Added fix for vulnerability CVE-2021-45949
Resolves: rhbz#2049767
This commit is contained in:
Richard Lescak
parent
6ff8c068c8
commit
4239d4ea14
@ -0,0 +1,64 @@
|
|||||||
|
From 2a3129365d3bc0d4a41f107ef175920d1505d1f7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Chris Liddell <chris.liddell@artifex.com>
|
||||||
|
Date: Tue, 1 Jun 2021 19:57:16 +0100
|
||||||
|
Subject: [PATCH] Bug 703902: Fix op stack management in
|
||||||
|
sampled_data_continue()
|
||||||
|
|
||||||
|
Replace pop() (which does no checking, and doesn't handle stack extension
|
||||||
|
blocks) with ref_stack_pop() which does do all that.
|
||||||
|
|
||||||
|
We still use pop() in one case (it's faster), but we have to later use
|
||||||
|
ref_stack_pop() before calling sampled_data_sample() which also accesses the
|
||||||
|
op stack.
|
||||||
|
|
||||||
|
Fixes:
|
||||||
|
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
|
||||||
|
---
|
||||||
|
psi/zfsample.c | 16 ++++++++++------
|
||||||
|
1 file changed, 10 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/psi/zfsample.c b/psi/zfsample.c
|
||||||
|
index 0e8e4bc8d..00cd0cfdd 100644
|
||||||
|
--- a/psi/zfsample.c
|
||||||
|
+++ b/psi/zfsample.c
|
||||||
|
@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
|
||||||
|
for (j = 0; j < bps; j++)
|
||||||
|
data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
|
||||||
|
}
|
||||||
|
- pop(num_out); /* Move op to base of result values */
|
||||||
|
|
||||||
|
- /* Check if we are done collecting data. */
|
||||||
|
+ pop(num_out); /* Move op to base of result values */
|
||||||
|
|
||||||
|
+ /* From here on, we have to use ref_stack_pop() rather than pop()
|
||||||
|
+ so that it handles stack extension blocks properly, before calling
|
||||||
|
+ sampled_data_sample() which also uses the op stack.
|
||||||
|
+ */
|
||||||
|
+ /* Check if we are done collecting data. */
|
||||||
|
if (increment_cube_indexes(params, penum->indexes)) {
|
||||||
|
if (stack_depth_adjust == 0)
|
||||||
|
- pop(O_STACK_PAD); /* Remove spare stack space */
|
||||||
|
+ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
|
||||||
|
else
|
||||||
|
- pop(stack_depth_adjust - num_out);
|
||||||
|
+ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
|
||||||
|
/* Execute the closing procedure, if given */
|
||||||
|
code = 0;
|
||||||
|
if (esp_finish_proc != 0)
|
||||||
|
@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
|
||||||
|
if ((O_STACK_PAD - stack_depth_adjust) < 0) {
|
||||||
|
stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
|
||||||
|
check_op(stack_depth_adjust);
|
||||||
|
- pop(stack_depth_adjust);
|
||||||
|
+ ref_stack_pop(&o_stack, stack_depth_adjust);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
check_ostack(O_STACK_PAD - stack_depth_adjust);
|
||||||
|
- push(O_STACK_PAD - stack_depth_adjust);
|
||||||
|
+ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
|
||||||
|
for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
|
||||||
|
make_null(op - i);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
@ -42,7 +42,7 @@
|
|||||||
Name: ghostscript
|
Name: ghostscript
|
||||||
Summary: Interpreter for PostScript language & PDF
|
Summary: Interpreter for PostScript language & PDF
|
||||||
Version: 9.54.0
|
Version: 9.54.0
|
||||||
Release: 5%{?dist}
|
Release: 6%{?dist}
|
||||||
|
|
||||||
License: AGPLv3+
|
License: AGPLv3+
|
||||||
|
|
||||||
@ -102,7 +102,10 @@ BuildRequires: make
|
|||||||
#Patch000: example000.patch
|
#Patch000: example000.patch
|
||||||
Patch001: ghostscript-9.54.0-gdevtxtw-null-also-pointers.patch
|
Patch001: ghostscript-9.54.0-gdevtxtw-null-also-pointers.patch
|
||||||
Patch002: ghostscript-9.54.0-include-pipe-handle-in-validation.patch
|
Patch002: ghostscript-9.54.0-include-pipe-handle-in-validation.patch
|
||||||
|
#2032789 - coverity warnings fixes
|
||||||
Patch003: ghostscript-9.54.0-covscan-fixes.patch
|
Patch003: ghostscript-9.54.0-covscan-fixes.patch
|
||||||
|
#2049767 - CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
|
||||||
|
Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
|
||||||
|
|
||||||
# Downstream patches -- these should be always included when doing rebase:
|
# Downstream patches -- these should be always included when doing rebase:
|
||||||
# ------------------
|
# ------------------
|
||||||
@ -436,7 +439,10 @@ done
|
|||||||
# =============================================================================
|
# =============================================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Feb 21 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-5
|
* Tue Feb 22 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-6
|
||||||
|
- Added fix for vulnerability CVE-2021-45949 (#2049767)
|
||||||
|
|
||||||
|
* Mon Feb 21 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-5
|
||||||
- Added coverity fixes (#2032789)
|
- Added coverity fixes (#2032789)
|
||||||
|
|
||||||
* Thu Sep 16 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-4
|
* Thu Sep 16 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-4
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user