From 2e84257b372352281d1ceb6ea1adae3ccc9fc26b Mon Sep 17 00:00:00 2001
From: Tim Waugh
Date: Thu, 5 Aug 2010 16:15:23 +0100
Subject: [PATCH] Avoid another NULL pointer dereference in jbig2 code (bug #621569).
---
ghostscript-jbig2-image-refcount.patch | 25 +++++++++++++++++++++++++
ghostscript.spec | 9 ++++++++-
2 files changed, 33 insertions(+), 1 deletion(-)
create mode 100644 ghostscript-jbig2-image-refcount.patch
diff --git a/ghostscript-jbig2-image-refcount.patch b/ghostscript-jbig2-image-refcount.patch
new file mode 100644
index 0000000..6054273
--- /dev/null
+++ b/ghostscript-jbig2-image-refcount.patch
@@ -0,0 +1,25 @@
+diff -up ghostscript-8.71/jbig2dec/jbig2_image.c.jbig2-image-refcount ghostscript-8.71/jbig2dec/jbig2_image.c
+--- ghostscript-8.71/jbig2dec/jbig2_image.c.jbig2-image-refcount 2010-08-05 14:55:56.417043303 +0100
++++ ghostscript-8.71/jbig2dec/jbig2_image.c 2010-08-05 14:56:46.796169065 +0100
+@@ -60,15 +60,18 @@ Jbig2Image* jbig2_image_new(Jbig2Ctx *ct
+ /* clone an image pointer by bumping its reference count */
+ Jbig2Image* jbig2_image_clone(Jbig2Ctx *ctx, Jbig2Image *image)
+ {
+- image->refcount++;
++ if (image)
++ image->refcount++;
+ return image;
+ }
+
+ /* release an image pointer, freeing it it appropriate */
+ void jbig2_image_release(Jbig2Ctx *ctx, Jbig2Image *image)
+ {
+- image->refcount--;
+- if (!image->refcount) jbig2_image_free(ctx, image);
++ if (image) {
++ image->refcount--;
++ if (!image->refcount) jbig2_image_free(ctx, image);
++ }
+ }
+
+ /* free a Jbig2Image structure and its associated memory */
diff --git a/ghostscript.spec b/ghostscript.spec
index 31db348..996ca3a 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer. Name: ghostscript Version: %{gs_ver} -Release: 7%{?dist} +Release: 8%{?dist} # Included CMap data is Redistributable, no modification permitted, # see http://bugzilla.redhat.com/487510
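Review bot: In the embedded jbig2_image.c patch, the new `if (image)` guard makes `jbig2_image_clone` hand a NULL image straight back, so the dereference may simply move to any caller that uses the returned pointer without checking it; those callers are outside this hunk and are worth auditing, since the decoder presumably runs on untrusted document data. Both functions now have a NULL-tolerant contract that their comments do not state, so I would change them to `/* clone an image pointer by bumping its reference count; NULL is returned unchanged */` and `/* release an image pointer, freeing it if appropriate; NULL is a no-op */` (the second also fixes the existing "it it" typo). The guards also hide where the NULL image came from, which the hunk does not show; whichever path produces it should report a decode error rather than continue silently.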
@@ -36,6 +36,7 @@ Patch17: ghostscript-tif-fail-close.patch Patch18: ghostscript-tiff-default-strip-size.patch Patch19: ghostscript-tiff-fixes.patch Patch20: ghostscript-CVE-2010-1628.patch +Patch21: ghostscript-jbig2-image-refcount.patch Requires: urw-fonts >= 1.1, ghostscript-fonts BuildRequires: xz
@@ -169,6 +170,9 @@ rm -rf libpng zlib jpeg jasper # overflow, bug #592492). %patch20 -p1 -b .CVE-2010-1628 +# Avoid another NULL pointer dereference in jbig2 code (bug #621569). +%patch21 -p1 -b .jbig2-image-refcount + # Convert manual pages to UTF-8 from8859_1() { iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@@ -357,6 +361,9 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libgs.so %changelog +* Thu Aug 5 2010 Tim Waugh 8.71-8 +- Avoid another NULL pointer dereference in jbig2 code (bug #621569). + * Fri Jul 16 2010 Tim Waugh 8.71-7 - Applied patch to fix CVE-2010-1628 (memory corruption at PS stack overflow, bug #592492).