Added security patch for CVE-2016-10219

Resolves: #1441569
This commit is contained in:
David Kaspar [Dee'Kej] 2017-04-27 18:20:26 +02:00
parent c929cf8ecd
commit 007868af59
2 changed files with 49 additions and 0 deletions

View File

@ -0,0 +1,44 @@
From 4bef1a1d32e29b68855616020dbff574b9cda08f Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Thu, 29 Dec 2016 15:57:43 +0000
Subject: [PATCH] Bug 697453: Avoid divide by 0 in scan conversion code.
Arithmetic overflow due to extreme values in the scan conversion
code can cause a division by 0.
Avoid this with a simple extra check.
dx_old=cf814d81
endp->x_next=b0e859b9
alp->x_next=8069a73a
leads to dx_den = 0
---
base/gxfill.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/base/gxfill.c b/base/gxfill.c
index 99196c0..2f81bb0 100644
--- a/base/gxfill.c
+++ b/base/gxfill.c
@@ -1741,7 +1741,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
fixed dx_old = alp->x_current - endp->x_current;
fixed dx_den = dx_old + endp->x_next - alp->x_next;
- if (dx_den <= dx_old)
+ if (dx_den <= dx_old || dx_den == 0)
return false; /* Intersection isn't possible. */
dy = y1 - y;
if_debug3('F', "[F]cross: dy=%g, dx_old=%g, dx_new=%g\n",
@@ -1750,7 +1750,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
/* Do the computation in single precision */
/* if the values are small enough. */
y_new =
- ((dy | dx_old) < 1L << (size_of(fixed) * 4 - 1) ?
+ (((ufixed)(dy | dx_old)) < (1L << (size_of(fixed) * 4 - 1)) ?
dy * dx_old / dx_den :
(INCR_EXPR(mq_cross), fixed_mult_quo(dy, dx_old, dx_den)))
+ y;
--
2.9.3

View File

@ -33,6 +33,7 @@ Patch12: ghostscript-9.20-cve-2016-9601.patch
Patch13: ghostscript-9.20-cve-2017-7207.patch
Patch14: ghostscript-9.20-cve-2016-10217.patch
Patch15: ghostscript-9.20-cve-2016-10218.patch
Patch16: ghostscript-9.20-cve-2016-10219.patch
Requires: %{name}-core%{?_isa} = %{version}-%{release}
Requires: %{name}-x11%{?_isa} = %{version}-%{release}
@ -167,6 +168,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib
# CVE-2016-10218 (bug #1441568):
%patch15 -p1
# CVE-2016-10219 (bug #1441569):
%patch16 -p1
# Convert manual pages to UTF-8
from8859_1() {
iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@ -367,6 +371,7 @@ rm -rf $RPM_BUILD_ROOT
- Added security fixes for:
- CVE-2016-10217 (bug #1441564)
- CVE-2016-10218 (bug #1441568)
- CVE-2016-10219 (bug #1441569)
* Thu Apr 06 2017 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.20-8
Added security fix for CVE-2017-7207 (bug #1434497)