!114 Fix CVE-2024-46953

From: @li_ning_jie Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
2024-10-25 09:03:42 +00:00 · 2024-10-25 09:03:42 +00:00 · fc0384a61d
commit fc0384a61d
parent ceab929748 2713d38749
2 changed files with 75 additions and 2 deletions
--- a/backport-CVE-2024-46953.patch
+++ b/backport-CVE-2024-46953.patch
@ -0,0 +1,66 @@
 From 294a3755e33f453dd92e2a7c4cfceb087ac09d6a Mon Sep 17 00:00:00 2001
 From: Zdenek Hutyra <zhutyra@centrum.cz>
 Date: Mon, 27 May 2024 13:38:36 +0100
 Subject: [PATCH] Bug 707793: Check for overflow validating format string
 for the output file name
 CVE-2024-46953
 ---
 base/gsdevice.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
 diff --git a/base/gsdevice.c b/base/gsdevice.c
 index 90e699ab4..c1eaedd85 100644
 --- a/base/gsdevice.c
 +++ b/base/gsdevice.c
@@ -1070,7 +1070,7 @@ static int
 gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
 {
     bool have_format = false, field;
 -    int width[2], int_width = sizeof(int) * 3, w = 0;
 +    uint width[2], int_width = sizeof(int) * 3, w = 0;
     uint i;
     /* Scan the file name for a format string, and validate it if present. */
@@ -1099,6 +1099,8 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
                         default: /* width (field = 0) and precision (field = 1) */
                             if (strchr("0123456789", pfn->fname[i])) {
                                 width[field] = width[field] * 10 + pfn->fname[i] - '0';
 +                                if (width[field] > max_int)
 +	                                return_error(gs_error_undefinedfilename);
                                 continue;
                             } else if (0 == field && '.' == pfn->fname[i]) {
                                 field++;
@@ -1127,8 +1129,10 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
         /* Calculate a conservative maximum width. */
         w = max(width[0], width[1]);
         w = max(w, int_width) + 5;
 +        if (w > max_int)
 +            return_error(gs_error_undefinedfilename);
     }
 -    return w;
 +    return (int)w;
 }
 /*
@@ -1181,10 +1185,15 @@ gx_parse_output_file_name(gs_parsed_file_name_t *pfn, const char **pfmt,
     if (!pfn->fname)
         return 0;
     code = gx_parse_output_format(pfn, pfmt);
 -    if (code < 0)
 +    if (code < 0) {
         return code;
 -    if (strlen(pfn->iodev->dname) + pfn->len + code >= gp_file_name_sizeof)
 +    }
 +
 +    if (pfn->len >= gp_file_name_sizeof - strlen(pfn->iodev->dname) ||
 +        code >= gp_file_name_sizeof - strlen(pfn->iodev->dname) - pfn->len) {
         return_error(gs_error_undefinedfilename);
 +    }
 +
     return 0;
 }
 -- 
 2.34.1
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -9,7 +9,7 @@
 Name:             ghostscript
 Version:          9.56.1
-Release:          8
+Release:          9
 Summary:          An interpreter for PostScript and PDF files
 License:          AGPLv3+
 URL:              https://ghostscript.com/
@ -64,6 +64,7 @@ Patch116:  Bug-707510-fix-LIBIDN-usage.patch
 # See bug thread for details
 #This is the second part of the fix for CVE-2024-33869
 Patch117:  fix-CVE-2024-33869-second.patch
 Patch118:   backport-CVE-2024-46953.patch
 BuildRequires:    automake gcc
 BuildRequires:    adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -149,7 +150,7 @@ PDF files using Ghostscript and dvips
 %patch115 -p1
 %patch116 -p1
 %patch117 -p1
-
+%patch118 -p1
 # Libraries that we already have packaged(see Build Requirements):
 rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
@ -243,6 +244,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 %changelog
 * Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.56.1-9
 - Type:CVE
 - ID:NA
 - SUG:NA
 - DECS: Fix CVE-2024-46953
 * Fri Jul 12 2024 zhangxianting <zhangxianting@uniontech.com> - 9.56.1-8
 - Type:CVE
 - ID:NA