42 lines
1.7 KiB
Diff
42 lines
1.7 KiB
Diff
From 57291c846334f1585552010faa42d7cb2cbd5c41 Mon Sep 17 00:00:00 2001
|
|
From: Zdenek Hutyra <zhutyra@centrum.cz>
|
|
Date: Wed, 20 Nov 2024 11:42:31 +0000
|
|
Subject: [PATCH] Bug 708133: Avoid integer overflow leading to buffer overflow
|
|
|
|
The calculation of the buffer size was being done with int values, and
|
|
overflowing that data type. By leaving the total size calculation to the
|
|
memory manager, the calculation ends up being done in size_t values, and
|
|
avoiding the overflow in this case, but also meaning the memory manager
|
|
overflow protection will be effective.
|
|
|
|
CVE-2025-27832
|
|
---
|
|
contrib/japanese/gdevnpdl.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
|
|
index 60065bacf..4967282bd 100644
|
|
--- a/contrib/japanese/gdevnpdl.c
|
|
+++ b/contrib/japanese/gdevnpdl.c
|
|
@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
|
|
int code;
|
|
int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
|
|
|
|
- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
|
|
+ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
|
|
return_error(gs_error_VMerror);
|
|
|
|
/* Initialize printer */
|
|
@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
|
|
/* Form Feed */
|
|
gp_fputs("\014", prn_stream);
|
|
|
|
- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
|
|
+ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
|
|
return 0;
|
|
}
|
|
|
|
--
|
|
2.49.0
|
|
|