mirror of
https://git.yoctoproject.org/poky
synced 2026-02-28 12:29:40 +01:00
5970acb3fe
The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file. The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file that is mishandled in the PDF Transparency module. The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8 http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 (From OE-Core rev: 6679a4d4379f6f18554ed0042546cce94d5d0b19) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
56 lines
2.4 KiB
Diff
56 lines
2.4 KiB
Diff
From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001
|
|
From: Ken Sharp <ken.sharp@artifex.com>
|
|
Date: Wed, 21 Dec 2016 16:54:14 +0000
|
|
Subject: [PATCH] fix crash with bad data supplied to makeimagedevice
|
|
|
|
Bug #697450 "Null pointer dereference in gx_device_finalize()"
|
|
|
|
The problem here is that the code to finalise a device unconditionally
|
|
frees the icc_struct member of the device structure. However this
|
|
particular (weird) device is not setup as a normal device, probably
|
|
because its very, very ancient. Its possible for the initialisation
|
|
of the device to abort with an error before calling gs_make_mem_device()
|
|
which is where the icc_struct member gets allocated (or set to NULL).
|
|
|
|
If that happens, then the cleanup code tries to free the device, which
|
|
calls finalize() which tries to free a garbage pointer.
|
|
|
|
Setting the device memory to 0x00 after we allocate it means that the
|
|
icc_struct member will be NULL< and our memory manager allows for that
|
|
happily enough, which avoids the problem.
|
|
|
|
Upstream-Status: Backport
|
|
CVE: CVE-2016-10220
|
|
|
|
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
|
|
---
|
|
base/gsdevmem.c | 12 ++++++++++++
|
|
1 file changed, 12 insertions(+)
|
|
|
|
diff --git a/base/gsdevmem.c b/base/gsdevmem.c
|
|
index 97b9cf4..fe75bcc 100644
|
|
--- a/base/gsdevmem.c
|
|
+++ b/base/gsdevmem.c
|
|
@@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat,
|
|
|
|
if (pnew == 0)
|
|
return_error(gs_error_VMerror);
|
|
+
|
|
+ /* Bug #697450 "Null pointer dereference in gx_device_finalize()"
|
|
+ * If we have incorrect data passed to gs_initialise_wordimagedevice() then the
|
|
+ * initialisation will fail, crucially it will fail *before* it calls
|
|
+ * gs_make_mem_device() which initialises the device. This means that the
|
|
+ * icc_struct member will be uninitialsed, but the device finalise method
|
|
+ * will unconditionally free that memory. Since its a garbage pointer, bad things happen.
|
|
+ * Apparently we do still need makeimagedevice to be available from
|
|
+ * PostScript, so in here just zero the device memory, which means that
|
|
+ * the finalise routine won't have a problem.
|
|
+ */
|
|
+ memset(pnew, 0x00, st_device_memory.ssize);
|
|
code = gs_initialize_wordimagedevice(pnew, pmat, width, height,
|
|
colors, num_colors, word_oriented,
|
|
page_device, mem);
|
|
--
|
|
2.10.2
|
|
|