Added security patch for CVE-2016-10220

Resolves: #1441571

ghostscript-9.20-cve-2016-10220.patch

@@ -0,0 +1,50 @@
+From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 21 Dec 2016 16:54:14 +0000
+Subject: [PATCH] fix crash with bad data supplied to makeimagedevice
+
+Bug #697450 "Null pointer dereference in gx_device_finalize()"
+
+The problem here is that the code to finalise a device unconditionally
+frees the icc_struct member of the device structure. However this
+particular (weird) device is not setup as a normal device, probably
+because its very, very ancient. Its possible for the initialisation
+of the device to abort with an error before calling gs_make_mem_device()
+which is where the icc_struct member gets allocated (or set to NULL).
+
+If that happens, then the cleanup code tries to free the device, which
+calls finalize() which tries to free a garbage pointer.
+
+Setting the device memory to 0x00 after we allocate it means that the
+icc_struct member will be NULL< and our memory manager allows for that
+happily enough, which avoids the problem.
+---
+ base/gsdevmem.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/base/gsdevmem.c b/base/gsdevmem.c
+index 97b9cf4..fe75bcc 100644
+--- a/base/gsdevmem.c
++++ b/base/gsdevmem.c
+@@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat,
+ 
+     if (pnew == 0)
+         return_error(gs_error_VMerror);
++
++    /* Bug #697450 "Null pointer dereference in gx_device_finalize()"
++     * If we have incorrect data passed to gs_initialise_wordimagedevice() then the
++     * initialisation will fail, crucially it will fail *before* it calls
++     * gs_make_mem_device() which initialises the device. This means that the
++     * icc_struct member will be uninitialsed, but the device finalise method
++     * will unconditionally free that memory. Since its a garbage pointer, bad things happen.
++     * Apparently we do still need makeimagedevice to be available from
++     * PostScript, so in here just zero the device memory, which means that
++     * the finalise routine won't have a problem.
++     */
++    memset(pnew, 0x00, st_device_memory.ssize);
+     code = gs_initialize_wordimagedevice(pnew, pmat, width, height,
+                                          colors, num_colors, word_oriented,
+                                          page_device, mem);
+-- 
+2.9.3
+

ghostscript.spec

@@ -34,6 +34,7 @@ Patch13: ghostscript-9.20-cve-2017-7207.patch
 Patch14: ghostscript-9.20-cve-2016-10217.patch
 Patch15: ghostscript-9.20-cve-2016-10218.patch
 Patch16: ghostscript-9.20-cve-2016-10219.patch
+Patch17: ghostscript-9.20-cve-2016-10220.patch
 
 Requires: %{name}-core%{?_isa} = %{version}-%{release}
 Requires: %{name}-x11%{?_isa} = %{version}-%{release}
@@ -171,6 +172,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib
 # CVE-2016-10219 (bug #1441569):
 %patch16 -p1
 
+# CVE-2016-10220 (bug #1441571):
+%patch17 -p1
+
 # Convert manual pages to UTF-8
 from8859_1() {
         iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@@ -372,6 +376,7 @@ rm -rf $RPM_BUILD_ROOT
   - CVE-2016-10217 (bug #1441564)
   - CVE-2016-10218 (bug #1441568)
   - CVE-2016-10219 (bug #1441569)
+  - CVE-2016-10220 (bug #1441571)
 
 * Thu Apr 06 2017 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.20-8
   Added security fix for CVE-2017-7207 (bug #1434497)