ghostscript: Fix CVE-2025-27831

Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=bf79b61cb1677d6865c45d397435848a21e8a647 & https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=bf79b61cb1677d6865c45d397435848a21e8a647] (From OE-Core rev: 810795d2f1d7798c52675efd94917bf99fb940d0) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-07-19 21:09:03 +02:00 · 2025-04-08 16:27:17 +05:30 · 2025-04-08 16:27:17 +05:30 · 09870c8cce
commit 09870c8cce
parent d80ece64ab
3 changed files with 136 additions and 0 deletions
--- a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831-pre1.patch
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831-pre1.patch
@ -0,0 +1,50 @@
 Partial backport of:
 From bf79b61cb1677d6865c45d397435848a21e8a647 Mon Sep 17 00:00:00 2001
 From: Ken Sharp <ken.sharp@artifex.com>
 Date: Tue, 27 Sep 2022 13:03:57 +0100
 Subject: [PATCH] PCL interpreter - fix decode_glyph for Unicode
 The text extraction (and pdfwrite family) expect that decode_glyph
 should always return pairs of bytes (an assumption that Unicode code
 points are 2 bytes), and the return value from the routine should be
 the number of bytes required to hold the value.
 The PCL decode_glyph routine however was simply returning 1, which
 caused the text extraction code some difficulty since it wasn't
 expecting that.
 This commit firstly alters the text extraction code to cope 'better'
 with a decode_glyph routine which returns an odd value (basically
 ignore it and fall back to using the character code).
 We also alter the pl_decode_glyph routine to return 2 instead of 1,
 so that it correctly tells the caller that it is returning 2 bytes.
 Finally we make sure that the returned value is big-endian, because the
 text extraction code assumes it will be.
 Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=bf79b61cb1677d6865c45d397435848a21e8a647]
 CVE: CVE-2025-27831 #Dependency Patch
 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
 ---
 devices/vector/doc_common.c |  8 ++++++++
 pcl/pl/plfont.c             | 12 +++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)
 --- a/devices/vector/doc_common.c
 +++ b/devices/vector/doc_common.c
@@ -513,6 +513,14 @@ int txt_get_unicode(gx_device *dev, gs_f
         char *b, *u;
         int l = length - 1;
 +        /* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly
 +         * 2 bytes. If we got an odd number, give up and return the character code.
 +         */
 +        if (length & 1) {
 +            *Buffer = fallback;
 +            return 1;
 +        }
 +
         unicode = (ushort *)gs_alloc_bytes(dev->memory, length, "temporary Unicode array");
         length = font->procs.decode_glyph((gs_font *)font, glyph, ch, unicode, length);
 #if ARCH_IS_BIG_ENDIAN
--- a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831.patch
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831.patch
@ -0,0 +1,84 @@
 From d6e713dda4f8d75c6a4ed8c7568a0d4f532dcb17 Mon Sep 17 00:00:00 2001
 From: Zdenek Hutyra <zhutyra@centrum.cz>
 Date: Thu, 21 Nov 2024 10:04:17 +0000
 Subject: Prevent Unicode decoding overrun
 Bug #708132 "Text buffer overflow with long characters"
 The txt_get_unicode function was copying too few bytes from the
 fixed glyph name to unicode mapping tables. This was probably
 causing incorrect Unicode code points in relatively rare cases but
 not otherwise a problem.
 However, a badly formed GlyphNames2Unicode array attached to a font
 could cause the decoding to spill over the assigned buffer.
 We really should rewrite the Unicode handling, but until we do just
 checking that the length is no more than 4 Unicode code points is
 enough to prevent an overrun. All the current clients allocate at least
 4 code points per character code.
 Added a comment to explain the magic number.
 CVE-2025-27831
 Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=d6e713dda4f8d75c6a4ed8c7568a0d4f532dcb17]
 CVE: CVE-2025-27831
 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
 ---
 devices/vector/doc_common.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
 diff --git a/devices/vector/doc_common.c b/devices/vector/doc_common.c
 index 690f8eaed..05fb3d51f 100644
 --- a/devices/vector/doc_common.c
 +++ b/devices/vector/doc_common.c
@@ -479,7 +479,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
                     }
                     if (strlen(dentry->Glyph) == gnstr.size) {
                         if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) {
 -                            memcpy(Buffer, dentry->Unicode, 2);
 +                            memcpy(Buffer, dentry->Unicode, 2 * sizeof(unsigned short));
                             return 2;
                         }
                     }
@@ -497,7 +497,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
                     }
                     if (strlen(tentry->Glyph) == gnstr.size) {
                         if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) {
 -                            memcpy(Buffer, tentry->Unicode, 3);
 +                            memcpy(Buffer, tentry->Unicode, 3 * sizeof(unsigned short));
                             return 3;
                         }
                     }
@@ -515,7 +515,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
                     }
                     if (strlen(qentry->Glyph) == gnstr.size) {
                         if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) {
 -                            memcpy(Buffer, qentry->Unicode, 4);
 +                            memcpy(Buffer, qentry->Unicode, 4 * sizeof(unsigned short));
                             return 4;
                         }
                     }
@@ -527,12 +527,16 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
         return 1;
     } else {
         char *b, *u;
 -        int l = length - 1;
 +        int l;
         /* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly
          * 2 bytes. If we got an odd number, give up and return the character code.
 +         *
 +         * The magic number here is due to the clients calling this code. Currently txtwrite and docxwrite
 +         * allow up to 4 Unicode values per character/glyph, if the length would exceed that we can't
 +         * write it. For now, again, fall back to the character code.
          */
 -        if (length & 1) {
 +        if (length & 1 || length > 4 * sizeof(unsigned short)) {
             *Buffer = fallback;
             return 1;
         }
 -- 
 cgit v1.2.3
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@ -63,6 +63,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2024-46955.patch \
                file://CVE-2024-46956.patch \
                file://CVE-2025-27830.patch \
                file://CVE-2025-27831-pre1.patch \
                file://CVE-2025-27831.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \