MIRRORS/poky
1
0
Fork 0
mirror of git://git.yoctoproject.org/poky.git synced 2025-07-19 21:09:03 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

ghostscript: fix CVE-2021-45949

Browse Source 
Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overflow in sampled_data_finish
(called from sampled_data_continue and interp).

To apply this CVE-2021-45959 patch,
the check-stack-limits-after-function-evalution.patch should be applied first.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-45949

(From OE-Core rev: 5fb43ed64ae32abe4488f2eb37c1b82f97f83db0)

(From OE-Core rev: 9b0199a1d8ec3c7bbfd2022932d524d61f2c6832)

Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Minjae Kim 2022-02-28 11:38:38 +08:00 committed by Richard Purdie
parent b2bd31b9cc
commit f8d05252d1
3 changed files with 118 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch Normal file
View File

@ -0,0 +1,65 @@
From 6643ff0cb837db3eade489ffff21e3e92eee2ae0 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Fri, 28 Jan 2022 08:21:19 +0000
Subject: [PATCH] [PATCH] Bug 703902: Fix op stack management in
sampled_data_continue()
Replace pop() (which does no checking, and doesn't handle stack extension
blocks) with ref_stack_pop() which does do all that.
We still use pop() in one case (it's faster), but we have to later use
ref_stack_pop() before calling sampled_data_sample() which also accesses the
op stack.
Fixes:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7]
CVE: CVE-2021-45949
Signed-off-by: Minjae Kim <flowergom@gmail.com>
---
psi/zfsample.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/psi/zfsample.c b/psi/zfsample.c
index 0023fa4..f84671f 100644
--- a/psi/zfsample.c
+++ b/psi/zfsample.c
@@ -534,14 +534,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
}
pop(num_out); /* Move op to base of result values */
-
+ /* From here on, we have to use ref_stack_pop() rather than pop()
+ so that it handles stack extension blocks properly, before calling
+ sampled_data_sample() which also uses the op stack.
+ */
/* Check if we are done collecting data. */
if (increment_cube_indexes(params, penum->indexes)) {
if (stack_depth_adjust == 0)
- pop(O_STACK_PAD); /* Remove spare stack space */
+ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
else
- pop(stack_depth_adjust - num_out);
+ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
/* Execute the closing procedure, if given */
code = 0;
if (esp_finish_proc != 0)
@@ -554,11 +557,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
if ((O_STACK_PAD - stack_depth_adjust) < 0) {
stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
check_op(stack_depth_adjust);
- pop(stack_depth_adjust);
+ ref_stack_pop(&o_stack, stack_depth_adjust);
}
else {
check_ostack(O_STACK_PAD - stack_depth_adjust);
- push(O_STACK_PAD - stack_depth_adjust);
+ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
make_null(op - i);
}
--
2.17.1

51
meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch Normal file
View File

@ -0,0 +1,51 @@
From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Fri, 12 Feb 2021 10:34:23 +0000
Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation.
During function result sampling, after the callout to the Postscript
interpreter, make sure there is enough stack space available before pushing
or popping entries.
In thise case, the Postscript procedure for the "function" is totally invalid
(as a function), and leaves the op stack in an unrecoverable state (as far as
function evaluation is concerned). We end up popping more entries off the
stack than are available.
To cope, add in stack limit checking to throw an appropriate error when this
happens.
Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25]
Signed-off-by: Minjae Kim <flowergom@gmail.com>
---
psi/zfsample.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/psi/zfsample.c b/psi/zfsample.c
index 290809405..652ae02c6 100644
--- a/psi/zfsample.c
+++ b/psi/zfsample.c
@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
} else {
if (stack_depth_adjust) {
stack_depth_adjust -= num_out;
- push(O_STACK_PAD - stack_depth_adjust);
- for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
- make_null(op - i);
+ if ((O_STACK_PAD - stack_depth_adjust) < 0) {
+ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
+ check_op(stack_depth_adjust);
+ pop(stack_depth_adjust);
+ }
+ else {
+ check_ostack(O_STACK_PAD - stack_depth_adjust);
+ push(O_STACK_PAD - stack_depth_adjust);
+ for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+ make_null(op - i);
+ }
}
}
--
2.25.1

2
meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
View File

@ -34,6 +34,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
file://avoid-host-contamination.patch \
file://mkdir-p.patch \
file://0001-Bug-704342-Include-device-specifier-strings-in-acces.patch \
file://check-stack-limits-after-function-evalution.patch \
file://CVE-2021-45949.patch \
"
SRC_URI = "${SRC_URI_BASE} \