid-overflow.patch | 35 +++++ ghostscript.spec | 11 +- 4 files changed, 218 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2025-59798-pdfwrite-avoid-buffer-overrun.patch create mode 100644 backport-CVE-2025-59799-pdfwrite-bounds-check-some-strings.patch create mode 100644 backport-CVE-2025-59800-PDF-OCR-8-bit-device-avoid-overflow.patch diff --git a/backport-CVE-2025-59798-pdfwrite-avoid-buffer-overrun.patch b/backport-CVE-2025-59798-pdfwrite-avoid-buffer-overrun.patch new file mode 100644 index 0000000..e016891 --- /dev/null +++ b/backport-CVE-2025-59798-pdfwrite-avoid-buffer-overrun.patch @@ -0,0 +1,133 @@ +From 0cae41b23a9669e801211dd4cf97b6dadd6dbdd7 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 22 May 2025 12:25:41 +0100 +Subject: [PATCH] pdfwrite - avoid buffer overrun + +Bug #708539 "Buffer overflow in pdf_write_cmap" + +The proposed fix in the report solves the buffer overrun, but does not +tackle a number of other problems. + +This commit checks the result of stream_puts() in +pdf_write_cid_system_info_to_stream() and correctly signals an error to +the caller if that fails. + +In pdf_write_cid_system_info we replace a (rather small!) fixed size +buffer with a dynamically allocated one using the lengths of the strings +which pdf_write_cid_system_info_to_stream() will write, and a small +fixed overhead to deal with the keys and initial byte '/'. + +Because 'buf' is used in the stream 's', if it is too small to hold all +the CIDSystemInfo then we would get an error which was simply discarded +previously. + +We now should avoid the potential error by ensuring the buffer is large +enough for all the information, and if we do get an error we no longer +silently ignore it, which would write an invalid PDF file. +--- + devices/vector/gdevpdtw.c | 52 ++++++++++++++++++++++++++++++--------- + 1 file changed, 41 insertions(+), 11 deletions(-) + +diff --git a/devices/vector/gdevpdtw.c b/devices/vector/gdevpdtw.c +index ced15c9b2..fe24dd73a 100644 +--- a/devices/vector/gdevpdtw.c ++++ b/devices/vector/gdevpdtw.c +@@ -703,7 +703,8 @@ static int + pdf_write_cid_system_info_to_stream(gx_device_pdf *pdev, stream *s, + const gs_cid_system_info_t *pcidsi, gs_id object_id) + { +- byte *Registry, *Ordering; ++ byte *Registry = NULL, *Ordering = NULL; ++ int code = 0; + + Registry = gs_alloc_bytes(pdev->pdf_memory, pcidsi->Registry.size, "temporary buffer for Registry"); + if (!Registry) +@@ -734,14 +735,19 @@ pdf_write_cid_system_info_to_stream(gx_device_pdf *pdev, stream *s, + } + s_arcfour_process_buffer(&sarc4, Ordering, pcidsi->Ordering.size); + } +- stream_puts(s, "<<\n/Registry"); ++ code = stream_puts(s, "<<\n/Registry"); ++ if (code < 0) ++ goto error; + s_write_ps_string(s, Registry, pcidsi->Registry.size, PRINT_HEX_NOT_OK); +- stream_puts(s, "\n/Ordering"); ++ code = stream_puts(s, "\n/Ordering"); ++ if(code < 0) ++ goto error; + s_write_ps_string(s, Ordering, pcidsi->Ordering.size, PRINT_HEX_NOT_OK); ++error: + pprintd1(s, "\n/Supplement %d\n>>\n", pcidsi->Supplement); + gs_free_object(pdev->pdf_memory, Registry, "free temporary Registry buffer"); + gs_free_object(pdev->pdf_memory, Ordering, "free temporary Ordering buffer"); +- return 0; ++ return code; + } + + int +@@ -786,31 +792,55 @@ pdf_write_cmap(gx_device_pdf *pdev, const gs_cmap_t *pcmap, + *ppres = writer.pres; + writer.pres->where_used = 0; /* CMap isn't a PDF resource. */ + if (!pcmap->ToUnicode) { +- byte buf[200]; ++ byte *buf = NULL; ++ uint64_t buflen = 0; + cos_dict_t *pcd = (cos_dict_t *)writer.pres->object; + stream s; + ++ /* We use 'buf' for the stream 's' below and that needs to have some extra ++ * space for the CIDSystemInfo. We also need an extra byte for the leading '/' ++ * 100 bytes is ample for the overhead. ++ */ ++ buflen = pcmap->CIDSystemInfo->Registry.size + pcmap->CIDSystemInfo->Ordering.size + pcmap->CMapName.size + 100; ++ if (buflen > max_uint) ++ return_error(gs_error_limitcheck); ++ ++ buf = gs_alloc_bytes(pdev->memory, buflen, "pdf_write_cmap"); ++ if (buf == NULL) ++ return_error(gs_error_VMerror); ++ + code = cos_dict_put_c_key_int(pcd, "/WMode", pcmap->WMode); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } + buf[0] = '/'; + memcpy(buf + 1, pcmap->CMapName.data, pcmap->CMapName.size); + code = cos_dict_put_c_key_string(pcd, "/CMapName", + buf, pcmap->CMapName.size + 1); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } + s_init(&s, pdev->memory); +- swrite_string(&s, buf, sizeof(buf)); ++ swrite_string(&s, buf, buflen); + code = pdf_write_cid_system_info_to_stream(pdev, &s, pcmap->CIDSystemInfo, 0); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } + code = cos_dict_put_c_key_string(pcd, "/CIDSystemInfo", + buf, stell(&s)); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } + code = cos_dict_put_string_copy(pcd, "/Type", "/CMap"); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + } + if (pcmap->CMapName.size == 0) { + /* Create an arbitrary name (for ToUnicode CMap). */ +-- +2.43.0 + diff --git a/backport-CVE-2025-59799-pdfwrite-bounds-check-some-strings.patch b/backport-CVE-2025-59799-pdfwrite-bounds-check-some-strings.patch new file mode 100644 index 0000000..11e680e --- /dev/null +++ b/backport-CVE-2025-59799-pdfwrite-bounds-check-some-strings.patch @@ -0,0 +1,40 @@ +From 6dab38fb211f15226c242ab7a83fa53e4b0ff781 Mon Sep 17 00:00:00 2001 +From: Piotr Kajda +Date: Thu, 8 May 2025 11:37:09 +0100 +Subject: [PATCH] pdfwrite - bounds check some strings + +Bug #708517 + +This differs very slightly from the proposed patch in the bug report, I +had a quick scout through the C file and found another similar case. + +Both fixed here. +--- + devices/vector/gdevpdfm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/devices/vector/gdevpdfm.c b/devices/vector/gdevpdfm.c +index 5aa3644e2..4b1d7d89c 100644 +--- a/devices/vector/gdevpdfm.c ++++ b/devices/vector/gdevpdfm.c +@@ -200,6 +200,8 @@ pdfmark_coerce_dest(gs_param_string *dstr, char dest[MAX_DEST_STRING]) + { + const byte *data = dstr->data; + uint size = dstr->size; ++ if (size > MAX_DEST_STRING) ++ return_error(gs_error_limitcheck); + if (size == 0 || data[0] != '(') + return 0; + /****** HANDLE ESCAPES ******/ +@@ -868,6 +870,8 @@ pdfmark_put_ao_pairs(gx_device_pdf * pdev, cos_dict_t *pcd, + char buf[30]; + int d0, d1; + ++ if (Action[1].size > 29) ++ return_error(gs_error_rangecheck); + memcpy(buf, Action[1].data, Action[1].size); + buf[Action[1].size] = 0; + if (sscanf(buf, "%d %d R", &d0, &d1) == 2) +-- +2.43.0 + diff --git a/backport-CVE-2025-59800-PDF-OCR-8-bit-device-avoid-overflow.patch b/backport-CVE-2025-59800-PDF-OCR-8-bit-device-avoid-overflow.patch new file mode 100644 index 0000000..f6d6cac --- /dev/null +++ b/backport-CVE-2025-59800-PDF-OCR-8-bit-device-avoid-overflow.patch @@ -0,0 +1,35 @@ +From 176cf0188a2294bc307b8caec876f39412e58350 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Tue, 1 Jul 2025 10:31:17 +0100 +Subject: [PATCH] PDF OCR 8 bit device - avoid overflow + +Bug 708602 "Heap overflow in ocr_line8" + +Make sure the calculation of the required raster size does not overflow +an int. +--- + devices/gdevpdfocr.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c +index f27dc11db..6362f4104 100644 +--- a/devices/gdevpdfocr.c ++++ b/devices/gdevpdfocr.c +@@ -521,9 +521,12 @@ ocr_line32(gx_device_pdf_image *dev, void *row) + static int + ocr_begin_page(gx_device_pdf_image *dev, int w, int h, int bpp) + { +- int raster = (w+3)&~3; ++ int64_t raster = (w + 3) & ~3; + +- dev->ocr.data = gs_alloc_bytes(dev->memory, raster * h, "ocr_begin_page"); ++ raster = raster * (int64_t)h; ++ if (raster < 0 || raster > max_size_t) ++ return gs_note_error(gs_error_VMerror); ++ dev->ocr.data = gs_alloc_bytes(dev->memory, raster, "ocr_begin_page"); + if (dev->ocr.data == NULL) + return_error(gs_error_VMerror); + dev->ocr.w = w; +-- +2.43.0 + diff --git a/ghostscript.spec b/ghostscript.spec index b019f4c..34f1530 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,7 +9,7 @@ Name: ghostscript Version: 9.55.0 -Release: 21 +Release: 22 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ @@ -56,6 +56,9 @@ Patch29: backport-CVE-2025-27835.patch Patch30: backport-CVE-2025-27836.patch Patch40: Add-CJK-Chinese-font-mappings.patch Patch41: backport-CVE-2025-48708.patch +Patch42: backport-CVE-2025-59798-pdfwrite-avoid-buffer-overrun.patch +Patch43: backport-CVE-2025-59799-pdfwrite-bounds-check-some-strings.patch +Patch44: backport-CVE-2025-59800-PDF-OCR-8-bit-device-avoid-overflow.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -216,6 +219,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Wed Oct 22 2025 Linux_zhang - 9.55.0-22 +- Type:CVE +- ID:NA +- SUG:NA +- DECS: Fix CVE-2025-59798,CVE-2025-59799,CVE-2025-59800 + * Fri May 23 2025 Funda Wang - 9.55.0-21 - Type:CVE - ID:NA -- Gitee