ghostscript: CVE-2017-7207
The mem_get_bits_rectangle function in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PostScript document. Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7207 Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;h=309eca4e0a31ea70dcc844812691439312dad091 (From OE-Core rev: 0f22a27c2abd2f2dd9119681f139dd85dcb6479d) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
77de4e58bf
commit
6df3fde8e9
|
@ -0,0 +1,39 @@
|
||||||
|
From 0e88bee1304993668fede72498d656a2dd33a35e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ken Sharp <ken.sharp@artifex.com>
|
||||||
|
Date: Mon, 20 Mar 2017 09:34:11 +0000
|
||||||
|
Subject: [PATCH] Ensure a device has raster memory, before trying to read it.
|
||||||
|
|
||||||
|
Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"
|
||||||
|
|
||||||
|
This is only possible by abusing/mis-using Ghostscript-specific
|
||||||
|
language extensions, so cannot happen in a general PostScript program.
|
||||||
|
|
||||||
|
Nevertheless, Ghostscript should not crash. So this commit checks the
|
||||||
|
memory device to see if raster memory has been allocated, before trying
|
||||||
|
to read from it.
|
||||||
|
|
||||||
|
Upstream-Status: Backport
|
||||||
|
CVE: CVE-2017-7207
|
||||||
|
|
||||||
|
Author: Ken Sharp <ken.sharp@artifex.com>
|
||||||
|
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
|
||||||
|
---
|
||||||
|
base/gdevmem.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/base/gdevmem.c b/base/gdevmem.c
|
||||||
|
index 41108ba..183f96d 100644
|
||||||
|
--- a/base/gdevmem.c
|
||||||
|
+++ b/base/gdevmem.c
|
||||||
|
@@ -605,6 +605,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect,
|
||||||
|
GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
|
||||||
|
return_error(gs_error_rangecheck);
|
||||||
|
}
|
||||||
|
+ if (mdev->line_ptrs == 0x00)
|
||||||
|
+ return_error(gs_error_rangecheck);
|
||||||
|
if ((w <= 0) | (h <= 0)) {
|
||||||
|
if ((w | h) < 0)
|
||||||
|
return_error(gs_error_rangecheck);
|
||||||
|
--
|
||||||
|
2.10.2
|
||||||
|
|
|
@ -31,6 +31,7 @@ SRC_URI = "${SRC_URI_BASE} \
|
||||||
file://ghostscript-9.02-genarch.patch \
|
file://ghostscript-9.02-genarch.patch \
|
||||||
file://objarch.h \
|
file://objarch.h \
|
||||||
file://cups-no-gcrypt.patch \
|
file://cups-no-gcrypt.patch \
|
||||||
|
file://CVE-2017-7207.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI_class-native = "${SRC_URI_BASE} \
|
SRC_URI_class-native = "${SRC_URI_BASE} \
|
||||||
|
|
Loading…
Reference in New Issue