diff options
author | Joe Slater <jslater@windriver.com> | 2017-08-22 13:18:19 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-08-23 08:44:41 +0100 |
commit | 3e5d80c84f4c141bc3f3193d1db899b0e56993cf (patch) | |
tree | 1e7e34957199e621c0c91b2b69e58b7e530eed97 /meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch | |
parent | f5302b0ad2942f7705d46c33949ebc1c5ddf3f58 (diff) | |
download | openembedded-core-contrib-3e5d80c84f4c141bc3f3193d1db899b0e56993cf.tar.gz |
ghostscript: fix several CVEs by adding bounds checking
CVE-2017-9611
CVE-2017-9612
CVE-2017-9739
CVE-2017-9726
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch')
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch new file mode 100644 index 0000000000..58ef04d1fd --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch @@ -0,0 +1,34 @@ +From c7c55972758a93350882c32147801a3485b010fe Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Mon, 12 Jun 2017 13:08:40 +0100 +Subject: [PATCH] Bug 698024: bounds check zone pointer in Ins_MIRP() + +--- + base/ttinterp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- end of original header + +CVE: CVE-2017-9611 + +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Joe Slater <joe.slater@windriver.com> + +diff --git a/base/ttinterp.c b/base/ttinterp.c +index e56aec6..f6a6d95 100644 +--- a/base/ttinterp.c ++++ b/base/ttinterp.c +@@ -3858,7 +3858,8 @@ static int nInstrCount=0; + /* XXX: UNDOCUMENTED! cvt[-1] = 0 always */ + + if ( BOUNDS( args[0], CUR.zp1.n_points ) || +- BOUNDS( args[1]+1, CUR.cvtSize+1 ) ) ++ BOUNDS( args[1]+1, CUR.cvtSize+1 ) || ++ BOUNDS(CUR.GS.rp0, CUR.zp0.n_points) ) + { + CUR.error = TT_Err_Invalid_Reference; + return; +-- +1.7.9.5 + |