packages/ghostscript
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:fd05d51f048f648f90da58d8c43e777f74b34eb0
Branches Tags
packages:main
...
compare: packages:e59ff0c83ece8d9b984ab95410f6e4072faa4dd2
Branches Tags
packages:main

10 Commits
fd05d51f04 ... e59ff0c83e

Author SHA1 Message Date
openeuler-ci-bot
e59ff0c83e
!176 [sync] PR-172: Fix CVE-2025-27831 
From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
 2025-04-02 08:01:13 +00:00
Funda Wang
53779a224b Fix CVE-2025-27831 
(cherry picked from commit c9fc48282a98797459501057eb28dc1e3f97e246)
 2025-04-02 15:19:33 +08:00
openeuler-ci-bot
af9969dfce
!171 [sync] PR-167: Add CJK Chinese font mappings 
From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
 2025-04-01 01:28:44 +00:00
hdliu
6c6d9e17a6 Add CJK Chinese font mappings 
Signed-off-by: hdliu <dev03108@linx-info.com>
(cherry picked from commit d26845f097808d572123ab3ef80a156517f75b72)
 2025-03-31 15:11:40 +08:00
openeuler-ci-bot
fe4554b298
!160 fix CVE-2025-27830, CVE-2025-27832, CVE-2025-27833, CVE-2025-27834, CVE-2025-27835, CVE-2025-27836 
From: @fundawang 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
 2025-03-28 03:12:47 +00:00
Funda Wang
f5d02858f6 fix CVE-2025-27830, CVE-2025-27832, CVE-2025-27833, CVE-2025-27834, CVE-2025-27835, CVE-2025-27836 2025-03-27 12:45:19 +08:00
openeuler-ci-bot
88b95b6e53
!145 Fix CVE-2024-46955 
From: @li_ning_jie 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
 2024-11-11 02:15:33 +00:00
李宁杰
9f2ec902ba
Fix CVE-2024-46955 2024-11-08 03:19:03 +00:00
openeuler-ci-bot
a27b85f940
!141 Fix CVE-2024-46952 
From: @li_ning_jie 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
 2024-11-05 07:30:26 +00:00
李宁杰
ab32865dc1
Fix CVE-2024-46952 2024-11-05 02:24:02 +00:00
15 changed files with 637 additions and 62 deletions
Show Stats Expand all files Collapse all files

31
Add-CJK-Chinese-font-mappings.patch Normal file
View File

@ -0,0 +1,31 @@
From 5c20134b8fe5ea683f5f546c467bed8469115d04 Mon Sep 17 00:00:00 2001
From: hdliu <dev03108@linx-info.com>
Date: Fri, 28 Mar 2025 13:15:56 +0800
Subject: [PATCH 2/2] Add CJK font mappings
Modify the Resource/Init/cidfmap file, add font mappings so that the PS interpreter can rasterize Chinese content using the two fonts STKaiti-Regular and STheiti-Regular.
Signed-off-by: hdliu <dev03108@linx-info.com>
---
Resource/Init/cidfmap | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/Resource/Init/cidfmap b/Resource/Init/cidfmap
index df9b625..d787a62 100644
--- a/Resource/Init/cidfmap
+++ b/Resource/Init/cidfmap
@@ -46,3 +46,11 @@
%
% Note the use of a string to cope with the name containing a space.
%
+/BousungEG-Heiti-GB << /FileType /TrueType /Path (/usr/share/fonts/wqy-zenhei/wqy-zenhei.ttc) /SubfontID 0 /CSI [(GB1) 4] >> ;
+/BousungEG-Kaiti-GB << /FileType /TrueType /Path (/usr/share/fonts/cjkuni-ukai/ukai.ttc) /SubfontID 1 /CSI [(GB1) 2] >> ;
+
+
+/STHeiti-Regular /BousungEG-Heiti-GB ;
+/STKaiti-Regular /BousungEG-Kaiti-GB ;
+
+
--
2.33.0

