fix problems detected by oss-fuzz test

This commit is contained in:
Liquor 2020-10-31 09:53:30 +08:00
parent 96a982af3c
commit 1e2629b0ea
4 changed files with 148 additions and 1 deletions


@ -9,7 +9,7 @@
Name: ghostscript
Version: 9.52
Release: 3
Release: 4
Summary: An interpreter for PostScript and PDF files
License: AGPLv3+
URL: https://ghostscript.com/
@ -41,6 +41,9 @@ Patch22: Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch
Patch23: Bug-697545-Prevent-numerous-memory-leaks.patch
Patch24: lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch
Patch25: Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch
Patch26: oss-fuzz-22182-validate-glyph-offset-length-values.patch
Patch27: oss-fuzz-23637-Fix-error-code-confusion.patch
Patch28: oss-fuzz-23946-Move-buffer-bounds-check-to-before-us.patch
BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -201,6 +204,12 @@ make check
%{_bindir}/dvipdf
%changelog
* Sat Oct 31 2020 Liquor <lirui130@huawei.com> - 9.52-4
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix problems detected by oss-fuzz test
* Thu Sep 10 2020 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 9.52-3
- Type:bugfix
- ID:CVE-2020-15900


@ -0,0 +1,50 @@
From 889df15d7c69e1fc90c6491f574352cacf9bc065 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 11 Jun 2020 11:54:32 +0100
Subject: [PATCH] oss-fuzz 22182: validate glyph offset/length values
Check if the glyph offset and offset + length are larger than the size of the
font stream before we can use it.
---
psi/zfapi.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/psi/zfapi.c b/psi/zfapi.c
index eac2ce3e2..5193aff74 100644
--- a/psi/zfapi.c
+++ b/psi/zfapi.c
@@ -1694,19 +1694,29 @@ FAPI_FF_get_glyph(gs_fapi_font *ff, int char_code, byte *buf,
glyph_length = gs_fapi_glyph_invalid_index;
}
else {
- ulong noffs;
+ ulong noffs, endoffs;
+ int code;
/* If we haven't got a len_glyphs array, try using the offset of the next glyph offset
* to work out the length
*/
error = sfnt_get_glyph_offset(pdr, pfont42, char_code + 1, &noffs);
if (error == 0) {
glyph_length = noffs - offset0;
+ code = sfnt_get_sfnt_length(pdr, &endoffs);
+ if (code < 0) {
+ glyph_length = gs_fapi_glyph_invalid_index;
+ }
+ else {
+ if (glyph_length + offset0 > endoffs) {
+ glyph_length = gs_fapi_glyph_invalid_index;
+ }
+ }
}
else {
/* And if we can't get the next glyph offset, use the end of the sfnt data
* to work out the length.
*/
- int code = sfnt_get_sfnt_length(pdr, &noffs);
+ code = sfnt_get_sfnt_length(pdr, &noffs);
if (code < 0) {
glyph_length = gs_fapi_glyph_invalid_index;
}
--
2.27.0
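Review bot: The added `if (glyph_length + offset0 > endoffs)` check does not reject a next-glyph offset that lies before the current one: `glyph_length = noffs - offset0` is computed first, `noffs` is declared `ulong`, so when `noffs < offset0` the subtraction wraps and adding `offset0` back simply yields `noffs` again, reducing the test to `noffs > endoffs` and letting a wrapped, huge `glyph_length` through whenever `noffs <= endoffs`. A loca table with non-monotonic offsets is a routine fuzzer input, so the guard should also cover that ordering: `if (noffs < offset0 || glyph_length + offset0 > endoffs) {`. The types of `glyph_length` and `offset0` are not visible in the hunk; if either is signed the wrap reasoning changes, but the missing `noffs < offset0` test still applies. The same `glyph_length = noffs - offset0;` line appears again in the first hunk of the oss-fuzz 23637 patch below, where the same guard is needed, and the `else` branch that handles the no-next-glyph case continues past the end of this hunk.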


@ -0,0 +1,47 @@
From bbd106e8f9345296cb5b5a452487bda603d54173 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Mon, 21 Sep 2020 22:16:34 +0100
Subject: [PATCH] oss-fuzz 23637: Fix error code confusion
Confusion of error codes meant we were allocating space for glyph data,
but never copying the data into it. Thus the memory sanitizer error.
---
psi/zfapi.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/psi/zfapi.c b/psi/zfapi.c
index aa988ed6e..d38f56498 100644
--- a/psi/zfapi.c
+++ b/psi/zfapi.c
@@ -2118,15 +2118,14 @@ FAPI_FF_get_glyph(gs_fapi_font *ff, gs_glyph char_code, byte *buf, int buf_lengt
}
else {
ulong noffs, endoffs;
- int code;
/* If we haven't got a len_glyphs array, try using the offset of the next glyph offset
* to work out the length
*/
error = sfnt_get_glyph_offset(pdr, pfont42, char_code + 1, &noffs);
if (error == 0) {
glyph_length = noffs - offset0;
- code = sfnt_get_sfnt_length(pdr, &endoffs);
- if (code < 0) {
+ error = sfnt_get_sfnt_length(pdr, &endoffs);
+ if (error < 0) {
glyph_length = gs_fapi_glyph_invalid_index;
}
else {
@@ -2139,8 +2138,8 @@ FAPI_FF_get_glyph(gs_fapi_font *ff, gs_glyph char_code, byte *buf, int buf_lengt
/* And if we can't get the next glyph offset, use the end of the sfnt data
* to work out the length.
*/
- code = sfnt_get_sfnt_length(pdr, &noffs);
- if (code < 0) {
+ error = sfnt_get_sfnt_length(pdr, &noffs);
+ if (error < 0) {
glyph_length = gs_fapi_glyph_invalid_index;
}
else {
--
2.27.0


@ -0,0 +1,41 @@
From fd902c6702ef81008d7c91b09a0723661c0f9201 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 1 Oct 2020 16:06:31 +0100
Subject: [PATCH] oss-fuzz 23946: Move buffer bounds check to *before* using
it!
ASCII85Decode filter: We correctly bounds check the buffer size, but dumbly
were doing so *after* we'd used the relevant indices into the buffer. Change
that order, and add another check.
---
base/sa85d.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/base/sa85d.c b/base/sa85d.c
index f9fa57fed..0fbef465a 100644
--- a/base/sa85d.c
+++ b/base/sa85d.c
@@ -135,9 +135,9 @@ s_A85D_process(stream_state * st, stream_cursor_read * pr,
* So we allow CR/LF between them. */
/* PDF further relaxes the requirements and accepts bare '~'.
*/
- while ((p[i] == 13 || p[i] == 10) && (p+i <= rlimit))
+ while ((p + i <= rlimit) && (p[i] == 13 || p[i] == 10))
i++;
- if (p[i] != '>') {
+ if (p + i <= rlimit && p[i] != '>') {
if (ss->pdf_rules) {
if (p[i] == 13 || p[i] == 10) {
if (!last)
@@ -146,7 +146,7 @@ s_A85D_process(stream_state * st, stream_cursor_read * pr,
p--;
}
} else {
- if (p+i == rlimit) {
+ if (p + i == rlimit) {
if (last)
status = ERRC;
else
--
2.27.0
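Review bot: With the bounds test now placed before the `p[i] != '>'` read, the `if (p[i] == 13 || p[i] == 10)` branch under `ss->pdf_rules` looks unreachable: the preceding `while` only stops with `p + i <= rlimit` when `p[i]` is neither CR nor LF, so the `if (!last)` need-more-data path for a '~' followed only by line ends at the end of the buffer is no longer taken. That input now skips the whole block because `p + i > rlimit` falsifies the new condition, and what happens next is decided by code after the hunk (the `case` body continues outside it), so it is worth confirming that the filter still waits for more data when `last` is false and reports a truncated `~<CR>` as an error when it is true, rather than consuming the '~' silently. The `<=` comparison suggests `rlimit` is inclusive, which I have assumed above; the reordered `while` condition is correct as written, and the `p+i == rlimit` edit in the second hunk is whitespace only.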