ghostscript: fix several CVEs by adding bounds checking

CVE-2017-9611
CVE-2017-9612
CVE-2017-9739
CVE-2017-9726

Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 33 insertions, 0 deletions

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch
new file mode 100644
index 0000000000..3e6c65699d
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch
@@ -0,0 +1,33 @@
+From 7755e67116e8973ee0e3b22d653df026a84fa01b Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 15 Jun 2017 08:58:31 +0100
+Subject: [PATCH] Bug 698055: bounds check zone pointer in Ins_MDRP
+
+---
+ base/ttinterp.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- end of original header
+
+CVE: CVE-2017-9726
+
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+diff --git a/base/ttinterp.c b/base/ttinterp.c
+index e7c9d68..af457e8 100644
+--- a/base/ttinterp.c
++++ b/base/ttinterp.c
+@@ -3770,7 +3770,8 @@ static int nInstrCount=0;
+ 
+     point = (Int)args[0];
+ 
+-    if ( BOUNDS( args[0], CUR.zp1.n_points ) )
++    if ( BOUNDS( args[0], CUR.zp1.n_points ) ||
++         BOUNDS( CUR.GS.rp0, CUR.zp0.n_points) )
+     {
+         /* Current version of FreeType silently ignores this out of bounds error
+          * and drops the instruction, see bug #691121
+-- 
+1.7.9.5
+