rpms/ghostscript
6
0
Fork 0
Code Issues Pull Requests Releases Activity
07c9e4554d
ghostscript/0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch

64 lines
2.0 KiB
Diff
Raw Blame History

From 282f691f5e57b6bf55ba51ad8c2be2cce8edb938 Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Tue, 18 Jun 2024 18:22:55 +0100
Subject: [PATCH] Bug 707788: Fix decode_utf8 to forbid overlong encodings.
These can be used by malicious code to escape directories.
CVE-2024-46954
---
base/gp_utf8.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/base/gp_utf8.c b/base/gp_utf8.c
index c33fc3550..b78977e37 100644
--- a/base/gp_utf8.c
+++ b/base/gp_utf8.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -25,12 +25,16 @@ decode_utf8(const char **inp, unsigned int i)
if (i < 0x80) {
} else if ((i & 0xE0) == 0xC0) {
i &= 0x1F;
+ if (i == 0)
+ goto fail_overlong;
c = (unsigned char)*in++;
if ((c & 0xC0) != 0x80)
goto fail;
i = (i<<6) | (c & 0x3f);
} else if ((i & 0xF0) == 0xE0) {
i &= 0xF;
+ if (i == 0)
+ goto fail_overlong;
c = (unsigned char)*in++;
if ((c & 0xC0) != 0x80)
goto fail;
@@ -41,6 +45,8 @@ decode_utf8(const char **inp, unsigned int i)
i = (i<<6) | (c & 0x3f);
} else if ((i & 0xF8) == 0xF0) {
i &= 0x7;
+ if (i == 0)
+ goto fail_overlong;
c = (unsigned char)*in++;
if ((c & 0xC0) != 0x80)
goto fail;
@@ -59,6 +65,11 @@ decode_utf8(const char **inp, unsigned int i)
/* If we fail, unread the last one, and return the unicode replacement char. */
fail:
in--;
+fail_overlong:
+ /* If we jump to here it's because we've detected an 'overlong' encoding.
+ * While this seems harmless, it's actually illegal, for good reason;
+ * this is typically an attempt to sneak stuff past security checks, like
+ * "../" in paths. Fail this. */
i = 0xfffd;
}
*inp = in;
--
2.49.0
Reference in New Issue View Git Blame Copy Permalink