ghostscript/Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch

From 7745dbe24514710b0cfba925e608e607dee9eb0f Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 24 Jan 2024 18:25:12 +0000
Subject: [PATCH 3/7] Bug 707510(3): Bounds checks when using CIDFont related 
 params
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7745dbe24514

Specifically, for CIDFont substitution.
---
 pdf/pdf_font.c     | 45 +++++++++++++++++++++++++++++++++++++++------
 pdf/pdf_warnings.h |  2 +-
 2 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
index fa71605..89c13ab 100644
--- a/pdf/pdf_font.c
+++ b/pdf/pdf_font.c
@@ -228,22 +228,55 @@ pdfi_open_CIDFont_substitute_file(pdf_context * ctx, pdf_dict *font_dict, pdf_di
                     memcpy(fontfname, fsprefix, fsprefixlen);
                 }
                 else {
-                    memcpy(fontfname, ctx->args.cidsubstpath.data, ctx->args.cidsubstpath.size);
-                    fsprefixlen = ctx->args.cidsubstpath.size;
+                    if (ctx->args.cidsubstpath.size + 1 > gp_file_name_sizeof) {
+                        code = gs_note_error(gs_error_rangecheck);
+                        pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstPath parameter too long");
+                        if (ctx->args.pdfstoponwarning != 0) {
+                            goto exit;
+                        }
+                        code = 0;
+                        memcpy(fontfname, fsprefix, fsprefixlen);
+                    }
+                    else {
+                        memcpy(fontfname, ctx->args.cidsubstpath.data, ctx->args.cidsubstpath.size);
+                        fsprefixlen = ctx->args.cidsubstpath.size;
+                    }
                 }
 
                 if (ctx->args.cidsubstfont.data == NULL) {
                     int len = 0;
-                    if (gp_getenv("CIDSUBSTFONT", (char *)0, &len) < 0 && len + fsprefixlen + 1 < gp_file_name_sizeof) {
-                        (void)gp_getenv("CIDSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
+                    if (gp_getenv("CIDSUBSTFONT", (char *)0, &len) < 0) {
+                        if (len + fsprefixlen + 1 > gp_file_name_sizeof) {
+                            code = gs_note_error(gs_error_rangecheck);
+                            pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSUBSTFONT environment variable too long");
+                            if (ctx->args.pdfstoponwarning != 0) {
+                                goto exit;
+                            }
+                            code = 0;
+                            memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
+                        }
+                        else {
+                            (void)gp_getenv("CIDSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
+                        }
                     }
                     else {
                         memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
                     }
                 }
                 else {
-                    memcpy(fontfname, ctx->args.cidsubstfont.data, ctx->args.cidsubstfont.size);
-                    defcidfallacklen = ctx->args.cidsubstfont.size;
+                    if (ctx->args.cidsubstfont.size > gp_file_name_sizeof - 1) {
+                        code = gs_note_error(gs_error_rangecheck);
+                        pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstFont parameter too long");
+                        if (ctx->args.pdfstoponwarning != 0) {
+                            goto exit;
+                        }
+                        code = 0;
+                        memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
+                    }
+                    else {
+                        memcpy(fontfname, ctx->args.cidsubstfont.data, ctx->args.cidsubstfont.size);
+                        defcidfallacklen = ctx->args.cidsubstfont.size;
+                    }
                 }
                 fontfname[fsprefixlen + defcidfallacklen] = '\0';
 
diff --git a/pdf/pdf_warnings.h b/pdf/pdf_warnings.h
index 21b2403..bfbc3a7 100644
--- a/pdf/pdf_warnings.h
+++ b/pdf/pdf_warnings.h
@@ -58,5 +58,5 @@ PARAM(W_PDF_CA_OUTOFRANGE,          "CA or ca value not in range 0.0 to 1.0, cla
 PARAM(W_PDF_INVALID_DEFAULTSPACE,   "Invalid DefaultGray, DefaultRGB or DefaultCMYK space specified, ignored."),
 PARAM(W_PDF_INVALID_DECRYPT_LEN,    "Invalid /Length supplied in Encryption dictionary."),
 PARAM(W_PDF_INVALID_FONT_BASEENC,   "Ignoring invalid BaseEncoding name in font"),
-
+PARAM(W_PDF_BAD_CONFIG,             "A configuration or command line parameter was invalid or incorrect."),
 #undef PARAM
-- 
2.43.0
fix CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511 (cherry picked from commit 6a34364e0a141b71f487687411b7ec62203903e4) 2024-06-27 15:09:46 +08:00			`From 7745dbe24514710b0cfba925e608e607dee9eb0f Mon Sep 17 00:00:00 2001`
			`From: Chris Liddell <chris.liddell@artifex.com>`
			`Date: Wed, 24 Jan 2024 18:25:12 +0000`
Fix CVE-2024-29511 (cherry picked from commit 4843a060331367cf1583665d1035f6b0f38e777d) 2024-07-12 18:03:07 +08:00			`Subject: [PATCH 3/7] Bug 707510(3): Bounds checks when using CIDFont related`
fix CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511 (cherry picked from commit 6a34364e0a141b71f487687411b7ec62203903e4) 2024-06-27 15:09:46 +08:00			`params`
Fix CVE-2024-29511 (cherry picked from commit 4843a060331367cf1583665d1035f6b0f38e777d) 2024-07-12 18:03:07 +08:00			`https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7745dbe24514`
fix CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511 (cherry picked from commit 6a34364e0a141b71f487687411b7ec62203903e4) 2024-06-27 15:09:46 +08:00
			`Specifically, for CIDFont substitution.`
			`---`
			`pdf/pdf_font.c \| 45 +++++++++++++++++++++++++++++++++++++++------`
			`pdf/pdf_warnings.h \| 2 +-`
			`2 files changed, 40 insertions(+), 7 deletions(-)`

