packages/ghostscript
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-15900

Browse Source
This commit is contained in:
yang_zhuang_zhuang 2020-09-10 09:30:50 +08:00
parent 5e72427c6c
commit 55ea825aa0
2 changed files with 58 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch Normal file
View File

@ -0,0 +1,50 @@
From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001
From: Ray Johnston <ray.johnston@artifex.com>
Date: Wed, 22 Jul 2020 09:57:54 -0700
Subject: [PATCH 410/532] Bug 702582, CVE 2020-15900 Memory Corruption in
Ghostscript 9.52
Fix the 'rsearch' calculation for the 'post' size to give the correct
size. Previous calculation would result in a size that was too large,
and could underflow to max uint32_t. Also fix 'rsearch' to return the
correct 'pre' string with empty string match.
A future change may 'undefine' this undocumented, non-standard operator
during initialization as we do with the many other non-standard internal
PostScript operators and procedures.
---
psi/zstring.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/psi/zstring.c b/psi/zstring.c
index 33662da..58e1af2 100644
--- a/psi/zstring.c
+++ b/psi/zstring.c
@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
return 0;
found:
op->tas.type_attrs = op1->tas.type_attrs;
- op->value.bytes = ptr;
- r_set_size(op, size);
+ op->value.bytes = ptr; /* match */
+ op->tas.rsize = size; /* match */
push(2);
- op[-1] = *op1;
- r_set_size(op - 1, ptr - op[-1].value.bytes);
- op1->value.bytes = ptr + size;
- r_set_size(op1, count + (!forward ? (size - 1) : 0));
+ op[-1] = *op1; /* pre */
+ op[-3].value.bytes = ptr + size; /* post */
+ if (forward) {
+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
+ op[-3].tas.rsize = count; /* post */
+ } else {
+ op[-1].tas.rsize = count; /* pre */
+ op[-3].tas.rsize -= count + size; /* post */
+ }
make_true(op);
return 0;
}
--
1.8.3.1

9
ghostscript.spec
View File

@ -9,7 +9,7 @@
Name: ghostscript Name: ghostscript
Version: 9.52 Version: 9.52
Release: 2 Release: 3
Summary: An interpreter for PostScript and PDF files Summary: An interpreter for PostScript and PDF files
License: AGPLv3+ License: AGPLv3+
URL: https://ghostscript.com/ URL: https://ghostscript.com/
@ -40,6 +40,7 @@ Patch21: Bug-702335-jbig2dec-Refill-input-buffer-upon-failure-to-parse-segment-h
Patch22: Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch Patch22: Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch
Patch23: Bug-697545-Prevent-numerous-memory-leaks.patch Patch23: Bug-697545-Prevent-numerous-memory-leaks.patch
Patch24: lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch Patch24: lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch
Patch25: Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch
BuildRequires: automake gcc BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -200,6 +201,12 @@ make check
%{_bindir}/dvipdf %{_bindir}/dvipdf
%changelog %changelog
* Thu Sep 10 2020 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 9.52-3
- Type:bugfix
- ID:CVE-2020-15900
- SUG:NA
- DESC:fix CVE-2020-15900
* Thu Sep 3 2020 wangchen <wangchen137@huawei.com> - 9.52-2 * Thu Sep 3 2020 wangchen <wangchen137@huawei.com> - 9.52-2
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA