!138 Fix CVE-2024-46951

From: @li_ning_jie 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

backport-CVE-2024-46951.patch

@@ -0,0 +1,31 @@
+From ada21374f0c90cc3acf7ce0e96302394560c7aee Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Fri, 30 Aug 2024 13:16:39 +0100
+Subject: [PATCH] PS interpreter - check the type of the Pattern Implementation
+
+Bug #707991
+
+See bug report for details.
+
+CVE-2024-46951
+---
+ psi/zcolor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/psi/zcolor.c b/psi/zcolor.c
+index d4e7a4438..d3384d75d 100644
+--- a/psi/zcolor.c
++++ b/psi/zcolor.c
+@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n)
+             code = array_get(imemory, pImpl, 0, &pPatInst);
+             if (code < 0)
+                 return code;
++
++            if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
++                return_error(gs_error_typecheck);
+             cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
+             if (pattern_instance_uses_base_space(cc.pattern))
+                 *n = n_comps;
+-- 
+2.34.1
+

backport-CVE-2024-46953.patch

@@ -0,0 +1,66 @@
+From 294a3755e33f453dd92e2a7c4cfceb087ac09d6a Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 27 May 2024 13:38:36 +0100
+Subject: [PATCH] Bug 707793: Check for overflow validating format string
+
+for the output file name
+
+CVE-2024-46953
+---
+ base/gsdevice.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/base/gsdevice.c b/base/gsdevice.c
+index 90e699ab4..c1eaedd85 100644
+--- a/base/gsdevice.c
++++ b/base/gsdevice.c
+@@ -1070,7 +1070,7 @@ static int
+ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+ {
+     bool have_format = false, field;
+-    int width[2], int_width = sizeof(int) * 3, w = 0;
++    uint width[2], int_width = sizeof(int) * 3, w = 0;
+     uint i;
+ 
+     /* Scan the file name for a format string, and validate it if present. */
+@@ -1099,6 +1099,8 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+                         default: /* width (field = 0) and precision (field = 1) */
+                             if (strchr("0123456789", pfn->fname[i])) {
+                                 width[field] = width[field] * 10 + pfn->fname[i] - '0';
++                                if (width[field] > max_int)
++	                                return_error(gs_error_undefinedfilename);
+                                 continue;
+                             } else if (0 == field && '.' == pfn->fname[i]) {
+                                 field++;
+@@ -1127,8 +1129,10 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+         /* Calculate a conservative maximum width. */
+         w = max(width[0], width[1]);
+         w = max(w, int_width) + 5;
++        if (w > max_int)
++            return_error(gs_error_undefinedfilename);
+     }
+-    return w;
++    return (int)w;
+ }
+ 
+ /*
+@@ -1181,10 +1185,15 @@ gx_parse_output_file_name(gs_parsed_file_name_t *pfn, const char **pfmt,
+     if (!pfn->fname)
+         return 0;
+     code = gx_parse_output_format(pfn, pfmt);
+-    if (code < 0)
++    if (code < 0) {
+         return code;
+-    if (strlen(pfn->iodev->dname) + pfn->len + code >= gp_file_name_sizeof)
++    }
++
++    if (pfn->len >= gp_file_name_sizeof - strlen(pfn->iodev->dname) ||
++        code >= gp_file_name_sizeof - strlen(pfn->iodev->dname) - pfn->len) {
+         return_error(gs_error_undefinedfilename);
++    }
++
+     return 0;
+ }
+ 
+-- 
+2.34.1

backport-CVE-2024-46955.patch

@@ -0,0 +1,60 @@
+From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Fri, 30 Aug 2024 13:11:53 +0100
+Subject: [PATCH] PS interpreter - check Indexed colour space index
+
+Bug #707990 "Out of bounds read when reading color in "Indexed" color space"
+
+Check the 'index' is in the valid range (0 to hival) for the colour
+space.
+
+Also a couple of additional checks on the type of the 'proc' for
+Indexed, DeviceN and Separation spaces. Make sure these really are
+procs in case the user changed the colour space array.
+
+CVE-2024-46955
+---
+ psi/zcolor.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/psi/zcolor.c b/psi/zcolor.c
+index 373bc06..7c00033 100644
+--- a/psi/zcolor.c
++++ b/psi/zcolor.c
+@@ -3635,6 +3635,7 @@ static int septransform(i_ctx_t *i_ctx_p, ref *sepspace, int *usealternate, int
+         code = array_get(imemory, sepspace, 3, &proc);
+         if (code < 0)
+             return code;
++        check_proc(proc);
+         *esp = proc;
+         return o_push_estack;
+     }
+@@ -4457,6 +4458,7 @@ static int devicentransform(i_ctx_t *i_ctx_p, ref *devicenspace, int *usealterna
+         code = array_get(imemory, devicenspace, 3, &proc);
+         if (code < 0)
+             return code;
++		check_proc(proc);
+         *esp = proc;
+         return o_push_estack;
+     }
+@@ -4872,6 +4874,7 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
+             code = array_get(imemory, space, 3, &proc);
+             if (code < 0)
+                 return code;
++            check_proc(proc);
+             *ep = proc;	/* lookup proc */
+             return o_push_estack;
+         } else {
+@@ -4885,6 +4888,9 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
+             if (!r_has_type(op, t_integer))
+                 return_error (gs_error_typecheck);
+             index = op->value.intval;
++            /* Ensure it is in range. See bug #707990 */
++            if (index < 0 || index > pcs->params.indexed.hival)
++                return_error(gs_error_rangecheck);
+             /* And remove it from the stack. */
+             pop(1);
+             op = osp;
+-- 
+2.33.0
+

