mirror of
https://git.yoctoproject.org/poky
synced 2026-02-28 20:39:39 +01:00
5970acb3fe
The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file. The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file that is mishandled in the PDF Transparency module. The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8 http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 (From OE-Core rev: 6679a4d4379f6f18554ed0042546cce94d5d0b19) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
45 lines
1.7 KiB
Diff
45 lines
1.7 KiB
Diff
From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001
|
|
From: Chris Liddell <chris.liddell@artifex.com>
|
|
Date: Thu, 6 Apr 2017 16:44:54 +0100
|
|
Subject: [PATCH] Bug 697548: use the correct param list enumerator
|
|
|
|
When we encountered dictionary in a ref_param_list, we were using the enumerator
|
|
for the "parent" param_list, rather than the enumerator for the param_list
|
|
we just created for the dictionary. That parent was usually the stack
|
|
list enumerator, and caused a segfault.
|
|
|
|
Using the correct enumerator works better.
|
|
|
|
Upstream-Status: Backport
|
|
CVE: CVE-2017-5951
|
|
|
|
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
|
|
---
|
|
psi/iparam.c | 7 ++++---
|
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/psi/iparam.c b/psi/iparam.c
|
|
index 4e63b6d..b2fa85f 100644
|
|
--- a/psi/iparam.c
|
|
+++ b/psi/iparam.c
|
|
@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
|
|
gs_param_enumerator_t enumr;
|
|
gs_param_key_t key;
|
|
ref_type keytype;
|
|
+ dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
|
|
|
|
param_init_enumerator(&enumr);
|
|
- if (!(*((iparam_list *) plist)->enumerate)
|
|
- ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
|
|
+ if (!(*(dlist->enumerate))
|
|
+ ((iparam_list *) dlist, &enumr, &key, &keytype)
|
|
&& keytype == t_integer) {
|
|
- ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
|
|
+ dlist->int_keys = 1;
|
|
pvalue->type = gs_param_type_dict_int_keys;
|
|
}
|
|
}
|
|
--
|
|
2.10.2
|
|
|