David Kaspar [Dee'Kej]
parent
007868af59
commit
e76b7b9160
|
|
@ -0,0 +1,50 @@
|
|||
From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001
|
||||
From: Ken Sharp <ken.sharp@artifex.com>
|
||||
Date: Wed, 21 Dec 2016 16:54:14 +0000
|
||||
Subject: [PATCH] fix crash with bad data supplied to makeimagedevice
|
||||
|
||||
Bug #697450 "Null pointer dereference in gx_device_finalize()"
|
||||
|
||||
The problem here is that the code to finalise a device unconditionally
|
||||
frees the icc_struct member of the device structure. However this
|
||||
particular (weird) device is not setup as a normal device, probably
|
||||
because its very, very ancient. Its possible for the initialisation
|
||||
of the device to abort with an error before calling gs_make_mem_device()
|
||||
which is where the icc_struct member gets allocated (or set to NULL).
|
||||
|
||||
If that happens, then the cleanup code tries to free the device, which
|
||||
calls finalize() which tries to free a garbage pointer.
|
||||
|
||||
Setting the device memory to 0x00 after we allocate it means that the
|
||||
icc_struct member will be NULL< and our memory manager allows for that
|
||||
happily enough, which avoids the problem.
|
||||
---
|
||||
base/gsdevmem.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/base/gsdevmem.c b/base/gsdevmem.c
|
||||
index 97b9cf4..fe75bcc 100644
|
||||
--- a/base/gsdevmem.c
|
||||
+++ b/base/gsdevmem.c
|
||||
@@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat,
|
||||
|
||||
if (pnew == 0)
|
||||
return_error(gs_error_VMerror);
|
||||
+
|
||||
+ /* Bug #697450 "Null pointer dereference in gx_device_finalize()"
|
||||
+ * If we have incorrect data passed to gs_initialise_wordimagedevice() then the
|
||||
+ * initialisation will fail, crucially it will fail *before* it calls
|
||||
+ * gs_make_mem_device() which initialises the device. This means that the
|
||||
+ * icc_struct member will be uninitialsed, but the device finalise method
|
||||
+ * will unconditionally free that memory. Since its a garbage pointer, bad things happen.
|
||||
+ * Apparently we do still need makeimagedevice to be available from
|
||||
+ * PostScript, so in here just zero the device memory, which means that
|
||||
+ * the finalise routine won't have a problem.
|
||||
+ */
|
||||
+ memset(pnew, 0x00, st_device_memory.ssize);
|
||||
code = gs_initialize_wordimagedevice(pnew, pmat, width, height,
|
||||
colors, num_colors, word_oriented,
|
||||
page_device, mem);
|
||||
--
|
||||
2.9.3
|
||||
|
||||
|
|
@ -34,6 +34,7 @@ Patch13: ghostscript-9.20-cve-2017-7207.patch
|
|||
Patch14: ghostscript-9.20-cve-2016-10217.patch
|
||||
Patch15: ghostscript-9.20-cve-2016-10218.patch
|
||||
Patch16: ghostscript-9.20-cve-2016-10219.patch
|
||||
Patch17: ghostscript-9.20-cve-2016-10220.patch
|
||||
|
||||
Requires: %{name}-core%{?_isa} = %{version}-%{release}
|
||||
Requires: %{name}-x11%{?_isa} = %{version}-%{release}
|
||||
|
|
@ -171,6 +172,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib
|
|||
# CVE-2016-10219 (bug #1441569):
|
||||
%patch16 -p1
|
||||
|
||||
# CVE-2016-10220 (bug #1441571):
|
||||
%patch17 -p1
|
||||
|
||||
# Convert manual pages to UTF-8
|
||||
from8859_1() {
|
||||
iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
|
||||
|
|
@ -372,6 +376,7 @@ rm -rf $RPM_BUILD_ROOT
|
|||
- CVE-2016-10217 (bug #1441564)
|
||||
- CVE-2016-10218 (bug #1441568)
|
||||
- CVE-2016-10219 (bug #1441569)
|
||||
- CVE-2016-10220 (bug #1441571)
|
||||
|
||||
* Thu Apr 06 2017 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.20-8
|
||||
Added security fix for CVE-2017-7207 (bug #1434497)
|
||||
|
|
|
|||
Loading…
Reference in New Issue