4
CVE-2023-28879.patch
View File

@ -1,5 +1,5 @@
--- base/sbcp.c.orig 2020-03-19 09:21:42.000000000 +0100
+++ base/sbcp.c 2023-04-03 12:36:26.024927229 +0200
--- a/base/sbcp.c.orig 2020-03-19 09:21:42.000000000 +0100
+++ b/base/sbcp.c 2023-04-03 12:36:26.024927229 +0200
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, strea
byte ch = *++p;

8
CVE-2023-36664.patch
View File

@ -1,5 +1,5 @@
--- base/gpmisc.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ base/gpmisc.c 2023-07-04 08:13:02.173325373 +0200
--- a/base/gpmisc.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ b/base/gpmisc.c 2023-07-04 08:13:02.173325373 +0200
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *
&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
prefix_len = 0;
@ -38,8 +38,8 @@
while (1) {
switch (mode[0])
{
--- base/gslibctx.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ base/gslibctx.c 2023-07-04 08:09:47.834639430 +0200
--- a/base/gslibctx.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ b/base/gslibctx.c 2023-07-04 08:09:47.834639430 +0200
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_m
return gs_error_rangecheck;
}

4
CVE-2023-38559.patch
View File

@ -1,5 +1,5 @@
--- base/gdevdevn.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ base/gdevdevn.c 2023-07-26 11:31:03.873226054 +0200
--- a/base/gdevdevn.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ b/base/gdevdevn.c 2023-07-26 11:31:03.873226054 +0200
@@ -1950,7 +1950,7 @@ devn_pcx_write_rle(const byte * from, co
byte data = *from;

61
backport-CVE-2024-46951.patch
View File

@ -1,31 +1,30 @@
From ada21374f0c90cc3acf7ce0e96302394560c7aee Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Fri, 30 Aug 2024 13:16:39 +0100
Subject: [PATCH] PS interpreter - check the type of the Pattern Implementation
Bug #707991
See bug report for details.
CVE-2024-46951
---
psi/zcolor.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/psi/zcolor.c b/psi/zcolor.c
index d4e7a4438..d3384d75d 100644
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n)
code = array_get(imemory, pImpl, 0, &pPatInst);
if (code < 0)
return code;
+
+ if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
+ return_error(gs_error_typecheck);
cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
if (pattern_instance_uses_base_space(cc.pattern))
*n = n_comps;
--
2.34.1
From ada21374f0c90cc3acf7ce0e96302394560c7aee Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Fri, 30 Aug 2024 13:16:39 +0100
Subject: [PATCH] PS interpreter - check the type of the Pattern Implementation
Bug #707991
See bug report for details.
CVE-2024-46951
---
psi/zcolor.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/psi/zcolor.c b/psi/zcolor.c
index d4e7a4438..d3384d75d 100644
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n)
code = array_get(imemory, pImpl, 0, &pPatInst);
if (code < 0)
return code;
+
+ if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
+ return_error(gs_error_typecheck);
cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
if (pattern_instance_uses_base_space(cc.pattern))
*n = n_comps;
--
2.34.1

