ghostscript/backport-CVE-2025-27832.patch

From 36ac25fca7ba65a2a24d96d553e8dd63990210b9 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Wed, 20 Nov 2024 11:42:31 +0000
Subject: Bug 708133: Avoid integer overflow leading to buffer overflow

The calculation of the buffer size was being done with int values, and
overflowing that data type. By leaving the total size calculation to the
memory manager, the calculation ends up being done in size_t values, and
avoiding the overflow in this case, but also meaning the memory manager
overflow protection will be effective.

CVE-2025-27832
---
 contrib/japanese/gdevnpdl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
index 60065bacf..4967282bd 100644
--- a/contrib/japanese/gdevnpdl.c
+++ b/contrib/japanese/gdevnpdl.c
@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
     int code;
     int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
 
-    if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
+    if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
         return_error(gs_error_VMerror);
 
         /* Initialize printer */
@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
     /* Form Feed */
     gp_fputs("\014", prn_stream);
 
-    gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
+    gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
     return 0;
 }
 
-- 
cgit v1.2.3
fix CVE-2025-27830, CVE-2025-27832, CVE-2025-27833, CVE-2025-27834, CVE-2025-27835, CVE-2025-27836 2025-03-27 12:45:19 +08:00			`From 36ac25fca7ba65a2a24d96d553e8dd63990210b9 Mon Sep 17 00:00:00 2001`
			`From: Zdenek Hutyra <zhutyra@centrum.cz>`
			`Date: Wed, 20 Nov 2024 11:42:31 +0000`
			`Subject: Bug 708133: Avoid integer overflow leading to buffer overflow`

			`The calculation of the buffer size was being done with int values, and`
			`overflowing that data type. By leaving the total size calculation to the`
			`memory manager, the calculation ends up being done in size_t values, and`
			`avoiding the overflow in this case, but also meaning the memory manager`
			`overflow protection will be effective.`

			`CVE-2025-27832`
			`---`
			`contrib/japanese/gdevnpdl.c \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c`
			`index 60065bacf..4967282bd 100644`
			`--- a/contrib/japanese/gdevnpdl.c`
			`+++ b/contrib/japanese/gdevnpdl.c`
			`@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c`
			`int code;`
			`int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;`

			`- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))`
			`+ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))`
			`return_error(gs_error_VMerror);`

			`/* Initialize printer */`
			`@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c`
			`/* Form Feed */`
			`gp_fputs("\014", prn_stream);`

			`- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");`
			`+ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");`
			`return 0;`
			`}`

			`--`
			`cgit v1.2.3`