packages/ghostscript
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!130 Fix CVE-2024-46955

Browse Source 
From: @li_ning_jie 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
This commit is contained in:
openeuler-ci-bot 2024-11-01 08:19:54 +00:00 committed by Gitee
commit f96ae72a76
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 67 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
backport-CVE-2024-46955.patch Normal file
View File

@ -0,0 +1,59 @@
From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Fri, 30 Aug 2024 13:11:53 +0100
Subject: [PATCH] PS interpreter - check Indexed colour space index
Bug #707990 "Out of bounds read when reading color in "Indexed" color space"
Check the 'index' is in the valid range (0 to hival) for the colour
space.
Also a couple of additional checks on the type of the 'proc' for
Indexed, DeviceN and Separation spaces. Make sure these really are
procs in case the user changed the colour space array.
CVE-2024-46955
---
psi/zcolor.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/psi/zcolor.c b/psi/zcolor.c
index c0d73c2..7d15ec7 100644
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -3629,6 +3629,7 @@ static int septransform(i_ctx_t *i_ctx_p, ref *sepspace, int *usealternate, int
code = array_get(imemory, sepspace, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*esp = proc;
return o_push_estack;
}
@@ -4450,6 +4451,7 @@ static int devicentransform(i_ctx_t *i_ctx_p, ref *devicenspace, int *usealterna
code = array_get(imemory, devicenspace, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*esp = proc;
return o_push_estack;
}
@@ -4865,6 +4867,7 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
code = array_get(imemory, space, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*ep = proc; /* lookup proc */
return o_push_estack;
} else {
@@ -4878,6 +4881,9 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
if (!r_has_type(op, t_integer))
return_error (gs_error_typecheck);
index = op->value.intval;
+ /* Ensure it is in range. See bug #707990 */
+ if (index < 0 || index > pcs->params.indexed.hival)
+ return_error(gs_error_rangecheck);
/* And remove it from the stack. */
ref_stack_pop(&o_stack, 1);
op = osp;
--
2.27.0

9
ghostscript.spec
View File

@ -9,7 +9,7 @@
Name: ghostscript Name: ghostscript
Version: 9.55.0 Version: 9.55.0
Release: 13 Release: 14
Summary: An interpreter for PostScript and PDF files Summary: An interpreter for PostScript and PDF files
License: AGPLv3+ License: AGPLv3+
URL: https://ghostscript.com/ URL: https://ghostscript.com/
@ -45,6 +45,7 @@ Patch17: Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch
Patch18: Bug-707510-fix-LIBIDN-usage.patch Patch18: Bug-707510-fix-LIBIDN-usage.patch
Patch19: backport-CVE-2024-46953.patch Patch19: backport-CVE-2024-46953.patch
Patch20: backport-CVE-2024-46956.patch Patch20: backport-CVE-2024-46956.patch
Patch21: backport-CVE-2024-46955.patch
BuildRequires: automake gcc BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -205,6 +206,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf %{_bindir}/dvipdf
%changelog %changelog
* Wed Oct 30 2024 liningjie <liningjie@xfusion.com> - 9.55.0-14
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2024-46955
* Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.55.0-13 * Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.55.0-13
- Type:CVE - Type:CVE
- ID:NA - ID:NA