mirror of
https://git.yoctoproject.org/poky
synced 2026-03-19 13:49:41 +01:00
ghostscript: fix CVE-2020-15900
(From OE-Core rev: d70012e8971a4762ea402c3c843938640b9ab9fc) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Lee Chee Yang
committed by
Richard Purdie
Richard Purdie
parent
ddd3e25679
commit
6ec51d096e
@@ -0,0 +1,54 @@
|
||||
From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001
|
||||
From: Ray Johnston <ray.johnston@artifex.com>
|
||||
Date: Wed, 22 Jul 2020 09:57:54 -0700
|
||||
Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript
|
||||
9.52
|
||||
|
||||
Fix the 'rsearch' calculation for the 'post' size to give the correct
|
||||
size. Previous calculation would result in a size that was too large,
|
||||
and could underflow to max uint32_t. Also fix 'rsearch' to return the
|
||||
correct 'pre' string with empty string match.
|
||||
|
||||
A future change may 'undefine' this undocumented, non-standard operator
|
||||
during initialization as we do with the many other non-standard internal
|
||||
PostScript operators and procedures.
|
||||
|
||||
Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b]
|
||||
CVE: CVE-2020-15900
|
||||
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
|
||||
---
|
||||
psi/zstring.c | 17 +++++++++++------
|
||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/psi/zstring.c b/psi/zstring.c
|
||||
index 33662dafa..58e1af2b3 100644
|
||||
--- a/psi/zstring.c
|
||||
+++ b/psi/zstring.c
|
||||
@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
|
||||
return 0;
|
||||
found:
|
||||
op->tas.type_attrs = op1->tas.type_attrs;
|
||||
- op->value.bytes = ptr;
|
||||
- r_set_size(op, size);
|
||||
+ op->value.bytes = ptr; /* match */
|
||||
+ op->tas.rsize = size; /* match */
|
||||
push(2);
|
||||
- op[-1] = *op1;
|
||||
- r_set_size(op - 1, ptr - op[-1].value.bytes);
|
||||
- op1->value.bytes = ptr + size;
|
||||
- r_set_size(op1, count + (!forward ? (size - 1) : 0));
|
||||
+ op[-1] = *op1; /* pre */
|
||||
+ op[-3].value.bytes = ptr + size; /* post */
|
||||
+ if (forward) {
|
||||
+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
|
||||
+ op[-3].tas.rsize = count; /* post */
|
||||
+ } else {
|
||||
+ op[-1].tas.rsize = count; /* pre */
|
||||
+ op[-3].tas.rsize -= count + size; /* post */
|
||||
+ }
|
||||
make_true(op);
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.17.1
|
||||
|
||||
@@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
|
||||
SRC_URI = "${SRC_URI_BASE} \
|
||||
file://ghostscript-9.21-prevent_recompiling.patch \
|
||||
file://cups-no-gcrypt.patch \
|
||||
file://CVE-2020-15900.patch \
|
||||
"
|
||||
|
||||
SRC_URI_class-native = "${SRC_URI_BASE} \
|
||||
|
||||
Reference in New Issue
Block a user