mirror of
https://git.yoctoproject.org/poky
synced 2026-06-03 01:40:07 +00:00
ghostscript: Fix CVE-2023-28879
Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179] (From OE-Core rev: ec0c6f941826903b763be76c450f1d4e0e67908e) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Vijay Anusuri
committed by
Steve Sakoman
Steve Sakoman
parent
f51b7f407d
commit
34d7cb536a
@@ -0,0 +1,54 @@
|
|||||||
|
From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ken Sharp <ken.sharp@artifex.com>
|
||||||
|
Date: Fri, 24 Mar 2023 13:19:57 +0000
|
||||||
|
Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
|
||||||
|
|
||||||
|
Bug #706494 "Buffer Overflow in s_xBCPE_process"
|
||||||
|
|
||||||
|
As described in detail in the bug report, if the write buffer is filled
|
||||||
|
to one byte less than full, and we then try to write an escaped
|
||||||
|
character, we overrun the buffer because we don't check before
|
||||||
|
writing two bytes to it.
|
||||||
|
|
||||||
|
This just checks if we have two bytes before starting to write an
|
||||||
|
escaped character and exits if we don't (replacing the consumed byte
|
||||||
|
of the input).
|
||||||
|
|
||||||
|
Up for further discussion; why do we even permit a BCP encoding filter
|
||||||
|
anyway ? I think we should remove this, at least when SAFER is true.
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179]
|
||||||
|
CVE: CVE-2023-28879
|
||||||
|
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
||||||
|
---
|
||||||
|
base/sbcp.c | 10 +++++++++-
|
||||||
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/base/sbcp.c b/base/sbcp.c
|
||||||
|
index 6b0383c..90784b5 100644
|
||||||
|
--- a/base/sbcp.c
|
||||||
|
+++ b/base/sbcp.c
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-/* Copyright (C) 2001-2019 Artifex Software, Inc.
|
||||||
|
+/* Copyright (C) 2001-2023 Artifex Software, Inc.
|
||||||
|
All Rights Reserved.
|
||||||
|
|
||||||
|
This software is provided AS-IS with no warranty, either express or
|
||||||
|
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
|
||||||
|
byte ch = *++p;
|
||||||
|
|
||||||
|
if (ch <= 31 && escaped[ch]) {
|
||||||
|
+ /* Make sure we have space to store two characters in the write buffer,
|
||||||
|
+ * if we don't then exit without consuming the input character, we'll process
|
||||||
|
+ * that on the next time round.
|
||||||
|
+ */
|
||||||
|
+ if (pw->limit - q < 2) {
|
||||||
|
+ p--;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
if (p == rlimit) {
|
||||||
|
p--;
|
||||||
|
break;
|
||||||
|
--
|
||||||
|
2.25.1
|
||||||
|
|
||||||
@@ -39,6 +39,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
|
|||||||
file://CVE-2021-3781_1.patch \
|
file://CVE-2021-3781_1.patch \
|
||||||
file://CVE-2021-3781_2.patch \
|
file://CVE-2021-3781_2.patch \
|
||||||
file://CVE-2021-3781_3.patch \
|
file://CVE-2021-3781_3.patch \
|
||||||
|
file://CVE-2023-28879.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI = "${SRC_URI_BASE} \
|
SRC_URI = "${SRC_URI_BASE} \
|
||||||
|
|||||||
Reference in New Issue
Block a user