Added security patch for CVE-2016-10220

Resolves: #1441571
This commit is contained in:
David Kaspar [Dee'Kej] 2017-04-28 13:11:59 +02:00
parent 007868af59
commit e76b7b9160
2 changed files with 55 additions and 0 deletions

View File

@ -0,0 +1,50 @@
From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 21 Dec 2016 16:54:14 +0000
Subject: [PATCH] fix crash with bad data supplied to makeimagedevice
Bug #697450 "Null pointer dereference in gx_device_finalize()"
The problem here is that the code to finalise a device unconditionally
frees the icc_struct member of the device structure. However this
particular (weird) device is not setup as a normal device, probably
because its very, very ancient. Its possible for the initialisation
of the device to abort with an error before calling gs_make_mem_device()
which is where the icc_struct member gets allocated (or set to NULL).
If that happens, then the cleanup code tries to free the device, which
calls finalize() which tries to free a garbage pointer.
Setting the device memory to 0x00 after we allocate it means that the
icc_struct member will be NULL< and our memory manager allows for that
happily enough, which avoids the problem.
---
base/gsdevmem.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/base/gsdevmem.c b/base/gsdevmem.c
index 97b9cf4..fe75bcc 100644
--- a/base/gsdevmem.c
+++ b/base/gsdevmem.c
@@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat,
if (pnew == 0)
return_error(gs_error_VMerror);
+
+ /* Bug #697450 "Null pointer dereference in gx_device_finalize()"
+ * If we have incorrect data passed to gs_initialise_wordimagedevice() then the
+ * initialisation will fail, crucially it will fail *before* it calls
+ * gs_make_mem_device() which initialises the device. This means that the
+ * icc_struct member will be uninitialsed, but the device finalise method
+ * will unconditionally free that memory. Since its a garbage pointer, bad things happen.
+ * Apparently we do still need makeimagedevice to be available from
+ * PostScript, so in here just zero the device memory, which means that
+ * the finalise routine won't have a problem.
+ */
+ memset(pnew, 0x00, st_device_memory.ssize);
code = gs_initialize_wordimagedevice(pnew, pmat, width, height,
colors, num_colors, word_oriented,
page_device, mem);
--
2.9.3

View File

@ -34,6 +34,7 @@ Patch13: ghostscript-9.20-cve-2017-7207.patch
Patch14: ghostscript-9.20-cve-2016-10217.patch
Patch15: ghostscript-9.20-cve-2016-10218.patch
Patch16: ghostscript-9.20-cve-2016-10219.patch
Patch17: ghostscript-9.20-cve-2016-10220.patch
Requires: %{name}-core%{?_isa} = %{version}-%{release}
Requires: %{name}-x11%{?_isa} = %{version}-%{release}
@ -171,6 +172,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib
# CVE-2016-10219 (bug #1441569):
%patch16 -p1
# CVE-2016-10220 (bug #1441571):
%patch17 -p1
# Convert manual pages to UTF-8
from8859_1() {
iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@ -372,6 +376,7 @@ rm -rf $RPM_BUILD_ROOT
- CVE-2016-10217 (bug #1441564)
- CVE-2016-10218 (bug #1441568)
- CVE-2016-10219 (bug #1441569)
- CVE-2016-10220 (bug #1441571)
* Thu Apr 06 2017 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.20-8
Added security fix for CVE-2017-7207 (bug #1434497)