From 57291c846334f1585552010faa42d7cb2cbd5c41 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra
Date: Wed, 20 Nov 2024 11:42:31 +0000
Subject: [PATCH] Bug 708133: Avoid integer overflow leading to buffer overflow
The calculation of the buffer size was being done with int values, and overflowing that data type. By leaving the total size calculation to the memory manager, the calculation ends up being done in size_t values, and avoiding the overflow in this case, but also meaning the memory manager overflow protection will be effective.
CVE-2025-27832
---
 contrib/japanese/gdevnpdl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
index 60065bacf..4967282bd 100644
--- a/contrib/japanese/gdevnpdl.c
+++ b/contrib/japanese/gdevnpdl.c
@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
 int code;
 int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
+ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
 return_error(gs_error_VMerror);
 /* Initialize printer */
@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
 /* Form Feed */
 gp_fputs("\014", prn_stream);
- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
+ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
 return 0;
 }
--
2.49.0
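Review bot: Nothing ahead of the `gs_malloc` call checks that `line_size` and `maxY` are positive, yet both are `int` values that now reach the allocator directly as element count and element size. `maxY` is computed as `lprn->BlockLine / lprn->nBh * lprn->nBh`, which is 0 whenever `BlockLine < nBh`, and the division itself assumes `nBh` is non-zero; whether those device parameters are range-checked elsewhere is not visible here. A guard such as `if (line_size <= 0 || maxY <= 0) return_error(gs_error_rangecheck);` before the allocation would state the size contract explicitly rather than relying on the allocator to reject a converted negative value. The function body continues outside the hunk, so any remaining `line_size * maxY` arithmetic there would still be evaluated in `int` and should be checked against the full file.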
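Review bot: After the `gs_free` call the function returns with `lprn->CompBuf` still holding the freed address, and `CompBuf` is reached through `lprn`, which appears to be device state that outlives this call. Adding `lprn->CompBuf = NULL;` directly after the `gs_free` line would keep a later use or a second free from touching released memory. The hunk shows only the tail of `npdl_print_page_copies`, so it is not visible whether error returns between the allocation and this point release the buffer; that is worth confirming against the full function.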