Blame SOURCES/ghostscript-cve-2020-16301.patch

6bda8e
From f54414c8b15b2c27d1dcadd92cfe84f6d15f18dc Mon Sep 17 00:00:00 2001
6bda8e
From: Julian Smith <jules@op59.net>
6bda8e
Date: Thu, 31 Oct 2019 13:12:47 +0000
6bda8e
Subject: [PATCH] Bug 701808: return error from okiibm_print_page1() if x_dpi
6bda8e
 too high.
6bda8e
6bda8e
Avoids asan error in:
6bda8e
    ./sanbin/gs -dBATCH -dNOPAUSE -dSAFER -r599 -sOutputFile=tmp -sDEVICE=okiibm ../bug-701808.pdf
6bda8e
---
6bda8e
 devices/gdevokii.c | 46 ++++++++++++++++++++++++++++++++--------------
6bda8e
 1 file changed, 32 insertions(+), 14 deletions(-)
6bda8e
6bda8e
diff --git a/devices/gdevokii.c b/devices/gdevokii.c
6bda8e
index d8929a22c..97a1c3b88 100644
6bda8e
--- a/devices/gdevokii.c
6bda8e
+++ b/devices/gdevokii.c
6bda8e
@@ -96,23 +96,41 @@ okiibm_print_page1(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high
6bda8e
         -1, 0 /*60*/, 1 /*120*/, -1, 3 /*240*/
6bda8e
         };
6bda8e
 
6bda8e
-        int in_y_mult = (y_9pin_high ? 2 : 1);
6bda8e
-        int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
6bda8e
-        /* Note that in_size is a multiple of 8. */
6bda8e
-        int in_size = line_size * (8 * in_y_mult);
6bda8e
-        byte *buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf1)");
6bda8e
-        byte *buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf2)");
6bda8e
-        byte *in = buf1;
6bda8e
-        byte *out = buf2;
6bda8e
-        int out_y_mult = 1;
6bda8e
-        int x_dpi = pdev->x_pixels_per_inch;
6bda8e
-        char start_graphics = graphics_modes_9[x_dpi / 60];
6bda8e
-        int first_pass = (start_graphics == 3 ? 1 : 0);
6bda8e
-        int last_pass = first_pass * 2;
6bda8e
-        int y_passes = (y_9pin_high ? 2 : 1);
6bda8e
+        int in_y_mult;
6bda8e
+        int line_size;
6bda8e
+        int in_size;
6bda8e
+        byte *buf1;
6bda8e
+        byte *buf2;
6bda8e
+        byte *in;
6bda8e
+        byte *out;
6bda8e
+        int out_y_mult;
6bda8e
+        int x_dpi;
6bda8e
+        char start_graphics;
6bda8e
+        int first_pass;
6bda8e
+        int last_pass;
6bda8e
+        int y_passes;
6bda8e
         int skip = 0, lnum = 0, pass, ypass;
6bda8e
         int y_step = 0;
6bda8e
 
6bda8e
+        x_dpi = pdev->x_pixels_per_inch;
6bda8e
+        if (x_dpi / 60 >= sizeof(graphics_modes_9)/sizeof(graphics_modes_9[0])) {
6bda8e
+            return_error(gs_error_rangecheck);
6bda8e
+        }
6bda8e
+        in_y_mult = (y_9pin_high ? 2 : 1);
6bda8e
+        line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
6bda8e
+        /* Note that in_size is a multiple of 8. */
6bda8e
+        in_size = line_size * (8 * in_y_mult);
6bda8e
+        buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf1)");
6bda8e
+        buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf2)");
6bda8e
+        in = buf1;
6bda8e
+        out = buf2;
6bda8e
+        out_y_mult = 1;
6bda8e
+        start_graphics = graphics_modes_9[x_dpi / 60];
6bda8e
+        first_pass = (start_graphics == 3 ? 1 : 0);
6bda8e
+        last_pass = first_pass * 2;
6bda8e
+        y_passes = (y_9pin_high ? 2 : 1);
6bda8e
+        y_step = 0;
6bda8e
+
6bda8e
         /* Check allocations */
6bda8e
         if ( buf1 == 0 || buf2 == 0 )
6bda8e
         {	if ( buf1 )
6bda8e
-- 
6bda8e
2.35.3
6bda8e