packages/ghostscript
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-36773

Browse Source
This commit is contained in:
dillon_chen 2024-04-15 15:34:00 +08:00
parent 846628d2a4
commit ffb7d17fa5
2 changed files with 114 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
backport-CVE-2020-36773.patch Normal file
View File

@ -0,0 +1,106 @@
From 8c7bd787defa071c96289b7da9397f673fddb874 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 20 May 2020 16:02:07 +0100
Subject: [PATCH] txtwrite - address memory problems
Bug #702229 " txtwrite: use after free in 9.51 on some files (regression from 9.50)"
Also bug #702346 and the earlier report #701877.
The problems occur because its possible for a single character code in
a PDF file to map to more than a single Unicode code point. In the case
of the file for 701877 the character code maps to 'f' and 'i' (it is an
fi ligature).
The code should deal with this, but we need to ensure we are using the
correct index. In addition, if we do get more Unicode code points than
we expected, we need to set the widths of the 'extra' code points to
zero (we only want to consider the width of the original character).
This does mean increasing the size of the Widths array to cater for
the possibility of more entries on output than there were on input.
While working on it I noticed that the Unicode remapping on little-
endian machines was reversing the order of the Unicode values, when
there was more than a single code point returned, so fixed that at
the same time.
---
devices/vector/gdevtxtw.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c
index 024419753..256ef468f 100644
--- a/devices/vector/gdevtxtw.c
+++ b/devices/vector/gdevtxtw.c
@@ -1812,11 +1812,11 @@ static int get_unicode(textw_text_enum_t *penum, gs_font *font, gs_glyph glyph,
#else
b = (char *)Buffer;
u = (char *)unicode;
- while (l >= 0) {
- *b++ = *(u + l);
- l--;
- }
+ for (l=0;l<length;l+=2, u+=2){
+ *b++ = *(u+1);
+ *b++ = *u;
+ }
#endif
gs_free_object(penum->dev->memory, unicode, "free temporary unicode buffer");
return length / sizeof(short);
@@ -1963,7 +1963,7 @@ txtwrite_process_plain_text(gs_text_enum_t *pte)
&penum->text_state->matrix, &wanted);
pte->returned.total_width.x += wanted.x;
pte->returned.total_width.y += wanted.y;
- penum->Widths[pte->index - 1] = wanted.x;
+ penum->Widths[penum->TextBufferIndex] = wanted.x;
if (pte->text.operation & TEXT_ADD_TO_ALL_WIDTHS) {
gs_point tpt;
@@ -1984,8 +1984,14 @@ txtwrite_process_plain_text(gs_text_enum_t *pte)
pte->returned.total_width.x += dpt.x;
pte->returned.total_width.y += dpt.y;
- penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]);
- penum->Widths[pte->index - 1] += dpt.x;
+ penum->Widths[penum->TextBufferIndex] += dpt.x;
+ code = get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]);
+ /* If a single text code returned multiple Unicode values, then we need to set the
+ * 'extra' code points' widths to 0.
+ */
+ if (code > 1)
+ memset(&penum->Widths[penum->TextBufferIndex + 1], 0x00, (code - 1) * sizeof(float));
+ penum->TextBufferIndex += code;
}
return 0;
}
@@ -2123,7 +2129,7 @@ txt_add_fragment(gx_device_txtwrite_t *tdev, textw_text_enum_t *penum)
if (!penum->text_state->Widths)
return gs_note_error(gs_error_VMerror);
memset(penum->text_state->Widths, 0x00, penum->TextBufferIndex * sizeof(float));
- memcpy(penum->text_state->Widths, penum->Widths, penum->text.size * sizeof(float));
+ memcpy(penum->text_state->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float));
unsorted_entry->Unicode_Text = (unsigned short *)gs_malloc(tdev->memory->stable_memory,
penum->TextBufferIndex, sizeof(unsigned short), "txtwrite alloc sorted text buffer");
@@ -2136,7 +2142,7 @@ txt_add_fragment(gx_device_txtwrite_t *tdev, textw_text_enum_t *penum)
if (!unsorted_entry->Widths)
return gs_note_error(gs_error_VMerror);
memset(unsorted_entry->Widths, 0x00, penum->TextBufferIndex * sizeof(float));
- memcpy(unsorted_entry->Widths, penum->Widths, penum->text.size * sizeof(float));
+ memcpy(unsorted_entry->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float));
unsorted_entry->FontName = (char *)gs_malloc(tdev->memory->stable_memory,
(strlen(penum->text_state->FontName) + 1), sizeof(unsigned char), "txtwrite alloc sorted text buffer");
@@ -2192,7 +2198,7 @@ textw_text_process(gs_text_enum_t *pte)
if (!penum->TextBuffer)
return gs_note_error(gs_error_VMerror);
penum->Widths = (float *)gs_malloc(tdev->memory->stable_memory,
- pte->text.size, sizeof(float), "txtwrite temporary widths array");
+ pte->text.size * 4, sizeof(float), "txtwrite temporary widths array");
if (!penum->Widths)
return gs_note_error(gs_error_VMerror);
}
--
2.34.1

9
ghostscript.spec
View File

@ -9,7 +9,7 @@
Name: ghostscript
Version: 9.52
Release: 12
Release: 13
Summary: An interpreter for PostScript and PDF files
License: AGPLv3+
URL: https://ghostscript.com/
@ -54,6 +54,7 @@ Patch35: CVE-2023-28879.patch
Patch36: CVE-2023-36664.patch
Patch37: backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch
Patch38: backport-CVE-2023-46751.patch
Patch39: backport-CVE-2020-36773.patch
BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -214,6 +215,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf
%changelog
* Mon Apr 15 2024 dillon chen <dillon.chen@gmail.com> - 9.52-13
- Type:CVE
- ID:CVE-2020-36773
- SUG:NA
- DESC:fix CVE-2020-36773
* Mon Dec 25 2023 liningjie <liningjie@xfusion.com> - 9.52-12
- Type:CVE
- ID:CVE-2023-46751