ghostscript: Fix CVE-2025-27830

Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8474e1d6b896e35741d3c608ea5c21deeec1078f] (From OE-Core rev: bc74ad209b243b131ea5467b871339f1773ba64b) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-07-19 21:09:03 +02:00 · 2025-04-08 16:27:16 +05:30 · 2025-04-08 16:27:16 +05:30 · d80ece64ab
commit d80ece64ab
parent 57c7ce9193
2 changed files with 80 additions and 0 deletions
--- a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch
@ -0,0 +1,79 @@
+From 8474e1d6b896e35741d3c608ea5c21deeec1078f Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 13 Jan 2025 09:15:01 +0000
+Subject: [PATCH] Bug 708241: Fix potential Buffer overflow with DollarBlend
+
+During serializing a multiple master font for passing to Freetype.
+
+Use CVE-2025-27830
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8474e1d6b896e35741d3c608ea5c21deeec1078f]
+CVE: CVE-2025-27830
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/write_t1.c | 7 ++++---
+ psi/zfapi.c     | 9 +++++++--
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/base/write_t1.c b/base/write_t1.c
+index 52902be..d6b2454 100644
+--- a/base/write_t1.c
+++ b/base/write_t1.c
+@@ -628,6 +628,7 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
+     WRF_wbyte(a_fapi_font->memory, a_output, '\n');
+     if (is_MM_font(a_fapi_font)) {
+         short x, x2;
+        unsigned short ux;
+         float x1;
+         uint i, j, entries;
+         char Buffer[255];
+@@ -759,16 +760,16 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
+          */
+         code = a_fapi_font->get_word(a_fapi_font,
+                                    gs_fapi_font_feature_DollarBlend_length,
+-                                   0, (unsigned short *)&x);
+                                   0, &ux);
+         if (code < 0)
+             return code;
+ 
+-        if (x > 0) {
+        if (ux > 0) {
+             int len;
+             WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {");
+ 
+             if (a_output->m_count)
+-                a_output->m_count += x;
+                a_output->m_count += ux;
+             len = a_fapi_font->get_proc(a_fapi_font,
+                                       gs_fapi_font_feature_DollarBlend, 0,
+                                       (char *)a_output->m_pos);
+diff --git a/psi/zfapi.c b/psi/zfapi.c
+index 0b3ab1c..1ffef47 100644
+--- a/psi/zfapi.c
+++ b/psi/zfapi.c
+@@ -682,7 +682,7 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
+                 }
+                 for (i = 0; i < r_size(DBlend); i++) {
+                     if (array_get(ff->memory, DBlend, i, &Element) < 0) {
+-                        *ret = 0;
+                        length = 0;
+                         break;
+                     }
+                     switch (r_btype(&Element)) {
+@@ -709,7 +709,12 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
+                         default:
+                             break;
+                     }
+-                }
+
+		    if (length > max_ushort) {
+			length = 0;
+			break;
+                    }
+		}
+                 *ret = length;
+                 break;
+             }
+-- 
+2.25.1
+
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@ -62,6 +62,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2024-46953.patch \
                file://CVE-2024-46955.patch \
                file://CVE-2024-46956.patch \
+                file://CVE-2025-27830.patch \
 "

 SRC_URI = "${SRC_URI_BASE} \