Fix CVE-2025-27830, CVE-2025-27832, CVE-2025-27834, CVE-2025-27835, CVE-2025-27836

2025-03-28 12:57:52 +08:00 · 2025-03-28 12:57:52 +08:00 · d20a0b2d7b
commit d20a0b2d7b
parent 8e00c41c96
9 changed files with 420 additions and 158 deletions
--- a/backport-CVE-2025-27830.patch
+++ b/backport-CVE-2025-27830.patch
@ -0,0 +1,72 @@
 From dc17ab3fe8cd43eeaf3f2da9bcaa30a2be69e57b Mon Sep 17 00:00:00 2001
 From: Zdenek Hutyra <zhutyra@centrum.cz>
 Date: Mon, 13 Jan 2025 09:15:01 +0000
 Subject: Bug 708241: Fix potential Buffer overflow with DollarBlend
 During serializing a multiple master font for passing to Freetype.
 Use CVE-2025-27830
 ---
 base/write_t1.c | 9 +++++----
 psi/zfapi.c     | 9 +++++++--
 2 files changed, 12 insertions(+), 6 deletions(-)
 diff --git a/base/write_t1.c b/base/write_t1.c
 index 50af7ea..1b17aae 100644
 --- a/base/write_t1.c
 +++ b/base/write_t1.c
@@ -628,6 +628,7 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
     WRF_wbyte(a_fapi_font->memory, a_output, '\n');
     if (is_MM_font(a_fapi_font)) {
         short x, x2;
 +        unsigned short ux;
         float x1;
         uint i, j, entries;
         char Buffer[255];
@@ -759,16 +760,16 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
          */
         code = a_fapi_font->get_word(a_fapi_font,
                                    gs_fapi_font_feature_DollarBlend_length,
 -                                   0, (unsigned short *)&x);
 +                                   0, &ux);
         if (code < 0)
             return code;
 -        if (x > 0) {
 +        if (ux > 0) {
             int len;
             WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {");
             if (a_output->m_count)
 -                a_output->m_count += x;
 +                a_output->m_count += ux;
             len = a_fapi_font->get_proc(a_fapi_font,
                                       gs_fapi_font_feature_DollarBlend, 0,
                                       (char *)a_output->m_pos);
 diff --git a/psi/zfapi.c b/psi/zfapi.c
 index 6927e60..05bf9dc 100644
 --- a/psi/zfapi.c
 +++ b/psi/zfapi.c
@@ -683,7 +683,7 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
                 }
                 for (i = 0; i < r_size(DBlend); i++) {
                     if (array_get(ff->memory, DBlend, i, &Element) < 0) {
 -                        *ret = 0;
 +                        length = 0;
                         break;
                     }
                     switch (r_btype(&Element)) {
@@ -710,7 +710,12 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
                         default:
                             break;
                     }
 -                }
 +
 +                    if (length > max_ushort) {
 +                        length = 0;
 +                        break;
 +                    }
 +                 }
                 *ret = length;
                 break;
             }
--- a/backport-CVE-2025-27832.patch
+++ b/backport-CVE-2025-27832.patch
@ -0,0 +1,41 @@
 From 36ac25fca7ba65a2a24d96d553e8dd63990210b9 Mon Sep 17 00:00:00 2001
 From: Zdenek Hutyra <zhutyra@centrum.cz>
 Date: Wed, 20 Nov 2024 11:42:31 +0000
 Subject: Bug 708133: Avoid integer overflow leading to buffer overflow
 The calculation of the buffer size was being done with int values, and
 overflowing that data type. By leaving the total size calculation to the
 memory manager, the calculation ends up being done in size_t values, and
 avoiding the overflow in this case, but also meaning the memory manager
 overflow protection will be effective.
