import CS ghostscript-9.27-11.el8

This commit is contained in:
eabdullin 2023-09-27 12:59:44 +00:00
parent 112b94ac93
commit 902d50fe75
6 changed files with 294 additions and 1 deletions

View File

@ -0,0 +1,44 @@
From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Fri, 24 Mar 2023 13:19:57 +0000
Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
Bug #706494 "Buffer Overflow in s_xBCPE_process"
As described in detail in the bug report, if the write buffer is filled
to one byte less than full, and we then try to write an escaped
character, we overrun the buffer because we don't check before
writing two bytes to it.
This just checks if we have two bytes before starting to write an
escaped character and exits if we don't (replacing the consumed byte
of the input).
Up for further discussion; why do we even permit a BCP encoding filter
anyway ? I think we should remove this, at least when SAFER is true.
---
base/sbcp.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/base/sbcp.c b/base/sbcp.c
index 979ae0992..47fc233ec 100644
--- a/base/sbcp.c
+++ b/base/sbcp.c
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
byte ch = *++p;
if (ch <= 31 && escaped[ch]) {
+ /* Make sure we have space to store two characters in the write buffer,
+ * if we don't then exit without consuming the input character, we'll process
+ * that on the next time round.
+ */
+ if (pw->limit - q < 2) {
+ p--;
+ break;
+ }
if (p == rlimit) {
p--;
break;
--
2.39.2

View File

@ -0,0 +1,27 @@
From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Mon, 17 Jul 2023 14:06:37 +0100
Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from
devices/gdevpcx.c
Bounds check the buffer, before dereferencing the pointer.
---
base/gdevdevn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/base/gdevdevn.c b/base/gdevdevn.c
index 7b14d9c71..6351fb77a 100644
--- a/base/gdevdevn.c
+++ b/base/gdevdevn.c
@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file
byte data = *from;
from += step;
- if (data != *from || from == end) {
+ if (from >= end || data != *from) {
if (data >= 0xc0)
putc(0xc1, file);
} else {
--
2.41.0

View File

@ -0,0 +1,28 @@
From 2793769ff107d8d22dadd30c6e68cd781b569550 Mon Sep 17 00:00:00 2001
From: Julian Smith <jules@op59.net>
Date: Mon, 4 Nov 2019 12:30:33 +0000
Subject: [PATCH] Bug 701819: fixed ordering in if expression to avoid
out-of-bounds access.
Fixes:
./sanbin/gs -dBATCH -dNOPAUSE -r965 -sOutputFile=tmp -sDEVICE=pcx16 ../bug-701819.pdf
---
devices/gdevpcx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/devices/gdevpcx.c b/devices/gdevpcx.c
index 1735851d2..91de4abb6 100644
--- a/devices/gdevpcx.c
+++ b/devices/gdevpcx.c
@@ -442,7 +442,7 @@ pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file)
byte data = *from;
from += step;
- if (data != *from || from == end) {
+ if (from >= end || data != *from) {
if (data >= 0xc0)
putc(0xc1, file);
} else {
--
2.41.0

