mirror of
https://git.yoctoproject.org/poky
synced 2026-05-09 05:29:32 +00:00
ghostscript: Fix CVE-2025-27832
Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41] (From OE-Core rev: a1cd1e6275cc5ae3c100a3259e24d03937a4b78d) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Vijay Anusuri
committed by
Steve Sakoman
Steve Sakoman
parent
09870c8cce
commit
bfe8ae1a38
@@ -0,0 +1,45 @@
|
|||||||
|
From 57291c846334f1585552010faa42d7cb2cbd5c41 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Zdenek Hutyra <zhutyra@centrum.cz>
|
||||||
|
Date: Wed, 20 Nov 2024 11:42:31 +0000
|
||||||
|
Subject: Bug 708133: Avoid integer overflow leading to buffer overflow
|
||||||
|
|
||||||
|
The calculation of the buffer size was being done with int values, and
|
||||||
|
overflowing that data type. By leaving the total size calculation to the
|
||||||
|
memory manager, the calculation ends up being done in size_t values, and
|
||||||
|
avoiding the overflow in this case, but also meaning the memory manager
|
||||||
|
overflow protection will be effective.
|
||||||
|
|
||||||
|
CVE-2025-27832
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41]
|
||||||
|
CVE: CVE-2025-27832
|
||||||
|
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
||||||
|
---
|
||||||
|
contrib/japanese/gdevnpdl.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
|
||||||
|
index 60065bacf..4967282bd 100644
|
||||||
|
--- a/contrib/japanese/gdevnpdl.c
|
||||||
|
+++ b/contrib/japanese/gdevnpdl.c
|
||||||
|
@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
|
||||||
|
int code;
|
||||||
|
int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
|
||||||
|
|
||||||
|
- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
|
||||||
|
+ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
|
||||||
|
return_error(gs_error_VMerror);
|
||||||
|
|
||||||
|
/* Initialize printer */
|
||||||
|
@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
|
||||||
|
/* Form Feed */
|
||||||
|
gp_fputs("\014", prn_stream);
|
||||||
|
|
||||||
|
- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
|
||||||
|
+ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
cgit v1.2.3
|
||||||
|
|
||||||
@@ -65,6 +65,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
|
|||||||
file://CVE-2025-27830.patch \
|
file://CVE-2025-27830.patch \
|
||||||
file://CVE-2025-27831-pre1.patch \
|
file://CVE-2025-27831-pre1.patch \
|
||||||
file://CVE-2025-27831.patch \
|
file://CVE-2025-27831.patch \
|
||||||
|
file://CVE-2025-27832.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI = "${SRC_URI_BASE} \
|
SRC_URI = "${SRC_URI_BASE} \
|
||||||
|
|||||||
Reference in New Issue
Block a user