mirror of
https://git.yoctoproject.org/poky
synced 2026-03-04 14:29:40 +01:00
5970acb3fe
The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file. The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file that is mishandled in the PDF Transparency module. The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8 http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 (From OE-Core rev: 6679a4d4379f6f18554ed0042546cce94d5d0b19) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
50 lines
1.6 KiB
Diff
50 lines
1.6 KiB
Diff
From 4bef1a1d32e29b68855616020dbff574b9cda08f Mon Sep 17 00:00:00 2001
|
|
From: Robin Watts <Robin.Watts@artifex.com>
|
|
Date: Thu, 29 Dec 2016 15:57:43 +0000
|
|
Subject: [PATCH] Bug 697453: Avoid divide by 0 in scan conversion code.
|
|
|
|
Arithmetic overflow due to extreme values in the scan conversion
|
|
code can cause a division by 0.
|
|
|
|
Avoid this with a simple extra check.
|
|
|
|
dx_old=cf814d81
|
|
endp->x_next=b0e859b9
|
|
alp->x_next=8069a73a
|
|
|
|
leads to dx_den = 0
|
|
|
|
Upstream-Status: Backport
|
|
CVE: CVE-2016-10219
|
|
|
|
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
|
|
---
|
|
base/gxfill.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/base/gxfill.c b/base/gxfill.c
|
|
index 99196c0..2f81bb0 100644
|
|
--- a/base/gxfill.c
|
|
+++ b/base/gxfill.c
|
|
@@ -1741,7 +1741,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
|
|
fixed dx_old = alp->x_current - endp->x_current;
|
|
fixed dx_den = dx_old + endp->x_next - alp->x_next;
|
|
|
|
- if (dx_den <= dx_old)
|
|
+ if (dx_den <= dx_old || dx_den == 0)
|
|
return false; /* Intersection isn't possible. */
|
|
dy = y1 - y;
|
|
if_debug3('F', "[F]cross: dy=%g, dx_old=%g, dx_new=%g\n",
|
|
@@ -1750,7 +1750,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
|
|
/* Do the computation in single precision */
|
|
/* if the values are small enough. */
|
|
y_new =
|
|
- ((dy | dx_old) < 1L << (size_of(fixed) * 4 - 1) ?
|
|
+ (((ufixed)(dy | dx_old)) < (1L << (size_of(fixed) * 4 - 1)) ?
|
|
dy * dx_old / dx_den :
|
|
(INCR_EXPR(mq_cross), fixed_mult_quo(dy, dx_old, dx_den)))
|
|
+ y;
|
|
--
|
|
2.10.2
|
|
|