From db77f4c0ce0298625f75059cb6b8c31e61350753 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra
Date: Mon, 13 Jan 2025 09:07:57 +0000
Subject: Bug 708192: Fix potential print buffer overflow CVE-2025-27836
---
 contrib/japanese/gdev10v.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
index 0bd3cec02..9d27573dc 100644
--- a/contrib/japanese/gdev10v.c
+++ b/contrib/japanese/gdev10v.c
@@ -199,17 +199,25 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream)
 int bytes_per_column = bits_per_column / 8;
 int x_skip_unit = bytes_per_column * (xres / 180);
 int y_skip_unit = (yres / 180);
- byte *in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
- /* We need one extra byte in for our sentinel. */
- byte *out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
+ byte *in, *out;
 int lnum = 0;
 int y_skip = 0;
 int code = 0;
 int blank_lines = 0;
 int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3;
- if ( in == 0 || out == 0 )
- return -1;
+ if (bits_per_column == 0 || line_size > (max_int - 1) / bits_per_column) {
+ code = gs_note_error(gs_error_rangecheck);
+ goto error;
+ }
+
+ in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
+ /* We need one extra byte in for our sentinel. */
+ out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
+ if ( in == NULL || out == NULL ) {
+ code = gs_note_error(gs_error_VMerror);
+ goto error;
+ }
 /* Initialize the printer. */
 prn_puts(pdev, "\033@");
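Review bot: `byte *in, *out;` is declared without initializers, yet the range-check branch does `goto error` before either pointer is assigned, and the `error:` label added in the second hunk passes both to `gs_free`. That path reads indeterminate pointers and hands them to the allocator, so the overflow guard introduces a new memory-safety problem on exactly the inputs it is meant to reject. Declaring them as `byte *in = NULL, *out = NULL;` fixes it, assuming `gs_free` accepts NULL (the partial-allocation path already relies on that). The guard also only bounds `bits_per_column * line_size + 1`; the `8 * line_size` request for `in` is covered only if `bits_per_column` is at least 8 and `line_size` is non-negative, neither of which is visible here. The function body starts and ends outside this hunk.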
@@ -320,8 +328,10 @@ notz:
 }
 /* Eject the page */
-xit: prn_putc(pdev, 014); /* form feed */
+xit:
+ prn_putc(pdev, 014); /* form feed */
 prn_flush(pdev);
+error:
 gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
 gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
 return code;
--
cgit v1.2.3
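Review bot: The `gs_free` for `out` under the new `error:` label still passes `bits_per_column, line_size`, while the first hunk allocates it as `bits_per_column * line_size + 1, 1`. If the allocator ever uses those size arguments, the sentinel byte is unaccounted for; passing the same pair as the allocation, `bits_per_column * line_size + 1, 1`, keeps the two in step. The label would also benefit from a comment such as `/* setup failures land here: nothing has been sent to the printer, so skip the form feed and flush */`, since both `goto error` sites in the first hunk precede the printer initialisation. The function body starts outside this hunk.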