61
backport-CVE-2024-46952.patch Normal file
View File

@ -0,0 +1,61 @@
From 1fb76aaddac34530242dfbb9579d9997dae41264 Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Mon, 2 Sep 2024 15:14:01 +0100
Subject: [PATCH] PDF interpreter - sanitise W array values in Xref streams
Bug #708001 "Buffer overflow in PDF XRef stream"
See bug report. I've chosen to fix this by checking the values in the
W array; these can (currently at least) only have certain relatively
small values.
As a future proofing fix I've also updated field_size in
pdf_xref_stream_entries() to be a 64-bit integer. This is far bigger
than required, but matches the W array values and so prevents the
mismatch which could lead to a buffer overrun.
CVE-2024-46952
---
pdf/pdf_xref.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c
index 7e61113..ad45852 100644
--- a/pdf/pdf_xref.c
+++ b/pdf/pdf_xref.c
@@ -53,7 +53,7 @@ static int resize_xref(pdf_context *ctx, uint64_t new_size)
static int read_xref_stream_entries(pdf_context *ctx, pdf_c_stream *s, uint64_t first, uint64_t last, uint64_t *W)
{
uint i, j;
- uint field_width = 0;
+ uint64_t field_width = 0;
uint32_t type = 0;
uint64_t objnum = 0, gen = 0;
byte *Buffer;
@@ -297,6 +297,24 @@ static int pdfi_process_xref_stream(pdf_context *ctx, pdf_stream *stream_obj, pd
}
pdfi_countdown(a);
+ /* W[0] is either:
+ * 0 (no type field) or a single byte with the type.
+ * W[1] is either:
+ * The object number of the next free object, the byte offset of this object in the file or the object5 number of the object stream where this object is stored.
+ * W[2] is either:
+ * The generation number to use if this object is used again, the generation number of the object or the index of this object within the object stream.
+ *
+ * Object and generation numbers are limited to unsigned 64-bit values, as are bytes offsets in the file, indexes of objects within the stream likewise (actually
+ * most of these are generally 32-bit max). So we can limit the field widths to 8 bytes, enough to hold a 64-bit number.
+ * Even if a later version of the spec makes these larger (which seems unlikely!) we still cna't cope with integers > 64-bits.
+ */
+ if (W[0] > 1 || W[1] > 8 || W[2] > 8) {
+ pdfi_close_file(ctx, XRefStrm);
+ pdfi_countdown(ctx->xref_table);
+ ctx->xref_table = NULL;
+ return code;
+ }
+
code = pdfi_dict_get_type(ctx, sdict, "Index", PDF_ARRAY, (pdf_obj **)&a);
if (code == gs_error_undefined) {
code = read_xref_stream_entries(ctx, XRefStrm, 0, size - 1, (uint64_t *)W);
--
2.43.0

59
backport-CVE-2024-46955.patch Normal file
View File

@ -0,0 +1,59 @@
From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Fri, 30 Aug 2024 13:11:53 +0100
Subject: [PATCH] PS interpreter - check Indexed colour space index
Bug #707990 "Out of bounds read when reading color in "Indexed" color space"
Check the 'index' is in the valid range (0 to hival) for the colour
space.
Also a couple of additional checks on the type of the 'proc' for
Indexed, DeviceN and Separation spaces. Make sure these really are
procs in case the user changed the colour space array.
CVE-2024-46955
---
psi/zcolor.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/psi/zcolor.c b/psi/zcolor.c
index c0d73c2..7d15ec7 100644
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -3629,6 +3629,7 @@ static int septransform(i_ctx_t *i_ctx_p, ref *sepspace, int *usealternate, int
code = array_get(imemory, sepspace, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*esp = proc;
return o_push_estack;
}
@@ -4450,6 +4451,7 @@ static int devicentransform(i_ctx_t *i_ctx_p, ref *devicenspace, int *usealterna
code = array_get(imemory, devicenspace, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*esp = proc;
return o_push_estack;
}
@@ -4865,6 +4867,7 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
code = array_get(imemory, space, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*ep = proc; /* lookup proc */
return o_push_estack;
} else {
@@ -4878,6 +4881,9 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
if (!r_has_type(op, t_integer))
return_error (gs_error_typecheck);
index = op->value.intval;
+ /* Ensure it is in range. See bug #707990 */
+ if (index < 0 || index > pcs->params.indexed.hival)
+ return_error(gs_error_rangecheck);
/* And remove it from the stack. */
ref_stack_pop(&o_stack, 1);
op = osp;
--
2.27.0

