From 36ac25fca7ba65a2a24d96d553e8dd63990210b9 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra
Date: Wed, 20 Nov 2024 11:42:31 +0000
Subject: Bug 708133: Avoid integer overflow leading to buffer overflow
The calculation of the buffer size was being done with int values, and overflowing that data type. By leaving the total size calculation to the memory manager, the calculation ends up being done in size_t values, and avoiding the overflow in this case, but also meaning the memory manager overflow protection will be effective.
CVE-2025-27832
---
 contrib/japanese/gdevnpdl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
index 60065bacf..4967282bd 100644
--- a/contrib/japanese/gdevnpdl.c
+++ b/contrib/japanese/gdevnpdl.c
@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
 int code;
 int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
+ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
 return_error(gs_error_VMerror);
 /* Initialize printer */
@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
 /* Form Feed */
 gp_fputs("\014", prn_stream);
- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
+ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
 return 0;
 }
-- 
cgit v1.2.3
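Review bot: Nothing in the first hunk rejects a zero or negative `line_size` or `maxY` before they are handed to `gs_malloc` as element count and element size. `maxY` is a plain `int` computed as `lprn->BlockLine / lprn->nBh * lprn->nBh`, so it is 0 whenever BlockLine is smaller than nBh, and the division presumes nBh is non-zero. A negative value would presumably be converted to an unsigned type inside the allocator rather than refused here, so I would add `if (line_size <= 0 || maxY <= 0) return_error(gs_error_rangecheck);` ahead of the allocation, unless these fields are already validated where the device parameters are set (not visible in the hunk). The body of npdl_print_page_copies continues outside the hunk, and any remaining `line_size * maxY` style arithmetic there is still done in int and deserves the same look.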
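Review bot: After the `gs_free` call in the second hunk, `lprn->CompBuf` still holds the freed address in the device structure. Adding `lprn->CompBuf = NULL;` immediately after the call would stop a later page or a cleanup path from using or freeing the stale pointer. The hunk shows only the success path at the end of npdl_print_page_copies, so it is also worth confirming that the error returns between the allocation and this point, which lie outside the hunk, release the buffer with the same `line_size, maxY` pair.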