 CVE-2025-27832
 ---
 contrib/japanese/gdevnpdl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
 index 60065bacf..4967282bd 100644
 --- a/contrib/japanese/gdevnpdl.c
 +++ b/contrib/japanese/gdevnpdl.c
@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
     int code;
     int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
 -    if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
 +    if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
         return_error(gs_error_VMerror);
         /* Initialize printer */
@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
     /* Form Feed */
     gp_fputs("\014", prn_stream);
 -    gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
 +    gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
     return 0;
 }
 -- 
 cgit v1.2.3
--- a/backport-CVE-2025-27834.patch
+++ b/backport-CVE-2025-27834.patch
@ -0,0 +1,49 @@
 From 3885f8307726fa7611b39fa1376403406bdbd55c Mon Sep 17 00:00:00 2001
 From: Zdenek Hutyra <zhutyra@centrum.cz>
 Date: Mon, 20 Jan 2025 16:13:46 +0000
 Subject: PDF interpreter - Guard against unsigned int overflow
 Bug #708253 - see bug report for details.
 CVE-2025-27834
 ---
 pdf/pdf_func.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 diff --git a/pdf/pdf_func.c b/pdf/pdf_func.c
 index 9b7d5bb..9fba5e1 100644
 --- a/pdf/pdf_func.c
 +++ b/pdf/pdf_func.c
@@ -153,6 +153,8 @@ pdfi_parse_type4_func_stream(pdf_context *ctx, pdf_c_stream *function_stream, in
     byte *p = (ops ? ops + *size : NULL);
     do {
 +        if (*size > max_uint / 2)
 +            return gs_note_error(gs_error_VMerror);
         code = pdfi_read_bytes(ctx, &c, 1, 1, function_stream);
         if (code < 0)
             break;
@@ -318,6 +320,11 @@ pdfi_build_function_4(pdf_context *ctx, gs_function_params_t * mnDR,
     if (code < 0)
         goto function_4_error;
 +    if (size > max_uint - 1) {
 +        code = gs_note_error(gs_error_VMerror);
 +        goto function_4_error;
 +    }
 +
     ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_function_4(ops)");
     if (ops == NULL) {
         code = gs_error_VMerror;
@@ -816,6 +823,11 @@ int pdfi_build_halftone_function(pdf_context *ctx, gs_function_t ** ppfn, byte *
     if (code < 0)
         goto halftone_function_error;
 +    if (size > max_uint - 1) {
 +        code = gs_note_error(gs_error_VMerror);
 +        goto halftone_function_error;
 +    }
 +
     ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_halftone_function(ops)");
     if (ops == NULL) {
         code = gs_error_VMerror;
--- a/backport-CVE-2025-27835.patch
+++ b/backport-CVE-2025-27835.patch
@ -0,0 +1,30 @@
 From 920fae688705b3a25a1f8925f3837219a6243565 Mon Sep 17 00:00:00 2001
 From: Zdenek Hutyra <zhutyra@centrum.cz>
 Date: Wed, 20 Nov 2024 11:27:52 +0000
 Subject: Bug 708131: Fix confusion between bytes and shorts
 We were copying data from a string in multiple of shorts, rather than multiple
 of bytes, leading to both an read (probably benign, given the memory manager)
 and write buffer overflow.