72
backport-CVE-2025-27830.patch Normal file
View File

@ -0,0 +1,72 @@
From dc17ab3fe8cd43eeaf3f2da9bcaa30a2be69e57b Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 13 Jan 2025 09:15:01 +0000
Subject: Bug 708241: Fix potential Buffer overflow with DollarBlend
During serializing a multiple master font for passing to Freetype.
Use CVE-2025-27830
---
base/write_t1.c | 9 +++++----
psi/zfapi.c | 9 +++++++--
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/base/write_t1.c b/base/write_t1.c
index 50af7ea..1b17aae 100644
--- a/base/write_t1.c
+++ b/base/write_t1.c
@@ -628,6 +628,7 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
WRF_wbyte(a_fapi_font->memory, a_output, '\n');
if (is_MM_font(a_fapi_font)) {
short x, x2;
+ unsigned short ux;
float x1;
uint i, j, entries;
char Buffer[255];
@@ -759,16 +760,16 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
*/
code = a_fapi_font->get_word(a_fapi_font,
gs_fapi_font_feature_DollarBlend_length,
- 0, (unsigned short *)&x);
+ 0, &ux);
if (code < 0)
return code;
- if (x > 0) {
+ if (ux > 0) {
int len;
WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {");
if (a_output->m_count)
- a_output->m_count += x;
+ a_output->m_count += ux;
len = a_fapi_font->get_proc(a_fapi_font,
gs_fapi_font_feature_DollarBlend, 0,
(char *)a_output->m_pos);
diff --git a/psi/zfapi.c b/psi/zfapi.c
index 6927e60..05bf9dc 100644
--- a/psi/zfapi.c
+++ b/psi/zfapi.c
@@ -683,7 +683,7 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
}
for (i = 0; i < r_size(DBlend); i++) {
if (array_get(ff->memory, DBlend, i, &Element) < 0) {
- *ret = 0;
+ length = 0;
break;
}
switch (r_btype(&Element)) {
@@ -710,7 +710,12 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
default:
break;
}
- }
+
+ if (length > max_ushort) {
+ length = 0;
+ break;
+ }
+ }
*ret = length;
break;
}

