rpms/ghostscript
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Added fix for vulnerability CVE-2021-45949

Browse Source 
Resolves: rhbz#2049767
This commit is contained in:
Richard Lescak 2022-02-23 10:12:30 +01:00
parent 6ff8c068c8
commit 4239d4ea14
2 changed files with 72 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch Normal file
View File

@ -0,0 +1,64 @@
From 2a3129365d3bc0d4a41f107ef175920d1505d1f7 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 1 Jun 2021 19:57:16 +0100
Subject: [PATCH] Bug 703902: Fix op stack management in
sampled_data_continue()
Replace pop() (which does no checking, and doesn't handle stack extension
blocks) with ref_stack_pop() which does do all that.
We still use pop() in one case (it's faster), but we have to later use
ref_stack_pop() before calling sampled_data_sample() which also accesses the
op stack.
Fixes:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
---
psi/zfsample.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/psi/zfsample.c b/psi/zfsample.c
index 0e8e4bc8d..00cd0cfdd 100644
--- a/psi/zfsample.c
+++ b/psi/zfsample.c
@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
for (j = 0; j < bps; j++)
data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
}
- pop(num_out); /* Move op to base of result values */
- /* Check if we are done collecting data. */
+ pop(num_out); /* Move op to base of result values */
+ /* From here on, we have to use ref_stack_pop() rather than pop()
+ so that it handles stack extension blocks properly, before calling
+ sampled_data_sample() which also uses the op stack.
+ */
+ /* Check if we are done collecting data. */
if (increment_cube_indexes(params, penum->indexes)) {
if (stack_depth_adjust == 0)
- pop(O_STACK_PAD); /* Remove spare stack space */
+ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
else
- pop(stack_depth_adjust - num_out);
+ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
/* Execute the closing procedure, if given */
code = 0;
if (esp_finish_proc != 0)
@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
if ((O_STACK_PAD - stack_depth_adjust) < 0) {
stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
check_op(stack_depth_adjust);
- pop(stack_depth_adjust);
+ ref_stack_pop(&o_stack, stack_depth_adjust);
}
else {
check_ostack(O_STACK_PAD - stack_depth_adjust);
- push(O_STACK_PAD - stack_depth_adjust);
+ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
make_null(op - i);
}
--
2.35.1

10
ghostscript.spec
View File

@ -42,7 +42,7 @@
Name: ghostscript
Summary: Interpreter for PostScript language & PDF
Version: 9.54.0
Release: 5%{?dist}
Release: 6%{?dist}
License: AGPLv3+
@ -102,7 +102,10 @@ BuildRequires: make
#Patch000: example000.patch
Patch001: ghostscript-9.54.0-gdevtxtw-null-also-pointers.patch
Patch002: ghostscript-9.54.0-include-pipe-handle-in-validation.patch
#2032789 - coverity warnings fixes
Patch003: ghostscript-9.54.0-covscan-fixes.patch
#2049767 - CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
# Downstream patches -- these should be always included when doing rebase:
# ------------------
@ -436,7 +439,10 @@ done
# =============================================================================
%changelog
* Mon Feb 21 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-5
* Tue Feb 22 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-6
- Added fix for vulnerability CVE-2021-45949 (#2049767)
* Mon Feb 21 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-5
- Added coverity fixes (#2032789)
* Thu Sep 16 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-4