rpms/ghostscript
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

- Applied patch to fix CVE-2009-0792 (bug #491853).

Browse Source 
- Applied patch to fix CVE-2009-0196 (bug #493379).
- Applied patch to fix CVE-2008-6679 (bug #493445).
This commit is contained in:
Tim Waugh 2009-04-15 16:07:40 +00:00
parent 43fdf5458f
commit d7b61390b6
4 changed files with 215 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ghostscript-CVE-2008-6679.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up ghostscript-8.63/src/gdevpdtb.c.CVE-2008-6679 ghostscript-8.63/src/gdevpdtb.c
--- ghostscript-8.63/src/gdevpdtb.c.CVE-2008-6679 2008-04-04 09:53:57.000000000 +0100
+++ ghostscript-8.63/src/gdevpdtb.c 2009-04-15 16:43:11.000000000 +0100
@@ -133,7 +133,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev,
&st_pdf_base_font, "pdf_base_font_alloc");
const gs_font_name *pfname = &font->font_name;
gs_const_string font_name;
- char fnbuf[3 + sizeof(long) / 3 + 1]; /* .F#######\0 */
+ char fnbuf[2*sizeof(long) + 3]; /* .F########\0 */
int code;
if (pbfont == 0)

19
ghostscript-CVE-2009-0196.patch Normal file
View File

@ -0,0 +1,19 @@
diff -up ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196 ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c
--- ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196 2007-12-11 08:29:58.000000000 +0000
+++ ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c 2009-04-15 16:40:13.000000000 +0100
@@ -699,6 +699,15 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
exrunlength = params->SDNUMEXSYMS;
else
code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
+ if (exrunlength > params->SDNUMEXSYMS - j) {
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+ "runlength too large in export symbol table (%d > %d - %d)\n",
+ exrunlength, params->SDNUMEXSYMS, j);
+ jbig2_sd_release(ctx, SDEXSYMS);
+ /* skip to the cleanup code and return SDEXSYMS = NULL */
+ SDEXSYMS = NULL;
+ break;
+ }
for(k = 0; k < exrunlength; k++)
if (exflag) {
SDEXSYMS->glyphs[j++] = (i < m) ?

