Blame SOURCES/ghostscript-cve-2018-19477.patch
|
 |
7c5933 |
From: Ken Sharp <ken.sharp@artifex.com>
|
|
|
7c5933 |
Date: Wed, 14 Nov 2018 09:27:00 +0000 (+0000)
|
|
|
7c5933 |
Subject: Bug #700168 - add a type check
|
|
|
7c5933 |
|
|
|
7c5933 |
Bug #700168 - add a type check
|
|
|
7c5933 |
|
|
|
7c5933 |
Bug #700168 "Type confusion in JBIG2Decode"
|
|
|
7c5933 |
|
|
|
7c5933 |
The code was assuming that .jbig2globalctx was a structure allocated
|
|
|
7c5933 |
by the graphics library, without checking.
|
|
|
7c5933 |
|
|
|
7c5933 |
Add a check to see that it is a structure and that its the correct
|
|
|
7c5933 |
type of structure.
|
|
|
7c5933 |
|
|
|
7c5933 |
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ef252e7dc214bcbd9a2539216aab9202848602bb
|
|
|
7c5933 |
---
|
|
|
7c5933 |
|
|
|
7c5933 |
diff -up ghostscript-9.07/psi/zfjbig2.c.cve-2018-19477 ghostscript-9.07/psi/zfjbig2.c
|
|
|
7c5933 |
--- ghostscript-9.07/psi/zfjbig2.c.cve-2018-19477 2019-01-15 10:36:23.973538520 +0100
|
|
|
7c5933 |
+++ ghostscript-9.07/psi/zfjbig2.c 2019-01-15 10:37:16.897897568 +0100
|
|
|
7c5933 |
@@ -72,6 +72,8 @@ z_jbig2decode(i_ctx_t * i_ctx_p)
|
|
|
7c5933 |
if (r_has_type(op, t_dictionary)) {
|
|
|
7c5933 |
check_dict_read(*op);
|
|
|
7c5933 |
if ( dict_find_string(op, ".jbig2globalctx", &sop) > 0) {
|
|
|
7c5933 |
+ if (!r_is_struct(sop) || !r_has_stype(sop, imemory, st_jbig2_global_data_t))
|
|
|
7c5933 |
+ return_error(gs_error_typecheck);
|
|
|
7c5933 |
gref = r_ptr(sop, s_jbig2_global_data_t);
|
|
|
7c5933 |
s_jbig2decode_set_global_data((stream_state*)&state, gref);
|
|
|
7c5933 |
}
|