View File

@ -0,0 +1,63 @@
diff -Napur ghostscript-9.27.old/base/fapi_ft.c ghostscript-9.27.new/base/fapi_ft.c
--- ghostscript-9.27.old/base/fapi_ft.c 2019-04-04 00:43:14.000000000 -0700
+++ ghostscript-9.27.new/base/fapi_ft.c 2023-03-07 16:41:56.217995052 -0800
@@ -974,13 +974,19 @@ make_rotation(FT_Matrix * a_transform, c
*/
static void
transform_decompose(FT_Matrix * a_transform, FT_UInt * xresp, FT_UInt * yresp,
- FT_Fixed * a_x_scale, FT_Fixed * a_y_scale)
+ FT_Fixed * a_x_scale, FT_Fixed * a_y_scale, int units_per_EM)
{
double scalex, scaley, fact = 1.0;
double factx = 1.0, facty = 1.0;
FT_Matrix ftscale_mat;
FT_UInt xres;
FT_UInt yres;
+ /* We have to account for units_per_EM as we fiddle with the scaling
+ * in order to avoid underflow (mostly in the TTF hinting code), but
+ * we also want to clamp to a lower value (512, admittedly arrived at
+ * via experimentation) in order to preserve the fidelity of the outlines.
+ */
+ double upe = units_per_EM > 512 ? (float)units_per_EM : 512.0;
scalex = hypot((double)a_transform->xx, (double)a_transform->xy);
scaley = hypot((double)a_transform->yx, (double)a_transform->yy);
@@ -1067,10 +1073,25 @@ transform_decompose(FT_Matrix * a_transf
scalex *= fact;
}
- ftscale_mat.xx = (FT_Fixed) (65536.0 / scalex);
- ftscale_mat.xy = (FT_Fixed) 0;
- ftscale_mat.yx = (FT_Fixed) 0;
- ftscale_mat.yy = (FT_Fixed) (65536.0 / scaley);
+ /* see above */
+ fact = 1.0;
+ while (scaley * yres > (double)upe * 72.0 && (xres > 0 && yres > 0)
+ && (scalex > 0.0 && scaley > 0.0)) {
+ if (scaley < yres) {
+ xres >>= 1;
+ yres >>= 1;
+ fact *= 2.0;
+ }
+ else {
+ scalex /= 1.25;
+ scaley /= 1.25;
+ }
+ }
+
+ ftscale_mat.xx = (FT_Fixed) ((65536.0 / scalex) * fact);
+ ftscale_mat.xy = 0;
+ ftscale_mat.yx = 0;
+ ftscale_mat.yy = (FT_Fixed) ((65536.0 / scaley) * fact);
FT_Matrix_Multiply(a_transform, &ftscale_mat);
memcpy(a_transform, &ftscale_mat, sizeof(FT_Matrix));
@@ -1315,7 +1336,7 @@ gs_fapi_ft_get_scaled_font(gs_fapi_serve
* transform.
*/
transform_decompose(&face->ft_transform, &face->horz_res,
- &face->vert_res, &face->width, &face->height);
+ &face->vert_res, &face->width, &face->height, face->ft_face->units_per_EM);
ft_error = FT_Set_Char_Size(face->ft_face, face->width, face->height,
face->horz_res, face->vert_res);