166
ghostscript-CVE-2009-0792.patch Normal file
View File

@ -0,0 +1,166 @@
diff -up ghostscript-8.63/icclib/icc.c.CVE-2009-0792 ghostscript-8.63/icclib/icc.c
--- ghostscript-8.63/icclib/icc.c.CVE-2009-0792 2009-04-15 16:37:49.000000000 +0100
+++ ghostscript-8.63/icclib/icc.c 2009-04-15 16:38:00.000000000 +0100
@@ -2982,7 +2982,7 @@ static int icmCurve_lookup_fwd(
rv |= 1;
}
ix = (int)floor(val); /* Coordinate */
- if (ix > (p->size-2))
+ if (ix < 0 || ix > (p->size-2))
ix = (p->size-2);
w = val - (double)ix; /* weight */
val = p->data[ix];
@@ -3004,6 +3004,11 @@ static int icmTable_setup_bwd(
) {
int i;
+ if (size > INT_MAX - 2)
+ /* Although rt->size is unsigned long, the rt data
+ * structure uses int data types to store indices. */
+ return 2;
+
rt->size = size; /* Stash pointers to these away */
rt->data = data;
@@ -3022,7 +3027,7 @@ static int icmTable_setup_bwd(
rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin); /* Scale factor to quantize to */
/* Initialize the reverse lookup structures, and get overall min/max */
- if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) {
+ if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) {
return 2;
}
@@ -3035,6 +3040,15 @@ static int icmTable_setup_bwd(
int t;
t = s; s = e; e = t;
}
+ /* s and e should both be in the range [0,rt->rsize]
+ * now, but let's not rely on floating point
+ * calculations -- double-check. */
+ if (s < 0)
+ s = 0;
+ if (e < 0)
+ e = 0;
+ if (s >= rt->rsize)
+ s = rt->rsize-1;
if (e >= rt->rsize)
e = rt->rsize-1;
@@ -3053,6 +3067,9 @@ static int icmTable_setup_bwd(
as = rt->rlists[j][0]; /* Allocate space for this list */
nf = rt->rlists[j][1]; /* Next free location in list */
if (nf >= as) { /* need to expand space */
+ if (as > INT_MAX / 2 / sizeof (int))
+ return 2;
+
as *= 2;
rt->rlists[j] = (int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as);
if (rt->rlists[j] == NULL) {
@@ -3104,7 +3121,7 @@ static int icmTable_lookup_bwd(
val = rsize_1;
ix = (int)floor(val); /* Coordinate */
- if (ix > (rt->size-2))
+ if (ix < 0 || ix > (rt->size-2))
ix = (rt->size-2);
if (rt->rlists[ix] != NULL) { /* There is a list of fwd candidates */
/* For each candidate forward range */
@@ -3131,6 +3148,7 @@ static int icmTable_lookup_bwd(
/* We have failed to find an exact value, so return the nearest value */
/* (This is slow !) */
val = fabs(ival - rt->data[0]);
+ /* rt->size is known to be < INT_MAX */
for (k = 0, i = 1; i < rt->size; i++) {
double er;
er = fabs(ival - rt->data[i]);
@@ -3671,7 +3689,7 @@ static int icmData_allocate(
if (p->size != p->_size) {
if (p->data != NULL)
icp->al->free(icp->al, p->data);
- if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) {
+ if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) {
sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed");
return icp->errc = 2;
}
@@ -3887,7 +3905,7 @@ static int icmText_allocate(
if (p->size != p->_size) {
if (p->data != NULL)
icp->al->free(icp->al, p->data);
- if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+ if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed");
return icp->errc = 2;
}
@@ -4301,7 +4319,7 @@ double *in /* Input array[inputChan] */
rv |= 1;
}
ix = (int)floor(val); /* Grid coordinate */
- if (ix > (p->inputEnt-2))
+ if (ix < 0 || ix > (p->inputEnt-2))
ix = (p->inputEnt-2);
w = val - (double)ix; /* weight */
val = table[ix];
@@ -4360,7 +4378,7 @@ double *in /* Input array[outputChan] *
rv |= 1;
}
x = (int)floor(val); /* Grid coordinate */
- if (x > clutPoints_2)
+ if (x < 0 || x > clutPoints_2)
x = clutPoints_2;
co[e] = val - (double)x; /* 1.0 - weight */
gp += x * p->dinc[e]; /* Add index offset for base of cube */
@@ -4433,7 +4451,7 @@ double *in /* Input array[outputChan] *
rv |= 1;
}
x = (int)floor(val); /* Grid coordinate */
- if (x > clutPoints_2)
+ if (x < 0 || x > clutPoints_2)
x = clutPoints_2;
co[e] = val - (double)x; /* 1.0 - weight */
gp += x * p->dinc[e]; /* Add index offset for base of cube */
@@ -4506,7 +4524,7 @@ double *in /* Input array[outputChan] *
rv |= 1;
}
ix = (int)floor(val); /* Grid coordinate */
- if (ix > (p->outputEnt-2))
+ if (ix < 0 || ix > (p->outputEnt-2))
ix = (p->outputEnt-2);
w = val - (double)ix; /* weight */
val = table[ix];
@@ -6714,7 +6732,7 @@ static int icmTextDescription_allocate(
if (p->size != p->_size) {
if (p->desc != NULL)
icp->al->free(icp->al, p->desc);
- if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+ if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed");
return icp->errc = 2;
}
@@ -7888,7 +7906,7 @@ static int icmUcrBg_allocate(
if (p->size != p->_size) {
if (p->string != NULL)
icp->al->free(icp->al, p->string);
- if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+ if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed");
return icp->errc = 2;
}
@@ -8827,7 +8845,7 @@ static int icmCrdInfo_allocate(
if (p->ppsize != p->_ppsize) {
if (p->ppname != NULL)
icp->al->free(icp->al, p->ppname);
- if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) {
+ if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) {
sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed");
return icp->errc = 2;
}
@@ -8837,7 +8855,7 @@ static int icmCrdInfo_allocate(
if (p->crdsize[t] != p->_crdsize[t]) {
if (p->crdname[t] != NULL)
icp->al->free(icp->al, p->crdname[t]);
- if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) {
+ if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) {
sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t);
return icp->errc = 2;
}

19
ghostscript.spec
View File

@ -5,7 +5,7 @@ Summary: A PostScript(TM) interpreter and renderer.
Name: ghostscript
Version: %{gs_ver}
Release: 5%{?dist}
Release: 6%{?dist}
License: GPLv2
URL: http://www.ghostscript.com/
@ -22,6 +22,9 @@ Patch5: ghostscript-runlibfileifexists.patch
Patch6: ghostscript-system-jasper.patch
Patch7: ghostscript-pksmraw.patch
Patch8: ghostscript-CVE-2009-0583,0584.patch
Patch9: ghostscript-CVE-2009-0792.patch
Patch10: ghostscript-CVE-2009-0196.patch
Patch11: ghostscript-CVE-2008-6679.patch
Requires: urw-fonts >= 1.1, ghostscript-fonts
BuildRequires: libjpeg-devel, libXt-devel
@ -109,6 +112,15 @@ rm -rf libpng zlib jpeg jasper
# (bug #487744).
%patch8 -p1 -b .CVE-2009-0583,0584
# Applied patch to fix CVE-2009-0792 (bug #491853).
%patch9 -p1 -b .CVE-2009-0792
# Applied patch to fix CVE-2009-0196 (bug #493379).
%patch10 -p1 -b .CVE-2009-0196
# Applied patch to fix CVE-2008-6679 (bug #493445).
%patch11 -p1 -b .CVE-2008-6679
# Convert manual pages to UTF-8
from8859_1() {
iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@ -293,6 +305,11 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/libgs.so
%changelog
* Wed Apr 15 2009 Tim Waugh <twaugh@redhat.com> 8.63-6
- Applied patch to fix CVE-2009-0792 (bug #491853).
- Applied patch to fix CVE-2009-0196 (bug #493379).
- Applied patch to fix CVE-2008-6679 (bug #493445).
* Fri Mar 20 2009 Tim Waugh <twaugh@redhat.com> 8.63-5
- Applied patch to fix CVE-2009-0583 (bug #487742) and CVE-2009-0584
(bug #487744).