ghostscript/Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch

From 7745dbe24514710b0cfba925e608e607dee9eb0f Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 24 Jan 2024 18:25:12 +0000
Subject: [PATCH 3/7] Bug 707510(3): Bounds checks when using CIDFont related 
 params
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7745dbe24514

Specifically, for CIDFont substitution.
---
 pdf/ghostpdf.h |  1 +
 pdf/pdf_font.c | 16 +++++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/pdf/ghostpdf.h b/pdf/ghostpdf.h
index 3cc1b8c..47c34ec 100644
--- a/pdf/ghostpdf.h
+++ b/pdf/ghostpdf.h
@@ -117,6 +117,7 @@ typedef enum pdf_warning_e {
     W_PDF_INVALID_REAL,
     W_PDF_DEVICEN_USES_ALL,
     W_PDF_BAD_MEDIABOX,
+    W_PDF_BAD_CONFIG,
     W_PDF_MAX_WARNING               /* Must be last entry, add new warnings immediately before this and update pdf_warning_strings in ghostpdf.c */
 } pdf_warning;
 
diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
index 7fa8a42..c536130 100644
--- a/pdf/pdf_font.c
+++ b/pdf/pdf_font.c
@@ -166,9 +166,19 @@ pdfi_open_CIDFont_substitute_file(pdf_context * ctx, pdf_dict *font_dict, pdf_di
         code = 0;
 
         memcpy(fontfname, fsprefix, fsprefixlen);
-        memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
-        fontfname[fsprefixlen + defcidfallacklen] = '\0';
-
+        if (defcidfallacklen + 1 > gp_file_name_sizeof) {
+            code = gs_note_error(gs_error_rangecheck);
+            pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstPath parameter too long");
+            if (ctx->args.pdfstoponwarning != 0) {
+                return code;//goto exit;
+            }
+            code = 0;
+            memcpy(fontfname, fsprefix, fsprefixlen);
+        }
+        else {
+            memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
+            fontfname[fsprefixlen + defcidfallacklen] = '\0';
+        }
         code = pdfi_open_resource_file(ctx, fontfname, strlen(fontfname), &s);
         if (code >= 0) {
             sfseek(s, 0, SEEK_END);
-- 
2.43.0
fix CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511 (cherry picked from commit e4b5740a70d2cea87c7d4f5611d25692961d52e4) 2024-06-27 18:43:49 +08:00			`From 7745dbe24514710b0cfba925e608e607dee9eb0f Mon Sep 17 00:00:00 2001`
			`From: Chris Liddell <chris.liddell@artifex.com>`
			`Date: Wed, 24 Jan 2024 18:25:12 +0000`
Fix CVE-2024-29511 (cherry picked from commit a16cd73a024ed11badb2502b9c7889931a72406c) 2024-07-12 18:10:20 +08:00			`Subject: [PATCH 3/7] Bug 707510(3): Bounds checks when using CIDFont related`
fix CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511 (cherry picked from commit e4b5740a70d2cea87c7d4f5611d25692961d52e4) 2024-06-27 18:43:49 +08:00			`params`
Fix CVE-2024-29511 (cherry picked from commit a16cd73a024ed11badb2502b9c7889931a72406c) 2024-07-12 18:10:20 +08:00			`https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7745dbe24514`
fix CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511 (cherry picked from commit e4b5740a70d2cea87c7d4f5611d25692961d52e4) 2024-06-27 18:43:49 +08:00
			`Specifically, for CIDFont substitution.`
			`---`
			`pdf/ghostpdf.h \| 1 +`
			`pdf/pdf_font.c \| 16 +++++++++++++---`
			`2 files changed, 14 insertions(+), 3 deletions(-)`

			`diff --git a/pdf/ghostpdf.h b/pdf/ghostpdf.h`
			`index 3cc1b8c..47c34ec 100644`
			`--- a/pdf/ghostpdf.h`
			`+++ b/pdf/ghostpdf.h`
			`@@ -117,6 +117,7 @@ typedef enum pdf_warning_e {`
			`W_PDF_INVALID_REAL,`
			`W_PDF_DEVICEN_USES_ALL,`
			`W_PDF_BAD_MEDIABOX,`
			`+ W_PDF_BAD_CONFIG,`
			`W_PDF_MAX_WARNING /* Must be last entry, add new warnings immediately before this and update pdf_warning_strings in ghostpdf.c */`
			`} pdf_warning;`

			`diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c`
			`index 7fa8a42..c536130 100644`
			`--- a/pdf/pdf_font.c`
			`+++ b/pdf/pdf_font.c`
			`@@ -166,9 +166,19 @@ pdfi_open_CIDFont_substitute_file(pdf_context * ctx, pdf_dict *font_dict, pdf_di`
			`code = 0;`

			`memcpy(fontfname, fsprefix, fsprefixlen);`
			`- memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);`
			`- fontfname[fsprefixlen + defcidfallacklen] = '\0';`
			`-`
			`+ if (defcidfallacklen + 1 > gp_file_name_sizeof) {`
			`+ code = gs_note_error(gs_error_rangecheck);`
			`+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstPath parameter too long");`
			`+ if (ctx->args.pdfstoponwarning != 0) {`
			`+ return code;//goto exit;`
			`+ }`
			`+ code = 0;`
			`+ memcpy(fontfname, fsprefix, fsprefixlen);`
			`+ }`
			`+ else {`
			`+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);`
			`+ fontfname[fsprefixlen + defcidfallacklen] = '\0';`
			`+ }`
			`code = pdfi_open_resource_file(ctx, fontfname, strlen(fontfname), &s);`
			`if (code >= 0) {`
			`sfseek(s, 0, SEEK_END);`
			`--`
			`2.43.0`