RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
Resolves: RHEL-46112
parent
e4a4fdf933
commit
0b6d25ee22
@ -0,0 +1,76 @@
|
||||
diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
|
||||
index 5f82b7f..6819cb7 100644
|
||||
--- a/pdf/pdf_font.c
|
||||
+++ b/pdf/pdf_font.c
|
||||
@@ -297,22 +297,55 @@ pdfi_open_CIDFont_substitute_file(pdf_context *ctx, pdf_dict *font_dict, pdf_dic
|
||||
memcpy(fontfname, fsprefix, fsprefixlen);
|
||||
}
|
||||
else {
|
||||
- memcpy(fontfname, ctx->args.cidfsubstpath.data, ctx->args.cidfsubstpath.size);
|
||||
- fsprefixlen = ctx->args.cidfsubstpath.size;
|
||||
+ if (ctx->args.cidfsubstpath.size + 1 > gp_file_name_sizeof) {
|
||||
+ code = gs_note_error(gs_error_rangecheck);
|
||||
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSubstPath parameter too long");
|
||||
+ if (ctx->args.pdfstoponwarning != 0) {
|
||||
+ goto exit;
|
||||
+ }
|
||||
+ code = 0;
|
||||
+ memcpy(fontfname, fsprefix, fsprefixlen);
|
||||
+ }
|
||||
+ else {
|
||||
+ memcpy(fontfname, ctx->args.cidfsubstpath.data, ctx->args.cidfsubstpath.size);
|
||||
+ fsprefixlen = ctx->args.cidfsubstpath.size;
|
||||
+ }
|
||||
}
|
||||
|
||||
if (ctx->args.cidfsubstfont.data == NULL) {
|
||||
int len = 0;
|
||||
- if (gp_getenv("CIDFSUBSTFONT", (char *)0, &len) < 0 && len + fsprefixlen + 1 < gp_file_name_sizeof) {
|
||||
- (void)gp_getenv("CIDFSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
|
||||
+ if (gp_getenv("CIDFSUBSTFONT", (char *)0, &len) < 0) {
|
||||
+ if (len + fsprefixlen + 1 > gp_file_name_sizeof) {
|
||||
+ code = gs_note_error(gs_error_rangecheck);
|
||||
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSUBSTFONT environment variable too long");
|
||||
+ if (ctx->args.pdfstoponwarning != 0) {
|
||||
+ goto exit;
|
||||
+ }
|
||||
+ code = 0;
|
||||
+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
|
||||
+ }
|
||||
+ else {
|
||||
+ (void)gp_getenv("CIDFSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
|
||||
+ }
|
||||
}
|
||||
else {
|
||||
memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
|
||||
}
|
||||
}
|
||||
else {
|
||||
- memcpy(fontfname, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size);
|
||||
- defcidfallacklen = ctx->args.cidfsubstfont.size;
|
||||
+ if (ctx->args.cidfsubstfont.size > gp_file_name_sizeof - 1) {
|
||||
+ code = gs_note_error(gs_error_rangecheck);
|
||||
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSubstFont parameter too long");
|
||||
+ if (ctx->args.pdfstoponwarning != 0) {
|
||||
+ goto exit;
|
||||
+ }
|
||||
+ code = 0;
|
||||
+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
|
||||
+ }
|
||||
+ else {
|
||||
+ memcpy(fontfname, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size);
|
||||
+ defcidfallacklen = ctx->args.cidfsubstfont.size;
|
||||
+ }
|
||||
}
|
||||
fontfname[fsprefixlen + defcidfallacklen] = '\0';
|
||||
|
||||
diff --git a/pdf/pdf_warnings.h b/pdf/pdf_warnings.h
|
||||
index 6402d8f..d1e0019 100644
|
||||
--- a/pdf/pdf_warnings.h
|
||||
+++ b/pdf/pdf_warnings.h
|
||||
@@ -97,4 +97,5 @@ PARAM(W_PDF_MISMATCH_GENERATION, "The generation number of an indirectly refe
|
||||
PARAM(W_PDF_BAD_RENDERINGINTENT, "A ri or /RI used an unknown named rendering intent"),
|
||||
PARAM(W_PDF_BAD_VIEW, "Couldn't read the initial document view"),
|
||||
PARAM(W_PDF_BAD_WMODE, "A Font or CMap has a WMode which is neither 0 (horizontal) nor 1 (vertical)"),
|
||||
+PARAM(W_PDF_BAD_CONFIG, "A configuration or command line parameter was invalid or incorrect."),
|
||||
#undef PARAM
|
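Review bot: The new guards in the pdf_font.c hunk bound each parameter on its own, but the writes that follow are indexed by the sum `fsprefixlen + defcidfallacklen`. A CIDFSubstPath of up to `gp_file_name_sizeof - 1` bytes passes the first check, after which the default-name `memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen)` and the final `fontfname[fsprefixlen + defcidfallacklen] = '\0'` can still land past the end of the buffer, assuming `fontfname` holds `gp_file_name_sizeof` bytes (its declaration is outside the hunk). The CIDFSubstFont branch has the same gap: it checks only `cidfsubstfont.size` and copies to offset 0, yet the terminator is written at `fsprefixlen + defcidfallacklen`. I would test the combined length in both places, e.g. `if (ctx->args.cidfsubstpath.size + defcidfallacklen + 1 > gp_file_name_sizeof) {` and `if (fsprefixlen + ctx->args.cidfsubstfont.size + 1 > gp_file_name_sizeof) {`. As this is an imported patch, it is worth checking whether a later upstream commit already tightens these bounds.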
@ -121,6 +121,8 @@ Patch: 0001-Bug-707686.patch
|
||||
Patch: 0001-Bug-707510-don-t-use-strlen-on-passwords.patch
|
||||
# RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
|
||||
Patch: 0001-Bug-707510-review-printing-of-pointers.patch
|
||||
# RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
|
||||
Patch: 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
|
||||
|
||||
# Downstream patches -- these should be always included when doing rebase:
|
||||
# ------------------
|
||||
@ -440,6 +442,7 @@ done
|
||||
* Tue Jul 16 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
|
||||
- RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
|
||||
- RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
|
||||
- RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
|
||||
|
||||
* Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
|
||||
- RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
|
||||
|