ghostscript/backport-CVE-2025-27833.patch

From 477e36cfa1faa0037069a22eeeb4fc750733f120 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 20 Jan 2025 09:38:59 +0000
Subject: Bug 708259: Check TTF name size before copying to buffer.

CVE-2025-27833
---
 pdf/pdf_fmap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pdf/pdf_fmap.c b/pdf/pdf_fmap.c
index ee05af1..4458b5b 100644
--- a/pdf/pdf_fmap.c
+++ b/pdf/pdf_fmap.c
@@ -539,7 +539,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4]
                     if (u16(rec + 6) == 6) {
                         int nl = u16(rec + 8);
                         int noffs = u16(rec + 10);
-                        if (nl + noffs + storageOffset > table_len) {
+                        if (nl + noffs + storageOffset > table_len || nl >= pname_size) {
                             break;
                         }
                         memcpy(pname, namet + storageOffset + noffs, nl);
@@ -559,7 +559,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4]
                         if (u16(rec + 6) == 4) {
                             int nl = u16(rec + 8);
                             int noffs = u16(rec + 10);
-                            if (nl + noffs + storageOffset > table_len) {
+                            if (nl + noffs + storageOffset > table_len || nl >= pname_size) {
                                 break;
                             }
                             memcpy(pname, namet + storageOffset + noffs, nl);
fix CVE-2025-27830, CVE-2025-27832, CVE-2025-27833, CVE-2025-27834, CVE-2025-27835, CVE-2025-27836 2025-03-27 12:45:19 +08:00			`From 477e36cfa1faa0037069a22eeeb4fc750733f120 Mon Sep 17 00:00:00 2001`
			`From: Zdenek Hutyra <zhutyra@centrum.cz>`
			`Date: Mon, 20 Jan 2025 09:38:59 +0000`
			`Subject: Bug 708259: Check TTF name size before copying to buffer.`

			`CVE-2025-27833`
			`---`
			`pdf/pdf_fmap.c \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/pdf/pdf_fmap.c b/pdf/pdf_fmap.c`
			`index ee05af1..4458b5b 100644`
			`--- a/pdf/pdf_fmap.c`
			`+++ b/pdf/pdf_fmap.c`
			`@@ -539,7 +539,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context ctx, stream f, byte magic[4]`
			`if (u16(rec + 6) == 6) {`
			`int nl = u16(rec + 8);`
			`int noffs = u16(rec + 10);`
			`- if (nl + noffs + storageOffset > table_len) {`
			`+ if (nl + noffs + storageOffset > table_len \|\| nl >= pname_size) {`
			`break;`
			`}`
			`memcpy(pname, namet + storageOffset + noffs, nl);`
			`@@ -559,7 +559,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context ctx, stream f, byte magic[4]`
			`if (u16(rec + 6) == 4) {`
			`int nl = u16(rec + 8);`
			`int noffs = u16(rec + 10);`
			`- if (nl + noffs + storageOffset > table_len) {`
			`+ if (nl + noffs + storageOffset > table_len \|\| nl >= pname_size) {`
			`break;`
			`}`
			`memcpy(pname, namet + storageOffset + noffs, nl);`