 CVE-2025-27835
 ---
 psi/zbfont.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/psi/zbfont.c b/psi/zbfont.c
 index acffb39ef..5850ab54d 100644
 --- a/psi/zbfont.c
 +++ b/psi/zbfont.c
@@ -253,7 +253,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u
                     if (l > length)
                         return l;
 -                    memcpy(unicode_return, v->value.const_bytes, l * sizeof(short));
 +                    memcpy(unicode_return, v->value.const_bytes, l);
                     return l;
                 }
                 if (r_type(v) == t_integer) {
 -- 
 cgit v1.2.3
--- a/backport-CVE-2025-27836.patch
+++ b/backport-CVE-2025-27836.patch
@ -0,0 +1,60 @@
 From db77f4c0ce0298625f75059cb6b8c31e61350753 Mon Sep 17 00:00:00 2001
 From: Zdenek Hutyra <zhutyra@centrum.cz>
 Date: Mon, 13 Jan 2025 09:07:57 +0000
 Subject: Bug 708192: Fix potential print buffer overflow
 CVE-2025-27836
 ---
 contrib/japanese/gdev10v.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
 diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
 index 0bd3cec02..9d27573dc 100644
 --- a/contrib/japanese/gdev10v.c
 +++ b/contrib/japanese/gdev10v.c
@@ -199,17 +199,25 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream)
         int bytes_per_column = bits_per_column / 8;
         int x_skip_unit = bytes_per_column * (xres / 180);
         int y_skip_unit = (yres / 180);
 -        byte *in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
 -        /* We need one extra byte in <out> for our sentinel. */
 -        byte *out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
 +        byte *in, *out;
         int lnum = 0;
         int y_skip = 0;
         int code = 0;
         int blank_lines = 0;
         int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3;
 -        if ( in == 0 || out == 0 )
 -                return -1;
 +        if (bits_per_column == 0 || line_size > (max_int - 1) / bits_per_column) {
 +            code = gs_note_error(gs_error_rangecheck);
 +            goto error;
 +        }
 +
 +        in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
 +        /* We need one extra byte in <out> for our sentinel. */
 +        out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
 +        if ( in == NULL || out == NULL ) {
 +            code = gs_note_error(gs_error_VMerror);
 +            goto error;
 +        }
         /* Initialize the printer. */
         prn_puts(pdev, "\033@");
@@ -320,8 +328,10 @@ notz:
            }
         /* Eject the page */
 -xit:	prn_putc(pdev, 014);	/* form feed */
 +xit:
 +        prn_putc(pdev, 014); /* form feed */
         prn_flush(pdev);
 +error:
         gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
         gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
         return code;
 -- 
 cgit v1.2.3
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -9,7 +9,7 @@
 Name:             ghostscript
 Version:          9.55.0
-Release:          17
+Release:          18
 Summary:          An interpreter for PostScript and PDF files
 License:          AGPLv3+
 URL:              https://ghostscript.com/
@ -41,14 +41,18 @@ Patch15:  Bug-707510-review-printing-of-pointers.patch
 # CVE-2024-29511
 Patch16:  Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch
 Patch17:  Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch
 Patch18:  Bug-707510-fix-LIBIDN-usage.patch
-Patch19:   backport-CVE-2024-46953.patch
+Patch19:  fix-CVE-2024-33871.patch
-Patch20:   backport-CVE-2024-46956.patch
+Patch20:    backport-CVE-2024-46953.patch
-Patch21:   backport-CVE-2024-46955.patch
+Patch21:    backport-CVE-2024-46956.patch
-Patch22:   backport-CVE-2024-46951.patch
+Patch22:    backport-CVE-2024-46955.patch
-Patch23:   backport-CVE-2024-46952.patch
+Patch23:    backport-CVE-2024-46951.patch
-Patch24:   fix-CVE-2024-33871.patch
+Patch24:    backport-CVE-2024-46952.patch
 Patch25:    backport-CVE-2025-27830.patch
 Patch26:    backport-CVE-2025-27832.patch
 Patch27:    backport-CVE-2025-27834.patch
 Patch28:    backport-CVE-2025-27835.patch
 Patch39:    backport-CVE-2025-27836.patch
 BuildRequires:    automake gcc
 BuildRequires:    adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -209,6 +213,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 %changelog
 * Thu Mar 27 2025 Funda Wang <fundawang@yeah.net> - 9.55.0-18
 - Type:CVE
 - ID:NA
 - SUG:NA
 - DECS: Fix CVE-2025-27830, CVE-2025-27832, CVE-2025-27834, CVE-2025-27835, CVE-2025-27836
 * Mon Nov 18 2024 liningjie <liningjie@xfusion.com> - 9.55.0-17
 - Type:CVE
 - ID:NA