View File

@ -0,0 +1,106 @@
From 346f12459aa67cdb5ff9e267c2c8cccc17f4a376 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 15 Mar 2023 15:38:29 +0000
Subject: [PATCH] Bug 706478: pdfwrite: Substituted TTF CIDFont CID handling
The PS interpreter callback that handles converting a CID to a TTF GID did
not handle the case of substituted CIDFonts.
It requires looking up the CID on the Decoding (to get a Unicode code point),
and then looking up the code point in the TTF cmap table to get the GID.
The rendering code already handled it.
---
psi/zfcid1.c | 73 +++++++++++++++++++++++++++++++++-------------------
1 file changed, 46 insertions(+), 27 deletions(-)
diff --git a/psi/zfcid1.c b/psi/zfcid1.c
index fd502ff12..55de85d45 100644
--- a/psi/zfcid1.c
+++ b/psi/zfcid1.c
@@ -77,37 +77,56 @@
int gdbytes = pfont->cidata.common.GDBytes;
int gnum = 0;
const byte *data;
- int i, code;
+ int i, code = -1;
ref rcid;
ref *prgnum;
+ ref *p, *fdict = pfont_dict(pfont);
+
+ if (r_has_type(fdict, t_dictionary) && dict_find_string(fdict, "Path", &p)) {
+ ref *Decoding = NULL, *TT_cmap = NULL, *SubstNWP = NULL, src_type, dst_type;
+ uint c;
+
+ code = dict_find_string(fdict, "Decoding", &Decoding);
+ if (code > 0)
+ code = dict_find_string(fdict, "TT_cmap", &TT_cmap);
+ if (code > 0)
+ code = dict_find_string(fdict, "SubstNWP", &SubstNWP);
+ if (code > 0) {
+ code = cid_to_TT_charcode(pfont->memory, Decoding, TT_cmap, SubstNWP, cid, &c, &src_type, &dst_type);
+ if (code >= 0)
+ gnum = c;
+ }
+ }
- switch (r_type(pcidmap)) {
- case t_string:
- if (cid >= r_size(pcidmap) / gdbytes)
- return_error(gs_error_rangecheck);
- data = pcidmap->value.const_bytes + cid * gdbytes;
- break;
- case t_integer:
- return cid + pcidmap->value.intval;
- case t_dictionary:
- make_int(&rcid, cid);
- code = dict_find(pcidmap, &rcid, &prgnum);
- if (code <= 0)
- return (code < 0 ? code : gs_note_error(gs_error_undefined));
- if (!r_has_type(prgnum, t_integer))
- return_error(gs_error_typecheck);
- return prgnum->value.intval;
- default: /* array type */
- code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes,
- gdbytes, NULL, NULL, &data);
+ if (code < 0) {
+ switch (r_type(pcidmap)) {
+ case t_string:
+ if (cid >= r_size(pcidmap) / gdbytes)
+ return_error(gs_error_rangecheck);
+ data = pcidmap->value.const_bytes + cid * gdbytes;
+ break;
+ case t_integer:
+ return cid + pcidmap->value.intval;
+ case t_dictionary:
+ make_int(&rcid, cid);
+ code = dict_find(pcidmap, &rcid, &prgnum);
+ if (code <= 0)
+ return (code < 0 ? code : gs_note_error(gs_error_undefined));
+ if (!r_has_type(prgnum, t_integer))
+ return_error(gs_error_typecheck);
+ return prgnum->value.intval;
+ default: /* array type */
+ code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes,
+ gdbytes, NULL, NULL, &data);
- if (code < 0)
- return code;
- if ( code > 0 )
- return_error(gs_error_invalidfont);
+ if (code < 0)
+ return code;
+ if ( code > 0 )
+ return_error(gs_error_invalidfont);
+ }
+ for (i = 0; i < gdbytes; ++i)
+ gnum = (gnum << 8) + data[i];
}
- for (i = 0; i < gdbytes; ++i)
- gnum = (gnum << 8) + data[i];
if (gnum >= pfont->data.trueNumGlyphs)
return_error(gs_error_invalidfont);
return gnum;
--
2.39.2

View File

@ -37,7 +37,7 @@
Name: ghostscript
Summary: Interpreter for PostScript language & PDF
Version: 9.27
Release: 6%{?dist}
Release: 11%{?dist}
License: AGPLv3+
@ -107,6 +107,11 @@ Patch014: ghostscript-cve-2020-16301.patch
Patch015: ghostscript-9.27-fix-use-of-HWMargins.patch
Patch016: ghostscript-9.27-Deal-with-different-VM-modes-during-CIDFont-loading.patch
Patch017: ghostscript-9.27-ESC-Page-driver-does-not-set-page-size-correctly.patch
Patch018: ghostscript-9.27-fix-bbox.patch
Patch019: ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
Patch020: ghostscript-9.27-CVE-2023-28879.patch
Patch021: ghostscript-9.27-CVE-2023-38559.patch
Patch022: ghostscript-9.27-CVE-2023-4042.patch
# Downstream patches -- these should be always included when doing rebase:
@ -447,6 +452,26 @@ done
# =============================================================================
%changelog
* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.27-11
- fix for CVE-2023-4042
- Resolves: rhbz#2228153
* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.27-10
- fix for CVE-2023-38559
- Resolves: rhbz#2224371
* Fri May 05 2023 Richard Lescak <rlescak@redhat.com> - 9.27-9
- fix for CVE-2023-28879
- Resolves: rhbz#2188297
* Fri Mar 17 2023 Richard Lescak <rlescak@redhat.com> - 9.27-8
- fix embedding of CIDFonts
- Resolves: rhbz#2169890
* Wed Mar 15 2023 Richard Lescak <rlescak@redhat.com> - 9.27-7
- fix bbox device calculating bounding box incorrectly
- Resolves: rhbz#2176327
* Thu Feb 02 2023 Richard Lescak <rlescak@redhat.com> - 9.27-6
- set the page size for A4 correctly in ESC/Page driver
- Resolves: rhbz#2164603