121
backport-CVE-2025-27831.patch Normal file
View File

@ -0,0 +1,121 @@
Partial backport of:
From bf79b61cb1677d6865c45d397435848a21e8a647 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Tue, 27 Sep 2022 13:03:57 +0100
Subject: [PATCH] PCL interpreter - fix decode_glyph for Unicode
The text extraction (and pdfwrite family) expect that decode_glyph
should always return pairs of bytes (an assumption that Unicode code
points are 2 bytes), and the return value from the routine should be
the number of bytes required to hold the value.
The PCL decode_glyph routine however was simply returning 1, which
caused the text extraction code some difficulty since it wasn't
expecting that.
This commit firstly alters the text extraction code to cope 'better'
with a decode_glyph routine which returns an odd value (basically
ignore it and fall back to using the character code).
We also alter the pl_decode_glyph routine to return 2 instead of 1,
so that it correctly tells the caller that it is returning 2 bytes.
Finally we make sure that the returned value is big-endian, because the
text extraction code assumes it will be.
---
devices/vector/doc_common.c | 8 ++++++++
pcl/pl/plfont.c | 12 +++++++++---
2 files changed, 17 insertions(+), 3 deletions(-)
--- a/devices/vector/doc_common.c
+++ b/devices/vector/doc_common.c
@@ -513,6 +513,14 @@ int txt_get_unicode(gx_device *dev, gs_f
char *b, *u;
int l = length - 1;
+ /* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly
+ * 2 bytes. If we got an odd number, give up and return the character code.
+ */
+ if (length & 1) {
+ *Buffer = fallback;
+ return 1;
+ }
+
unicode = (ushort *)gs_alloc_bytes(dev->memory, length, "temporary Unicode array");
length = font->procs.decode_glyph((gs_font *)font, glyph, ch, unicode, length);
#if ARCH_IS_BIG_ENDIAN
From d6e713dda4f8d75c6a4ed8c7568a0d4f532dcb17 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Thu, 21 Nov 2024 10:04:17 +0000
Subject: Prevent Unicode decoding overrun
Bug #708132 "Text buffer overflow with long characters"
The txt_get_unicode function was copying too few bytes from the
fixed glyph name to unicode mapping tables. This was probably
causing incorrect Unicode code points in relatively rare cases but
not otherwise a problem.
However, a badly formed GlyphNames2Unicode array attached to a font
could cause the decoding to spill over the assigned buffer.
We really should rewrite the Unicode handling, but until we do just
checking that the length is no more than 4 Unicode code points is
enough to prevent an overrun. All the current clients allocate at least
4 code points per character code.
Added a comment to explain the magic number.
CVE-2025-27831
---
devices/vector/doc_common.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/devices/vector/doc_common.c
+++ b/devices/vector/doc_common.c
@@ -463,7 +463,7 @@ int txt_get_unicode(gx_device *dev, gs_f
}
if (strlen(dentry->Glyph) == gnstr.size) {
if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) {
- memcpy(Buffer, dentry->Unicode, 2);
+ memcpy(Buffer, dentry->Unicode, 2 * sizeof(unsigned short));
return 2;
}
}
@@ -481,7 +481,7 @@ int txt_get_unicode(gx_device *dev, gs_f
}
if (strlen(tentry->Glyph) == gnstr.size) {
if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) {
- memcpy(Buffer, tentry->Unicode, 3);
+ memcpy(Buffer, tentry->Unicode, 3 * sizeof(unsigned short));
return 3;
}
}
@@ -499,7 +499,7 @@ int txt_get_unicode(gx_device *dev, gs_f
}
if (strlen(qentry->Glyph) == gnstr.size) {
if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) {
- memcpy(Buffer, qentry->Unicode, 4);
+ memcpy(Buffer, qentry->Unicode, 4 * sizeof(unsigned short));
return 4;
}
}
@@ -511,12 +511,16 @@ int txt_get_unicode(gx_device *dev, gs_f
return 1;
} else {
char *b, *u;
- int l = length - 1;
+ int l;
/* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly
* 2 bytes. If we got an odd number, give up and return the character code.
+ *
+ * The magic number here is due to the clients calling this code. Currently txtwrite and docxwrite
+ * allow up to 4 Unicode values per character/glyph, if the length would exceed that we can't
+ * write it. For now, again, fall back to the character code.
*/
- if (length & 1) {
+ if (length & 1 || length > 4 * sizeof(unsigned short)) {
*Buffer = fallback;
return 1;
}

41
backport-CVE-2025-27832.patch Normal file
View File

@ -0,0 +1,41 @@
From 36ac25fca7ba65a2a24d96d553e8dd63990210b9 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Wed, 20 Nov 2024 11:42:31 +0000
Subject: Bug 708133: Avoid integer overflow leading to buffer overflow
The calculation of the buffer size was being done with int values, and
overflowing that data type. By leaving the total size calculation to the
memory manager, the calculation ends up being done in size_t values, and
avoiding the overflow in this case, but also meaning the memory manager
overflow protection will be effective.
CVE-2025-27832
---
contrib/japanese/gdevnpdl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
index 60065bacf..4967282bd 100644
--- a/contrib/japanese/gdevnpdl.c
+++ b/contrib/japanese/gdevnpdl.c
@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
int code;
int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
+ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
return_error(gs_error_VMerror);
/* Initialize printer */
@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
/* Form Feed */
gp_fputs("\014", prn_stream);
- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
+ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
return 0;
}
--
cgit v1.2.3

32
backport-CVE-2025-27833.patch Normal file
View File

@ -0,0 +1,32 @@
From 477e36cfa1faa0037069a22eeeb4fc750733f120 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 20 Jan 2025 09:38:59 +0000
Subject: Bug 708259: Check TTF name size before copying to buffer.
CVE-2025-27833
---
pdf/pdf_fmap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pdf/pdf_fmap.c b/pdf/pdf_fmap.c
index ee05af1..4458b5b 100644
--- a/pdf/pdf_fmap.c
+++ b/pdf/pdf_fmap.c
@@ -539,7 +539,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4]
if (u16(rec + 6) == 6) {
int nl = u16(rec + 8);
int noffs = u16(rec + 10);
- if (nl + noffs + storageOffset > table_len) {
+ if (nl + noffs + storageOffset > table_len || nl >= pname_size) {
break;
}
memcpy(pname, namet + storageOffset + noffs, nl);
@@ -559,7 +559,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4]
if (u16(rec + 6) == 4) {
int nl = u16(rec + 8);
int noffs = u16(rec + 10);
- if (nl + noffs + storageOffset > table_len) {
+ if (nl + noffs + storageOffset > table_len || nl >= pname_size) {
break;
}
memcpy(pname, namet + storageOffset + noffs, nl);

