diff options
author | Lee Chee Yang <chee.yang.lee@intel.com> | 2022-02-25 15:09:52 +0800 |
---|---|---|
committer | Anuj Mittal <anuj.mittal@intel.com> | 2022-03-07 10:32:15 +0800 |
commit | aebdb079eba5426253c5709e1ea20b97a302b556 (patch) | |
tree | 58ff6f7c7bd4ff5002f701b13666a6be59f2fda8 | |
parent | 4f4a32a7f9ab3306f0de26bedf6b77f3aba86cf4 (diff) | |
download | openembedded-core-contrib-aebdb079eba5426253c5709e1ea20b97a302b556.tar.gz |
ghostscript: fix CVE-2021-45949
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch | 68 | ||||
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb | 1 |
2 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch new file mode 100644 index 0000000000..8e4fd40932 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch @@ -0,0 +1,68 @@ +From 2a3129365d3bc0d4a41f107ef175920d1505d1f7 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Tue, 1 Jun 2021 19:57:16 +0100 +Subject: [PATCH] Bug 703902: Fix op stack management in + sampled_data_continue() + +Replace pop() (which does no checking, and doesn't handle stack extension +blocks) with ref_stack_pop() which does do all that. + +We still use pop() in one case (it's faster), but we have to later use +ref_stack_pop() before calling sampled_data_sample() which also accesses the +op stack. + +Fixes: +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 + +Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7] +CVE: CVE-2021-45949 +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> +--- + psi/zfsample.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/psi/zfsample.c b/psi/zfsample.c +index 0e8e4bc8d..00cd0cfdd 100644 +--- a/psi/zfsample.c ++++ b/psi/zfsample.c +@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + for (j = 0; j < bps; j++) + data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */ + } +- pop(num_out); /* Move op to base of result values */ + +- /* Check if we are done collecting data. */ ++ pop(num_out); /* Move op to base of result values */ + ++ /* From here on, we have to use ref_stack_pop() rather than pop() ++ so that it handles stack extension blocks properly, before calling ++ sampled_data_sample() which also uses the op stack. ++ */ ++ /* Check if we are done collecting data. */ + if (increment_cube_indexes(params, penum->indexes)) { + if (stack_depth_adjust == 0) +- pop(O_STACK_PAD); /* Remove spare stack space */ ++ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */ + else +- pop(stack_depth_adjust - num_out); ++ ref_stack_pop(&o_stack, stack_depth_adjust - num_out); + /* Execute the closing procedure, if given */ + code = 0; + if (esp_finish_proc != 0) +@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + if ((O_STACK_PAD - stack_depth_adjust) < 0) { + stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); + check_op(stack_depth_adjust); +- pop(stack_depth_adjust); ++ ref_stack_pop(&o_stack, stack_depth_adjust); + } + else { + check_ostack(O_STACK_PAD - stack_depth_adjust); +- push(O_STACK_PAD - stack_depth_adjust); ++ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust); + for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) + make_null(op - i); + } +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb index 59cc560cf8..d4442a4908 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb @@ -33,6 +33,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://do-not-check-local-libpng-source.patch \ file://avoid-host-contamination.patch \ file://mkdir-p.patch \ + file://CVE-2021-45949.patch \ " SRC_URI = "${SRC_URI_BASE} \ |