			`diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c`
			`index fa71605..89c13ab 100644`
			`--- a/pdf/pdf_font.c`
			`+++ b/pdf/pdf_font.c`
			`@@ -228,22 +228,55 @@ pdfi_open_CIDFont_substitute_file(pdf_context * ctx, pdf_dict *font_dict, pdf_di`
			`memcpy(fontfname, fsprefix, fsprefixlen);`
			`}`
			`else {`
			`- memcpy(fontfname, ctx->args.cidsubstpath.data, ctx->args.cidsubstpath.size);`
			`- fsprefixlen = ctx->args.cidsubstpath.size;`
			`+ if (ctx->args.cidsubstpath.size + 1 > gp_file_name_sizeof) {`
			`+ code = gs_note_error(gs_error_rangecheck);`
			`+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstPath parameter too long");`
			`+ if (ctx->args.pdfstoponwarning != 0) {`
			`+ goto exit;`
			`+ }`
			`+ code = 0;`
			`+ memcpy(fontfname, fsprefix, fsprefixlen);`
			`+ }`
			`+ else {`
			`+ memcpy(fontfname, ctx->args.cidsubstpath.data, ctx->args.cidsubstpath.size);`
			`+ fsprefixlen = ctx->args.cidsubstpath.size;`
			`+ }`
			`}`

			`if (ctx->args.cidsubstfont.data == NULL) {`
			`int len = 0;`
			`- if (gp_getenv("CIDSUBSTFONT", (char *)0, &len) < 0 && len + fsprefixlen + 1 < gp_file_name_sizeof) {`
			`- (void)gp_getenv("CIDSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);`
			`+ if (gp_getenv("CIDSUBSTFONT", (char *)0, &len) < 0) {`
			`+ if (len + fsprefixlen + 1 > gp_file_name_sizeof) {`
			`+ code = gs_note_error(gs_error_rangecheck);`
			`+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSUBSTFONT environment variable too long");`
			`+ if (ctx->args.pdfstoponwarning != 0) {`
			`+ goto exit;`
			`+ }`
			`+ code = 0;`
			`+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);`
			`+ }`
			`+ else {`
			`+ (void)gp_getenv("CIDSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);`
			`+ }`
			`}`
			`else {`
			`memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);`
			`}`
			`}`
			`else {`
			`- memcpy(fontfname, ctx->args.cidsubstfont.data, ctx->args.cidsubstfont.size);`
			`- defcidfallacklen = ctx->args.cidsubstfont.size;`
			`+ if (ctx->args.cidsubstfont.size > gp_file_name_sizeof - 1) {`
			`+ code = gs_note_error(gs_error_rangecheck);`
			`+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstFont parameter too long");`
			`+ if (ctx->args.pdfstoponwarning != 0) {`
			`+ goto exit;`
			`+ }`
			`+ code = 0;`
			`+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);`
			`+ }`
			`+ else {`
			`+ memcpy(fontfname, ctx->args.cidsubstfont.data, ctx->args.cidsubstfont.size);`
			`+ defcidfallacklen = ctx->args.cidsubstfont.size;`
			`+ }`
			`}`
			`fontfname[fsprefixlen + defcidfallacklen] = '\0';`

			`diff --git a/pdf/pdf_warnings.h b/pdf/pdf_warnings.h`
			`index 21b2403..bfbc3a7 100644`
			`--- a/pdf/pdf_warnings.h`
			`+++ b/pdf/pdf_warnings.h`
			`@@ -58,5 +58,5 @@ PARAM(W_PDF_CA_OUTOFRANGE, "CA or ca value not in range 0.0 to 1.0, cla`
			`PARAM(W_PDF_INVALID_DEFAULTSPACE, "Invalid DefaultGray, DefaultRGB or DefaultCMYK space specified, ignored."),`
			`PARAM(W_PDF_INVALID_DECRYPT_LEN, "Invalid /Length supplied in Encryption dictionary."),`
			`PARAM(W_PDF_INVALID_FONT_BASEENC, "Ignoring invalid BaseEncoding name in font"),`
			`-`
			`+PARAM(W_PDF_BAD_CONFIG, "A configuration or command line parameter was invalid or incorrect."),`
			`#undef PARAM`
			`--`
			`2.43.0`