From f2fcc98430b2827e064dbf21eb6292875128b456 Mon Sep 17 00:00:00 2001 From: "David Kaspar [Dee'Kej]" Date: Thu, 3 Nov 2016 16:58:02 +0100 Subject: [PATCH] Handle GlyphDirectory as an array Upstream BZ: http://bugs.ghostscript.com/show_bug.cgi?id=697286 --- ...9.20-handle-glyphdirectory-correctly.patch | 52 +++++++++++++++++++ ghostscript.spec | 10 +++- 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 ghostscript-9.20-handle-glyphdirectory-correctly.patch diff --git a/ghostscript-9.20-handle-glyphdirectory-correctly.patch b/ghostscript-9.20-handle-glyphdirectory-correctly.patch new file mode 100644 index 0000000..831b2e8 --- /dev/null +++ b/ghostscript-9.20-handle-glyphdirectory-correctly.patch @@ -0,0 +1,52 @@ +From 329e0a6d187cc5b5698689d76636ed3214d7efa7 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Thu, 3 Nov 2016 13:09:27 +0000 +Subject: [PATCH] Bug 697286: handle GlyphDirectory as an array + +For high level devices that need to copy CIDFonts, we need to establish the +highest CID in a given CIDFont. If the font has a GlyphDirectory dictionary +the only way to do so is to iterate through the keys to find the highest. + +The code handling this ignored that the GlyphDirectory could be an array, +which confused the dictionary content iterator, and caused a segfault. + +In the case of an array, set the high CID to the highest index available in the +array. +--- + psi/zfcid.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/psi/zfcid.c b/psi/zfcid.c +index ce583af..3098a22 100644 +--- a/psi/zfcid.c ++++ b/psi/zfcid.c +@@ -76,15 +76,19 @@ cid_font_data_param(os_ptr op, gs_font_cid_data *pdata, ref *pGlyphDirectory) + * the number of CIDs in the font. We need to know the maximum CID + * when copying fonts, so calculate and store it now. + */ +- index = dict_first(pgdir); +- while (index >= 0) { +- index = dict_next(pgdir, index, (ref *)&element); +- if (index >= 0) { +- if (element[0].value.intval > pdata->MaxCID) +- pdata->MaxCID = element[0].value.intval; ++ if (r_has_type(pgdir, t_dictionary)) { ++ index = dict_first(pgdir); ++ while (index >= 0) { ++ index = dict_next(pgdir, index, (ref *)&element); ++ if (index >= 0) { ++ if (element[0].value.intval > pdata->MaxCID) ++ pdata->MaxCID = element[0].value.intval; ++ } + } + } +- ++ else { ++ pdata->MaxCID = r_size(pgdir) - 1; ++ } + return code; + } else { + return_error(gs_error_typecheck); +-- +2.7.4 + diff --git a/ghostscript.spec b/ghostscript.spec index 1a3a760..8d52f90 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer Name: ghostscript Version: %{gs_ver} -Release: 4%{?dist} +Release: 5%{?dist} # Included CMap data is Redistributable, no modification permitted, # see http://bugzilla.redhat.com/487510 @@ -20,6 +20,7 @@ Patch1: ghostscript-9.20-fix-openjpeg-system-build.patch Patch2: ghostscript-9.20-runlibfileifexists.patch Patch3: ghostscript-9.20-run-dvipdf-securely.patch Patch4: ghostscript-9.20-urw-fonts-naming.patch +Patch10: ghostscript-9.20-handle-glyphdirectory-correctly.patch # Security patches: Patch5: ghostscript-9.20-cve-2016-7979.patch @@ -143,6 +144,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib # Honor -dSAFER in .libfile (bug #1380415): %patch9 -p1 +# handle GlyphDirectory as an array (http://bugs.ghostscript.com/show_bug.cgi?id=697286): +%patch10 -p1 + # Convert manual pages to UTF-8 from8859_1() { iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_" @@ -339,6 +343,10 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libgs.so %changelog +* Thu Nov 3 2016 David Kaspar [Dee'Kej] - 9.20-5 +- Added fix to avoid SIGSEGV for some *.ps files. More info here: + + * Tue Nov 1 2016 David Kaspar [Dee'Kej] - 9.20-4 - Added security fix for CVE-2016-7977 (bug #1380415)