packages/ghostscript
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!131 Fix CVE-2024-46955

Browse Source 
From: @li_ning_jie 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
This commit is contained in:
openeuler-ci-bot 2024-11-01 08:20:13 +00:00 committed by Gitee
commit c224ae2c73
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 68 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
backport-CVE-2024-46955.patch Normal file
View File

@ -0,0 +1,60 @@
From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Fri, 30 Aug 2024 13:11:53 +0100
Subject: [PATCH] PS interpreter - check Indexed colour space index
Bug #707990 "Out of bounds read when reading color in "Indexed" color space"
Check the 'index' is in the valid range (0 to hival) for the colour
space.
Also a couple of additional checks on the type of the 'proc' for
Indexed, DeviceN and Separation spaces. Make sure these really are
procs in case the user changed the colour space array.
CVE-2024-46955
---
psi/zcolor.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/psi/zcolor.c b/psi/zcolor.c
index 373bc06..7c00033 100644
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -3635,6 +3635,7 @@ static int septransform(i_ctx_t *i_ctx_p, ref *sepspace, int *usealternate, int
code = array_get(imemory, sepspace, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*esp = proc;
return o_push_estack;
}
@@ -4457,6 +4458,7 @@ static int devicentransform(i_ctx_t *i_ctx_p, ref *devicenspace, int *usealterna
code = array_get(imemory, devicenspace, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*esp = proc;
return o_push_estack;
}
@@ -4872,6 +4874,7 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
code = array_get(imemory, space, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*ep = proc; /* lookup proc */
return o_push_estack;
} else {
@@ -4885,6 +4888,9 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
if (!r_has_type(op, t_integer))
return_error (gs_error_typecheck);
index = op->value.intval;
+ /* Ensure it is in range. See bug #707990 */
+ if (index < 0 || index > pcs->params.indexed.hival)
+ return_error(gs_error_rangecheck);
/* And remove it from the stack. */
pop(1);
op = osp;
--
2.33.0

9
ghostscript.spec
View File

@ -9,7 +9,7 @@
Name: ghostscript Name: ghostscript
Version: 9.52 Version: 9.52
Release: 18 Release: 19
Summary: An interpreter for PostScript and PDF files Summary: An interpreter for PostScript and PDF files
License: AGPLv3+ License: AGPLv3+
URL: https://ghostscript.com/ URL: https://ghostscript.com/
@ -62,6 +62,7 @@ Patch43: backport-CVE-2024-29508.patch
Patch44: fix-CVE-2024-33871.patch Patch44: fix-CVE-2024-33871.patch
Patch45: backport-CVE-2024-46953.patch Patch45: backport-CVE-2024-46953.patch
Patch46: backport-CVE-2024-46956.patch Patch46: backport-CVE-2024-46956.patch
Patch47: backport-CVE-2024-46955.patch
BuildRequires: automake gcc BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -222,6 +223,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf %{_bindir}/dvipdf
%changelog %changelog
* Wed Oct 30 2024 liningjie <liningjie@xfusion.com> - 9.52-19
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2024-46955
* Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.52-18 * Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.52-18
- Type:CVE - Type:CVE
- ID:NA - ID:NA