RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()
Resolves: RHEL-46076
This commit is contained in:
Zdenek Dohnal
parent
0b6d25ee22
commit
2960ec7887
@ -0,0 +1,46 @@
|
||||
From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001
|
||||
From: Ken Sharp <Ken.Sharp@artifex.com>
|
||||
Date: Thu, 25 Jan 2024 11:55:49 +0000
|
||||
Subject: [PATCH] Bug 707510 - don't allow PDF files with bad Filters to
|
||||
overflow the debug buffer
|
||||
|
||||
Item #2 of the report.
|
||||
|
||||
Allocate a buffer to hold the filter name, instead of assuming it will
|
||||
fit in a fixed buffer.
|
||||
|
||||
Reviewed all the other PDFDEBUG cases, no others use a fixed buffer like
|
||||
this.
|
||||
---
|
||||
pdf/pdf_file.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/pdf/pdf_file.c b/pdf/pdf_file.c
|
||||
index 6680ae2db..4b04e3582 100644
|
||||
--- a/pdf/pdf_file.c
|
||||
+++ b/pdf/pdf_file.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* Copyright (C) 2018-2023 Artifex Software, Inc.
|
||||
+/* Copyright (C) 2018-2024 Artifex Software, Inc.
|
||||
All Rights Reserved.
|
||||
|
||||
This software is provided AS-IS with no warranty, either express or
|
||||
@@ -777,10 +777,14 @@ static int pdfi_apply_filter(pdf_context *ctx, pdf_dict *dict, pdf_name *n, pdf_
|
||||
|
||||
if (ctx->args.pdfdebug)
|
||||
{
|
||||
- char str[100];
|
||||
+ char *str;
|
||||
+ str = gs_alloc_bytes(ctx->memory, n->length + 1, "temp string for debug");
|
||||
+ if (str == NULL)
|
||||
+ return_error(gs_error_VMerror);
|
||||
memcpy(str, (const char *)n->data, n->length);
|
||||
str[n->length] = '\0';
|
||||
dmprintf1(ctx->memory, "FILTER NAME:%s\n", str);
|
||||
+ gs_free_object(ctx->memory, str, "temp string for debug");
|
||||
}
|
||||
|
||||
if (pdfi_name_is(n, "RunLengthDecode")) {
|
||||
--
|
||||
2.45.2
|
||||
|
||||
@ -123,6 +123,8 @@ Patch: 0001-Bug-707510-don-t-use-strlen-on-passwords.patch
|
||||
Patch: 0001-Bug-707510-review-printing-of-pointers.patch
|
||||
# RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
|
||||
Patch: 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
|
||||
# RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()
|
||||
Patch: 0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
|
||||
|
||||
# Downstream patches -- these should be always included when doing rebase:
|
||||
# ------------------
|
||||
@ -443,6 +445,7 @@ done
|
||||
- RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
|
||||
- RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
|
||||
- RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
|
||||
- RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()
|
||||
|
||||
* Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
|
||||
- RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
|
||||
|
||||
Loading…
Reference in New Issue
Block a user