ghostscript/backport-CVE-2025-27834.patch

From 3885f8307726fa7611b39fa1376403406bdbd55c Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 20 Jan 2025 16:13:46 +0000
Subject: PDF interpreter - Guard against unsigned int overflow

Bug #708253 - see bug report for details.

CVE-2025-27834
---
 pdf/pdf_func.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pdf/pdf_func.c b/pdf/pdf_func.c
index 635fdac54..93492c783 100644
--- a/pdf/pdf_func.c
+++ b/pdf/pdf_func.c
@@ -153,6 +153,9 @@ pdfi_parse_type4_func_stream(pdf_context *ctx, pdf_c_stream *function_stream, in
     byte *p = (ops ? ops + *size : NULL);
 
     while (1) {
+        if (*size > max_uint / 2)
+            return gs_note_error(gs_error_VMerror);
+
         c = pdfi_read_byte(ctx, function_stream);
         if (c < 0)
             break;
@@ -321,6 +324,11 @@ pdfi_build_function_4(pdf_context *ctx, gs_function_params_t * mnDR,
     if (code < 0)
         goto function_4_error;
 
+    if (size > max_uint - 1) {
+        code = gs_note_error(gs_error_VMerror);
+        goto function_4_error;
+    }
+
     ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_function_4(ops)");
     if (ops == NULL) {
         code = gs_error_VMerror;
@@ -825,6 +833,11 @@ int pdfi_build_halftone_function(pdf_context *ctx, gs_function_t ** ppfn, byte *
     if (code < 0)
         goto halftone_function_error;
 
+    if (size > max_uint - 1) {
+        code = gs_note_error(gs_error_VMerror);
+        goto halftone_function_error;
+    }
+
     ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_halftone_function(ops)");
     if (ops == NULL) {
         code = gs_error_VMerror;
-- 
cgit v1.2.3
fix CVE-2025-27830, CVE-2025-27832, CVE-2025-27833, CVE-2025-27834, CVE-2025-27835, CVE-2025-27836 2025-03-27 12:45:19 +08:00			`From 3885f8307726fa7611b39fa1376403406bdbd55c Mon Sep 17 00:00:00 2001`
			`From: Zdenek Hutyra <zhutyra@centrum.cz>`
			`Date: Mon, 20 Jan 2025 16:13:46 +0000`
			`Subject: PDF interpreter - Guard against unsigned int overflow`

			`Bug #708253 - see bug report for details.`

			`CVE-2025-27834`
			`---`
			`pdf/pdf_func.c \| 13 +++++++++++++`
			`1 file changed, 13 insertions(+)`

			`diff --git a/pdf/pdf_func.c b/pdf/pdf_func.c`
			`index 635fdac54..93492c783 100644`
			`--- a/pdf/pdf_func.c`
			`+++ b/pdf/pdf_func.c`
			`@@ -153,6 +153,9 @@ pdfi_parse_type4_func_stream(pdf_context ctx, pdf_c_stream function_stream, in`
			`byte p = (ops ? ops + size : NULL);`

			`while (1) {`
			`+ if (*size > max_uint / 2)`
			`+ return gs_note_error(gs_error_VMerror);`
			`+`
			`c = pdfi_read_byte(ctx, function_stream);`
			`if (c < 0)`
			`break;`
			`@@ -321,6 +324,11 @@ pdfi_build_function_4(pdf_context ctx, gs_function_params_t mnDR,`
			`if (code < 0)`
			`goto function_4_error;`

			`+ if (size > max_uint - 1) {`
			`+ code = gs_note_error(gs_error_VMerror);`
			`+ goto function_4_error;`
			`+ }`
			`+`
			`ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_function_4(ops)");`
			`if (ops == NULL) {`
			`code = gs_error_VMerror;`
			`@@ -825,6 +833,11 @@ int pdfi_build_halftone_function(pdf_context ctx, gs_function_t * ppfn, byte *`
			`if (code < 0)`
			`goto halftone_function_error;`

			`+ if (size > max_uint - 1) {`
			`+ code = gs_note_error(gs_error_VMerror);`
			`+ goto halftone_function_error;`
			`+ }`
			`+`
			`ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_halftone_function(ops)");`
			`if (ops == NULL) {`
			`code = gs_error_VMerror;`
			`--`
			`cgit v1.2.3`