Acasă Explorează Ajutor
Autentificare
PUBLIC_REPOS
/
buildroot
oglindă de git://git.buildroot.net/buildroot
2
1
Bifurcare 0
Fisiere
Răsfoiți Sursa

package/ghostscript: fix CVE-2021-45944

Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in
sampled_data_sample (called from sampled_data_continue and interp).

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine 3 ani în urmă
părinte
488f92a1c3
comite
70910c4092
2 a modificat fișierele cu 55 adăugiri și 0 ștergeri
Vizualizare divizată Arată Statisticile Diff
  1. 52 0
      package/ghostscript/0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch
  2. 3 0
      package/ghostscript/ghostscript.mk

+ 52 - 0
package/ghostscript/0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch
Vizualizați fișierul 

@@ -0,0 +1,52 @@
 
+From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001
 
+From: Chris Liddell <chris.liddell@artifex.com>
 
+Date: Fri, 12 Feb 2021 10:34:23 +0000
 
+Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation.
 
+
 
+During function result sampling, after the callout to the Postscript
 
+interpreter, make sure there is enough stack space available before pushing
 
+or popping entries.
 
+
 
+In thise case, the Postscript procedure for the "function" is totally invalid
 
+(as a function), and leaves the op stack in an unrecoverable state (as far as
 
+function evaluation is concerned). We end up popping more entries off the
 
+stack than are available.
 
+
 
+To cope, add in stack limit checking to throw an appropriate error when this
 
+happens.
 
+
 
+[Retrieved from:
 
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7861fcad13c497728189feafb41cd57b5b50ea25]
 
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
 
+---
 
+ psi/zfsample.c | 14 +++++++++++---
 
+ 1 file changed, 11 insertions(+), 3 deletions(-)
 
+
 
+diff --git a/psi/zfsample.c b/psi/zfsample.c
 
+index 290809405..652ae02c6 100644
 
+--- a/psi/zfsample.c
 
++++ b/psi/zfsample.c
 
+@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
 
+     } else {
 
+         if (stack_depth_adjust) {
 
+             stack_depth_adjust -= num_out;
 
+-            push(O_STACK_PAD - stack_depth_adjust);
 
+-            for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
 
+-                make_null(op - i);
 
++            if ((O_STACK_PAD - stack_depth_adjust) < 0) {
 
++                stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
 
++                check_op(stack_depth_adjust);
 
++                pop(stack_depth_adjust);
 
++            }
 
++            else {
 
++                check_ostack(O_STACK_PAD - stack_depth_adjust);
 
++                push(O_STACK_PAD - stack_depth_adjust);
 
++                for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
 
++                    make_null(op - i);
 
++            }
 
+         }
 
+     }
 
+ 
+-- 
+2.25.1
 
+

+ 3 - 0
package/ghostscript/ghostscript.mk
Vizualizați fișierul 

@@ -24,6 +24,9 @@ GHOSTSCRIPT_DEPENDENCIES = \
 
 # 0002-Bug-704342-Include-device-specifier-strings-in-acces.patch
 
 GHOSTSCRIPT_IGNORE_CVES += CVE-2021-3781
 
 
+# 0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch
 
+GHOSTSCRIPT_IGNORE_CVES += CVE-2021-45944
 
+
 
 # Ghostscript includes (old) copies of several libraries, delete them.
 
 # Inspired by linuxfromscratch:
 
 # http://www.linuxfromscratch.org/blfs/view/svn/pst/gs.html