backport-CVE-2024-46956.patch

@@ -0,0 +1,30 @@
+From ea69a1388245ad959d31c272b5ba66d40cebba2c Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Tue, 23 Jul 2024 11:48:39 +0100
+Subject: [PATCH] PostScript interpreter - fix buffer length check
+
+Bug 707895
+
+See bug report for details.
+
+CVE-2024-46956
+---
+ psi/zfile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psi/zfile.c b/psi/zfile.c
+index fe3f7e9..027f412 100644
+--- a/psi/zfile.c
++++ b/psi/zfile.c
+@@ -440,7 +440,7 @@ file_continue(i_ctx_t *i_ctx_p)
+         if (code == ~(uint) 0) {    /* all done */
+             esp -= 5;               /* pop proc, pfen, devlen, iodev , mark */
+             return o_pop_estack;
+-        } else if (code > len) {      /* overran string */
++        } else if (code > len - devlen) {      /* overran string */
+             return_error(gs_error_rangecheck);
+         }
+         else if (iodev != iodev_default(imemory)
+-- 
+2.27.0
+

fix-CVE-2024-33871.patch

@@ -0,0 +1,62 @@
+diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
+index 70475ad..013a497 100644
+--- a/contrib/opvp/gdevopvp.c
++++ b/contrib/opvp/gdevopvp.c
+@@ -185,7 +185,7 @@ static  int opvp_copy_color(gx_device *, const byte *, int, int,
+ static  int _get_params(gs_param_list *);
+ static  int opvp_get_params(gx_device *, gs_param_list *);
+ static  int oprp_get_params(gx_device *, gs_param_list *);
+-static  int _put_params(gs_param_list *);
++static  int _put_params(gx_device *, gs_param_list *);
+ static  int opvp_put_params(gx_device *, gs_param_list *);
+ static  int oprp_put_params(gx_device *, gs_param_list *);
+ static  int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *,
+@@ -3043,7 +3043,7 @@ _get_params(gs_param_list *plist)
+     /* vector driver name */
+     pname = "Driver";
+     vdps.data = (byte *)vectorDriver;
+-    vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0);
++    vdps.size = (vectorDriver ? strlen(vectorDriver) : 0);
+     vdps.persistent = false;
+     code = param_write_string(plist, pname, &vdps);
+     if (code) ecode = code;
+@@ -3180,7 +3180,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist)
+  * put params
+  */
+ static  int
+-_put_params(gs_param_list *plist)
++_put_params(gx_device *dev, gs_param_list *plist)
+ {
+     int code;
+     int ecode = 0;
+@@ -3202,6 +3202,12 @@ _put_params(gs_param_list *plist)
+     code = param_read_string(plist, pname, &vdps);
+     switch (code) {
+     case 0:
++        if (gs_is_path_control_active(dev->memory)
++            && (!vectorDriver || strlen(vectorDriver) != vdps.size
++                || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) {
++            param_signal_error(plist, pname, gs_error_invalidaccess);
++            return_error(gs_error_invalidaccess);
++        }
+         buff = realloc(buff, vdps.size + 1);
+         memcpy(buff, vdps.data, vdps.size);
+         buff[vdps.size] = 0;
+@@ -3403,7 +3409,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist)
+     int code;
+ 
+     /* put params */
+-    code = _put_params(plist);
++    code = _put_params(dev, plist);
+     if (code) return code;
+ 
+     /* put default params */
+@@ -3419,7 +3425,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist)
+     int code;
+ 
+     /* put params */
+-    code = _put_params(plist);
++    code = _put_params(dev, plist);
+     if (code) return code;
+ 
+     /* put default params */

ghostscript.spec

@@ -9,7 +9,7 @@
 
 Name:             ghostscript
 Version:          9.52
-Release:          15
+Release:          20
 Summary:          An interpreter for PostScript and PDF files
 License:          AGPLv3+
 URL:              https://ghostscript.com/
@@ -59,6 +59,11 @@ Patch40:  fix-CVE-2024-29510.patch
 Patch41:  fix-CVE-2024-33869.patch
 Patch42:  fix-CVE-2024-33870.patch
 Patch43: backport-CVE-2024-29508.patch
+Patch44:  fix-CVE-2024-33871.patch
+Patch45:  backport-CVE-2024-46953.patch
+Patch46:  backport-CVE-2024-46956.patch
+Patch47:  backport-CVE-2024-46955.patch
+Patch48:  backport-CVE-2024-46951.patch
 
 BuildRequires:    automake gcc
 BuildRequires:    adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -219,6 +224,36 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 
 %changelog
+* Fri Nov 01 2024 liningjie <liningjie@xfusion.com> - 9.52-20
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46951
+
+* Wed Oct 30 2024 liningjie <liningjie@xfusion.com> - 9.52-19
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46955
+
+* Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.52-18
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46956
+
+* Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.52-17
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46953
+
+* Tue Sep 24 2024 dillon chen <dillon.chen@gmail.com> - 9.52-16
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: fix CVE-2024-33871
+
 * Fri Aug 16 2024 zhangxianting <zhangxianting@uniontech.com> - 9.52-15
 - Type:CVE
 - ID:NA