ghostscript/backport-CVE-2025-27836.patch

From db77f4c0ce0298625f75059cb6b8c31e61350753 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 13 Jan 2025 09:07:57 +0000
Subject: Bug 708192: Fix potential print buffer overflow

CVE-2025-27836
---
 contrib/japanese/gdev10v.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
index 0bd3cec02..9d27573dc 100644
--- a/contrib/japanese/gdev10v.c
+++ b/contrib/japanese/gdev10v.c
@@ -199,17 +199,25 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream)
         int bytes_per_column = bits_per_column / 8;
         int x_skip_unit = bytes_per_column * (xres / 180);
         int y_skip_unit = (yres / 180);
-        byte *in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
-        /* We need one extra byte in <out> for our sentinel. */
-        byte *out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
+        byte *in, *out;
         int lnum = 0;
         int y_skip = 0;
         int code = 0;
         int blank_lines = 0;
         int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3;
 
-        if ( in == 0 || out == 0 )
-                return -1;
+        if (bits_per_column == 0 || line_size > (max_int - 1) / bits_per_column) {
+            code = gs_note_error(gs_error_rangecheck);
+            goto error;
+        }
+
+        in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
+        /* We need one extra byte in <out> for our sentinel. */
+        out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
+        if ( in == NULL || out == NULL ) {
+            code = gs_note_error(gs_error_VMerror);
+            goto error;
+        }
 
         /* Initialize the printer. */
         prn_puts(pdev, "\033@");
@@ -320,8 +328,10 @@ notz:
            }
 
         /* Eject the page */
-xit:	prn_putc(pdev, 014);	/* form feed */
+xit:
+        prn_putc(pdev, 014); /* form feed */
         prn_flush(pdev);
+error:
         gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
         gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
         return code;
-- 
cgit v1.2.3
fix CVE-2025-27830, CVE-2025-27832, CVE-2025-27833, CVE-2025-27834, CVE-2025-27835, CVE-2025-27836 2025-03-27 12:45:19 +08:00			`From db77f4c0ce0298625f75059cb6b8c31e61350753 Mon Sep 17 00:00:00 2001`
			`From: Zdenek Hutyra <zhutyra@centrum.cz>`
			`Date: Mon, 13 Jan 2025 09:07:57 +0000`
			`Subject: Bug 708192: Fix potential print buffer overflow`

			`CVE-2025-27836`
			`---`
			`contrib/japanese/gdev10v.c \| 22 ++++++++++++++++------`
			`1 file changed, 16 insertions(+), 6 deletions(-)`

			`diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c`
			`index 0bd3cec02..9d27573dc 100644`
			`--- a/contrib/japanese/gdev10v.c`
			`+++ b/contrib/japanese/gdev10v.c`
			`@@ -199,17 +199,25 @@ bj10v_print_page(gx_device_printer pdev, gp_file prn_stream)`
			`int bytes_per_column = bits_per_column / 8;`
			`int x_skip_unit = bytes_per_column * (xres / 180);`
			`int y_skip_unit = (yres / 180);`
			`- byte in = (byte )gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");`
			`- /* We need one extra byte in <out> for our sentinel. */`
			`- byte out = (byte )gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");`
			`+ byte in, out;`
			`int lnum = 0;`
			`int y_skip = 0;`
			`int code = 0;`
			`int blank_lines = 0;`
			`int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3;`

			`- if ( in == 0 \|\| out == 0 )`
			`- return -1;`
			`+ if (bits_per_column == 0 \|\| line_size > (max_int - 1) / bits_per_column) {`
			`+ code = gs_note_error(gs_error_rangecheck);`
			`+ goto error;`
			`+ }`
			`+`
			`+ in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");`
			`+ /* We need one extra byte in <out> for our sentinel. */`
			`+ out = (byte )gs_malloc(pdev->memory->non_gc_memory, bits_per_column line_size + 1, 1, "bj10v_print_page(out)");`
			`+ if ( in == NULL \|\| out == NULL ) {`
			`+ code = gs_note_error(gs_error_VMerror);`
			`+ goto error;`
			`+ }`

			`/* Initialize the printer. */`
			`prn_puts(pdev, "\033@");`
			`@@ -320,8 +328,10 @@ notz:`
			`}`

			`/* Eject the page */`
			`-xit: prn_putc(pdev, 014); /* form feed */`
			`+xit:`
			`+ prn_putc(pdev, 014); /* form feed */`
			`prn_flush(pdev);`
			`+error:`
			`gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");`
			`gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");`
			`return code;`
			`--`
			`cgit v1.2.3`