53
backport-CVE-2025-27834.patch Normal file
View File

@ -0,0 +1,53 @@
From 3885f8307726fa7611b39fa1376403406bdbd55c Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 20 Jan 2025 16:13:46 +0000
Subject: PDF interpreter - Guard against unsigned int overflow
Bug #708253 - see bug report for details.
CVE-2025-27834
---
pdf/pdf_func.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/pdf/pdf_func.c b/pdf/pdf_func.c
index 635fdac54..93492c783 100644
--- a/pdf/pdf_func.c
+++ b/pdf/pdf_func.c
@@ -153,6 +153,9 @@ pdfi_parse_type4_func_stream(pdf_context *ctx, pdf_c_stream *function_stream, in
byte *p = (ops ? ops + *size : NULL);
while (1) {
+ if (*size > max_uint / 2)
+ return gs_note_error(gs_error_VMerror);
+
c = pdfi_read_byte(ctx, function_stream);
if (c < 0)
break;
@@ -321,6 +324,11 @@ pdfi_build_function_4(pdf_context *ctx, gs_function_params_t * mnDR,
if (code < 0)
goto function_4_error;
+ if (size > max_uint - 1) {
+ code = gs_note_error(gs_error_VMerror);
+ goto function_4_error;
+ }
+
ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_function_4(ops)");
if (ops == NULL) {
code = gs_error_VMerror;
@@ -825,6 +833,11 @@ int pdfi_build_halftone_function(pdf_context *ctx, gs_function_t ** ppfn, byte *
if (code < 0)
goto halftone_function_error;
+ if (size > max_uint - 1) {
+ code = gs_note_error(gs_error_VMerror);
+ goto halftone_function_error;
+ }
+
ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_halftone_function(ops)");
if (ops == NULL) {
code = gs_error_VMerror;
--
cgit v1.2.3

30
backport-CVE-2025-27835.patch Normal file
View File

@ -0,0 +1,30 @@
From 920fae688705b3a25a1f8925f3837219a6243565 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Wed, 20 Nov 2024 11:27:52 +0000
Subject: Bug 708131: Fix confusion between bytes and shorts
We were copying data from a string in multiple of shorts, rather than multiple
of bytes, leading to both an read (probably benign, given the memory manager)
and write buffer overflow.
CVE-2025-27835
---
psi/zbfont.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/psi/zbfont.c b/psi/zbfont.c
index acffb39ef..5850ab54d 100644
--- a/psi/zbfont.c
+++ b/psi/zbfont.c
@@ -253,7 +253,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u
if (l > length)
return l;
- memcpy(unicode_return, v->value.const_bytes, l * sizeof(short));
+ memcpy(unicode_return, v->value.const_bytes, l);
return l;
}
if (r_type(v) == t_integer) {
--
cgit v1.2.3

