RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()
Resolves: RHEL-46076
parent
0b6d25ee22
commit
2960ec7887
@ -0,0 +1,46 @@
|
|||||||
|
From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ken Sharp <Ken.Sharp@artifex.com>
|
||||||
|
Date: Thu, 25 Jan 2024 11:55:49 +0000
|
||||||
|
Subject: [PATCH] Bug 707510 - don't allow PDF files with bad Filters to
|
||||||
|
overflow the debug buffer
|
||||||
|
|
||||||
|
Item #2 of the report.
|
||||||
|
|
||||||
|
Allocate a buffer to hold the filter name, instead of assuming it will
|
||||||
|
fit in a fixed buffer.
|
||||||
|
|
||||||
|
Reviewed all the other PDFDEBUG cases, no others use a fixed buffer like
|
||||||
|
this.
|
||||||
|
---
|
||||||
|
pdf/pdf_file.c | 8 ++++++--
|
||||||
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/pdf/pdf_file.c b/pdf/pdf_file.c
|
||||||
|
index 6680ae2db..4b04e3582 100644
|
||||||
|
--- a/pdf/pdf_file.c
|
||||||
|
+++ b/pdf/pdf_file.c
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-/* Copyright (C) 2018-2023 Artifex Software, Inc.
|
||||||
|
+/* Copyright (C) 2018-2024 Artifex Software, Inc.
|
||||||
|
All Rights Reserved.
|
||||||
|
|
||||||
|
This software is provided AS-IS with no warranty, either express or
|
||||||
|
@@ -777,10 +777,14 @@ static int pdfi_apply_filter(pdf_context *ctx, pdf_dict *dict, pdf_name *n, pdf_
|
||||||
|
|
||||||
|
if (ctx->args.pdfdebug)
|
||||||
|
{
|
||||||
|
- char str[100];
|
||||||
|
+ char *str;
|
||||||
|
+ str = gs_alloc_bytes(ctx->memory, n->length + 1, "temp string for debug");
|
||||||
|
+ if (str == NULL)
|
||||||
|
+ return_error(gs_error_VMerror);
|
||||||
|
memcpy(str, (const char *)n->data, n->length);
|
||||||
|
str[n->length] = '\0';
|
||||||
|
dmprintf1(ctx->memory, "FILTER NAME:%s\n", str);
|
||||||
|
+ gs_free_object(ctx->memory, str, "temp string for debug");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (pdfi_name_is(n, "RunLengthDecode")) {
|
||||||
|
--
|
||||||
|
2.45.2
|
||||||
|
|
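Review bot: In the `if (ctx->args.pdfdebug)` block, a failed `gs_alloc_bytes()` now returns `gs_error_VMerror`, so a diagnostic-only print can decide whether the filter is applied at all. Skipping the message on allocation failure would keep debug and non-debug runs behaving the same, for example by replacing the NULL check with `if (str != NULL) {` around the `memcpy`, `dmprintf1` and `gs_free_object` lines. pdfi_apply_filter() starts before and continues after this hunk, so it cannot be confirmed from here whether anything acquired earlier is left unreleased by the early return. The allocation size `n->length + 1` comes from a length read out of the PDF file and the type of that field is not visible here, so a short comment such as `/* name length is file-controlled; buffer is sized from n->length, never a fixed array */` plus a note on the upper bound enforced on name lengths would document why the addition cannot wrap.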
@ -123,6 +123,8 @@ Patch: 0001-Bug-707510-don-t-use-strlen-on-passwords.patch
|
|||||||
Patch: 0001-Bug-707510-review-printing-of-pointers.patch
|
Patch: 0001-Bug-707510-review-printing-of-pointers.patch
|
||||||
# RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
|
# RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
|
||||||
Patch: 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
|
Patch: 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
|
||||||
|
# RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()
|
||||||
|
Patch: 0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
|
||||||
|
|
||||||
# Downstream patches -- these should be always included when doing rebase:
|
# Downstream patches -- these should be always included when doing rebase:
|
||||||
# ------------------
|
# ------------------
|
||||||
@ -443,6 +445,7 @@ done
|
|||||||
- RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
|
- RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
|
||||||
- RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
|
- RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
|
||||||
- RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
|
- RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
|
||||||
|
- RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()
|
||||||
|
|
||||||
* Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
|
* Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
|
||||||
- RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
|
- RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
|
||||||
|