RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
Resolves: RHEL-46112
parent
e4a4fdf933
commit
0b6d25ee22
@ -0,0 +1,76 @@
|
|||||||
|
diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
|
||||||
|
index 5f82b7f..6819cb7 100644
|
||||||
|
--- a/pdf/pdf_font.c
|
||||||
|
+++ b/pdf/pdf_font.c
|
||||||
|
@@ -297,22 +297,55 @@ pdfi_open_CIDFont_substitute_file(pdf_context *ctx, pdf_dict *font_dict, pdf_dic
|
||||||
|
memcpy(fontfname, fsprefix, fsprefixlen);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
- memcpy(fontfname, ctx->args.cidfsubstpath.data, ctx->args.cidfsubstpath.size);
|
||||||
|
- fsprefixlen = ctx->args.cidfsubstpath.size;
|
||||||
|
+ if (ctx->args.cidfsubstpath.size + 1 > gp_file_name_sizeof) {
|
||||||
|
+ code = gs_note_error(gs_error_rangecheck);
|
||||||
|
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSubstPath parameter too long");
|
||||||
|
+ if (ctx->args.pdfstoponwarning != 0) {
|
||||||
|
+ goto exit;
|
||||||
|
+ }
|
||||||
|
+ code = 0;
|
||||||
|
+ memcpy(fontfname, fsprefix, fsprefixlen);
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ memcpy(fontfname, ctx->args.cidfsubstpath.data, ctx->args.cidfsubstpath.size);
|
||||||
|
+ fsprefixlen = ctx->args.cidfsubstpath.size;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ctx->args.cidfsubstfont.data == NULL) {
|
||||||
|
int len = 0;
|
||||||
|
- if (gp_getenv("CIDFSUBSTFONT", (char *)0, &len) < 0 && len + fsprefixlen + 1 < gp_file_name_sizeof) {
|
||||||
|
- (void)gp_getenv("CIDFSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
|
||||||
|
+ if (gp_getenv("CIDFSUBSTFONT", (char *)0, &len) < 0) {
|
||||||
|
+ if (len + fsprefixlen + 1 > gp_file_name_sizeof) {
|
||||||
|
+ code = gs_note_error(gs_error_rangecheck);
|
||||||
|
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSUBSTFONT environment variable too long");
|
||||||
|
+ if (ctx->args.pdfstoponwarning != 0) {
|
||||||
|
+ goto exit;
|
||||||
|
+ }
|
||||||
|
+ code = 0;
|
||||||
|
+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ (void)gp_getenv("CIDFSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
- memcpy(fontfname, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size);
|
||||||
|
- defcidfallacklen = ctx->args.cidfsubstfont.size;
|
||||||
|
+ if (ctx->args.cidfsubstfont.size > gp_file_name_sizeof - 1) {
|
||||||
|
+ code = gs_note_error(gs_error_rangecheck);
|
||||||
|
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSubstFont parameter too long");
|
||||||
|
+ if (ctx->args.pdfstoponwarning != 0) {
|
||||||
|
+ goto exit;
|
||||||
|
+ }
|
||||||
|
+ code = 0;
|
||||||
|
+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ memcpy(fontfname, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size);
|
||||||
|
+ defcidfallacklen = ctx->args.cidfsubstfont.size;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
fontfname[fsprefixlen + defcidfallacklen] = '\0';
|
||||||
|
|
||||||
|
diff --git a/pdf/pdf_warnings.h b/pdf/pdf_warnings.h
|
||||||
|
index 6402d8f..d1e0019 100644
|
||||||
|
--- a/pdf/pdf_warnings.h
|
||||||
|
+++ b/pdf/pdf_warnings.h
|
||||||
|
@@ -97,4 +97,5 @@ PARAM(W_PDF_MISMATCH_GENERATION, "The generation number of an indirectly refe
|
||||||
|
PARAM(W_PDF_BAD_RENDERINGINTENT, "A ri or /RI used an unknown named rendering intent"),
|
||||||
|
PARAM(W_PDF_BAD_VIEW, "Couldn't read the initial document view"),
|
||||||
|
PARAM(W_PDF_BAD_WMODE, "A Font or CMap has a WMode which is neither 0 (horizontal) nor 1 (vertical)"),
|
||||||
|
+PARAM(W_PDF_BAD_CONFIG, "A configuration or command line parameter was invalid or incorrect."),
|
||||||
|
#undef PARAM
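Review bot: The CIDFSubstFont check `ctx->args.cidfsubstfont.size > gp_file_name_sizeof - 1` in the pdf/pdf_font.c hunk ignores `fsprefixlen`, yet the closing `fontfname[fsprefixlen + defcidfallacklen] = '\0';` indexes with the sum, so a parameter that passes the check can still place the terminator past the end of the buffer (assuming `fontfname` holds `gp_file_name_sizeof` bytes; its declaration and the rest of the function are outside the hunk). The accepted branch also copies to `fontfname` rather than `fontfname + fsprefixlen`, which does not match that terminator index. I would bound the sum, as the CIDFSUBSTFONT environment branch already does, with `if (ctx->args.cidfsubstfont.size + fsprefixlen + 1 > gp_file_name_sizeof) {`, and copy with `memcpy(fontfname + fsprefixlen, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size);` if appending to the prefix is the intent. The same gap affects the three fallback copies of `defcidfallack` to `fontfname + fsprefixlen`: the CIDFSubstPath check accepts a prefix of up to `gp_file_name_sizeof - 1` bytes, which leaves no room for the default font name.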
|
@ -121,6 +121,8 @@ Patch: 0001-Bug-707686.patch
|
|||||||
Patch: 0001-Bug-707510-don-t-use-strlen-on-passwords.patch
|
Patch: 0001-Bug-707510-don-t-use-strlen-on-passwords.patch
|
||||||
# RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
|
# RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
|
||||||
Patch: 0001-Bug-707510-review-printing-of-pointers.patch
|
Patch: 0001-Bug-707510-review-printing-of-pointers.patch
|
||||||
|
# RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
|
||||||
|
Patch: 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
|
||||||
|
|
||||||
# Downstream patches -- these should be always included when doing rebase:
|
# Downstream patches -- these should be always included when doing rebase:
|
||||||
# ------------------
|
# ------------------
|
||||||
@ -440,6 +442,7 @@ done
|
|||||||
* Tue Jul 16 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
|
* Tue Jul 16 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
|
||||||
- RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
|
- RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
|
||||||
- RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
|
- RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
|
||||||
|
- RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
|
||||||
|
|
||||||
* Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
|
* Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
|
||||||
- RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
|
- RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
|
||||||
|