60
backport-CVE-2025-27836.patch Normal file
View File

@ -0,0 +1,60 @@
From db77f4c0ce0298625f75059cb6b8c31e61350753 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 13 Jan 2025 09:07:57 +0000
Subject: Bug 708192: Fix potential print buffer overflow
CVE-2025-27836
---
contrib/japanese/gdev10v.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
index 0bd3cec02..9d27573dc 100644
--- a/contrib/japanese/gdev10v.c
+++ b/contrib/japanese/gdev10v.c
@@ -199,17 +199,25 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream)
int bytes_per_column = bits_per_column / 8;
int x_skip_unit = bytes_per_column * (xres / 180);
int y_skip_unit = (yres / 180);
- byte *in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
- /* We need one extra byte in <out> for our sentinel. */
- byte *out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
+ byte *in, *out;
int lnum = 0;
int y_skip = 0;
int code = 0;
int blank_lines = 0;
int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3;
- if ( in == 0 || out == 0 )
- return -1;
+ if (bits_per_column == 0 || line_size > (max_int - 1) / bits_per_column) {
+ code = gs_note_error(gs_error_rangecheck);
+ goto error;
+ }
+
+ in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
+ /* We need one extra byte in <out> for our sentinel. */
+ out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
+ if ( in == NULL || out == NULL ) {
+ code = gs_note_error(gs_error_VMerror);
+ goto error;
+ }
/* Initialize the printer. */
prn_puts(pdev, "\033@");
@@ -320,8 +328,10 @@ notz:
}
/* Eject the page */
-xit: prn_putc(pdev, 014); /* form feed */
+xit:
+ prn_putc(pdev, 014); /* form feed */
prn_flush(pdev);
+error:
gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
return code;
--
cgit v1.2.3

62
ghostscript.spec
View File

@ -9,7 +9,7 @@
Name: ghostscript
Version: 9.56.1
Release: 11
Release: 16
Summary: An interpreter for PostScript and PDF files
License: AGPLv3+
URL: https://ghostscript.com/
@ -67,6 +67,16 @@ Patch117: fix-CVE-2024-33869-second.patch
Patch118: backport-CVE-2024-46953.patch
Patch119: backport-CVE-2024-46956.patch
Patch120: backport-CVE-2024-46951.patch
Patch121: backport-CVE-2024-46952.patch
Patch122: backport-CVE-2024-46955.patch
Patch123: backport-CVE-2025-27830.patch
Patch124: backport-CVE-2025-27831.patch
Patch125: backport-CVE-2025-27832.patch
Patch126: backport-CVE-2025-27833.patch
Patch127: backport-CVE-2025-27834.patch
Patch128: backport-CVE-2025-27835.patch
Patch129: backport-CVE-2025-27836.patch
Patch130: Add-CJK-Chinese-font-mappings.patch
BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -133,28 +143,7 @@ This package provides the utility 'dvipdf' for converting of TeX DVI files into
PDF files using Ghostscript and dvips
%prep
%setup -q -n %{name}-%{version}
%patch0 -p1
%patch101 -p0
%patch102 -p0
%patch103 -p0
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch107 -p1
%patch108 -p1
%patch109 -p1
%patch110 -p1
%patch111 -p1
%patch112 -p1
%patch113 -p1
%patch114 -p1
%patch115 -p1
%patch116 -p1
%patch117 -p1
%patch118 -p1
%patch119 -p1
%patch120 -p1
%autosetup -p1 -n %{name}-%{version}
# Libraries that we already have packaged(see Build Requirements):
rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
@ -248,6 +237,33 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf
%changelog
* Tue Apr 01 2025 Funda Wang <fundawang@yeah.net> - 9.56.1-16
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2025-27831
* Fri Mar 28 2025 hdliu <dev03108@linx-info.com> - 9.56.1-15
- Add font mappings so that the PS interpreter can rasterize Chinese content using the two fonts STKaiti-Regular and STheiti-Regular.
* Thu Mar 27 2025 Funda Wang <fundawang@yeah.net> - 9.56.1-14
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2025-27830, CVE-2025-27832, CVE-2025-27833, CVE-2025-27834, CVE-2025-27835, CVE-2025-27836
* Fri Nov 08 2024 liningjie <liningjie@xfusion.com> - 9.56.1-13
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2024-46955
* Tue Nov 05 2024 liningjie <liningjie@xfusion.com> - 9.56.1-12
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2024-46952
* Fri Nov 01 2024 liningjie <liningjie@xfusion.com> - 9.56.1-11
- Type:CVE
- ID:NA