diff --git a/SOURCES/ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch b/SOURCES/ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
new file mode 100644
index 0000000..27ca0b2
--- /dev/null
+++ b/SOURCES/ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
@@ -0,0 +1,64 @@
+From 2a3129365d3bc0d4a41f107ef175920d1505d1f7 Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Tue, 1 Jun 2021 19:57:16 +0100
+Subject: [PATCH] Bug 703902: Fix op stack management in
+ sampled_data_continue()
+
+Replace pop() (which does no checking, and doesn't handle stack extension
+blocks) with ref_stack_pop() which does do all that.
+
+We still use pop() in one case (it's faster), but we have to later use
+ref_stack_pop() before calling sampled_data_sample() which also accesses the
+op stack.
+
+Fixes:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
+---
+ psi/zfsample.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 0e8e4bc8d..00cd0cfdd 100644
+--- a/psi/zfsample.c
++++ b/psi/zfsample.c
+@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+ for (j = 0; j < bps; j++)
+ data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
+ }
+- pop(num_out); /* Move op to base of result values */
+
+- /* Check if we are done collecting data. */
++ pop(num_out); /* Move op to base of result values */
+
++ /* From here on, we have to use ref_stack_pop() rather than pop()
++ so that it handles stack extension blocks properly, before calling
++ sampled_data_sample() which also uses the op stack.
++ */
++ /* Check if we are done collecting data. */
+ if (increment_cube_indexes(params, penum->indexes)) {
+ if (stack_depth_adjust == 0)
+- pop(O_STACK_PAD); /* Remove spare stack space */
++ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
+ else
+- pop(stack_depth_adjust - num_out);
++ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
+ /* Execute the closing procedure, if given */
+ code = 0;
+ if (esp_finish_proc != 0)
+@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+ if ((O_STACK_PAD - stack_depth_adjust) < 0) {
+ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
+ check_op(stack_depth_adjust);
+- pop(stack_depth_adjust);
++ ref_stack_pop(&o_stack, stack_depth_adjust);
+ }
+ else {
+ check_ostack(O_STACK_PAD - stack_depth_adjust);
+- push(O_STACK_PAD - stack_depth_adjust);
++ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
+ for (i=0;ivdev;
+ const gs_matrix *const pmat = &state->scale_mat;
+diff -ur ghostscript-9.54.0/base/gdevvec.h ghostscript-9.54.0-patched/base/gdevvec.h
+--- ghostscript-9.54.0/base/gdevvec.h
++++ ghostscript-9.54.0-patched/base/gdevvec.h
+@@ -306,7 +306,7 @@
+
+ /* Write a segment of a path using the default implementation. */
+ int gdev_vector_dopath_segment(gdev_vector_dopath_state_t *state, int pe_op,
+- gs_fixed_point vs[3]);
++ gs_fixed_point *vs);
+
+ typedef struct gdev_vector_path_seg_record_s {
+ int op;
+diff -ur ghostscript-9.54.0/base/gxclpath.c ghostscript-9.54.0-patched/base/gxclpath.c
+--- ghostscript-9.54.0/base/gxclpath.c 2021-03-30 09:40:28.000000000 +0200
++++ ghostscript-9.54.0-patched/base/gxclpath.c 2021-11-23 11:06:14.670137576 +0100
+@@ -715,10 +715,10 @@
+ } else {
+ code = set_cmd_put_op(&dp, cldev, pcls, cmd_opv_set_color_space,
+ 2 + sizeof(clist_icc_color_t));
+- memcpy(dp + 2, &(cldev->color_space.icc_info),
+- sizeof(clist_icc_color_t));
+ if (code < 0)
+ return code;
++ memcpy(dp + 2, &(cldev->color_space.icc_info),
++ sizeof(clist_icc_color_t));
+ }
+ dp[1] = cldev->color_space.byte1;
+ pcls->known |= color_space_known;
+diff -ur ghostscript-9.54.0/extract/src/mem.c ghostscript-9.54.0-patched/extract/src/mem.c
+--- ghostscript-9.54.0/extract/src/mem.c 2021-03-30 09:40:28.000000000 +0200
++++ ghostscript-9.54.0-patched/extract/src/mem.c 2021-11-23 11:11:37.293082828 +0100
+@@ -19,14 +19,24 @@
+ int extract_vasprintf(extract_alloc_t* alloc, char** out, const char* format, va_list va)
+ {
+ int n;
+- int n2;
++ int ret;
+ va_list va2;
+ va_copy(va2, va);
+ n = vsnprintf(NULL, 0, format, va);
+- if (n < 0) return n;
+- if (extract_malloc(alloc, out, n + 1)) return -1;
+- n2 = vsnprintf(*out, n + 1, format, va2);
++ if (n < 0)
++ {
++ ret = n;
++ goto end;
++ }
++ if (extract_malloc(alloc, out, n + 1))
++ {
++ ret = -1;
++ goto end;
++ }
++ vsnprintf(*out, n + 1, format, va2);
++ ret = 0;
++
++ end:
+ va_end(va2);
+- assert(n2 == n);
+- return n2;
++ return ret;
+ }
+diff -ur ghostscript-9.54.0/psi/icie.h ghostscript-9.54.0-patched/psi/icie.h
+--- ghostscript-9.54.0/psi/icie.h 2021-03-30 09:40:28.000000000 +0200
++++ ghostscript-9.54.0-patched/psi/icie.h 2021-10-29 12:48:43.405814563 +0200
+@@ -53,7 +53,7 @@
+
+ /* Get 3 procedures from a dictionary. */
+ int dict_proc3_param(const gs_memory_t *mem, const ref *pdref,
+- const char *kstr, ref proc3[3]);
++ const char *kstr, ref *proc3);
+
+ /* Get WhitePoint and BlackPoint values. */
+ int cie_points_param(const gs_memory_t *mem,
+diff -ur ghostscript-9.54.0/psi/zcie.c ghostscript-9.54.0-patched/psi/zcie.c
+--- ghostscript-9.54.0/psi/zcie.c 2021-03-30 09:40:28.000000000 +0200
++++ ghostscript-9.54.0-patched/psi/zcie.c 2021-11-02 14:36:28.463448728 +0100
+@@ -144,7 +144,7 @@
+
+ /* Get 3 procedures from a dictionary. */
+ int
+-dict_proc3_param(const gs_memory_t *mem, const ref *pdref, const char *kstr, ref proc3[3])
++dict_proc3_param(const gs_memory_t *mem, const ref *pdref, const char *kstr, ref *proc3)
+ {
+ return dict_proc_array_param(mem, pdref, kstr, 3, proc3);
+ }
diff --git a/SPECS/ghostscript.spec b/SPECS/ghostscript.spec
index bc639a1..ab1e299 100644
--- a/SPECS/ghostscript.spec
+++ b/SPECS/ghostscript.spec
@@ -42,7 +42,7 @@ Name: ghostscript
 Summary: Interpreter for PostScript language & PDF
 Version: 9.54.0
-Release: 4%{?dist}
+Release: 7%{?dist}
 License: AGPLv3+
@@ -102,6 +102,10 @@ BuildRequires: make
 #Patch000: example000.patch
 Patch001: ghostscript-9.54.0-gdevtxtw-null-also-pointers.patch
 Patch002: ghostscript-9.54.0-include-pipe-handle-in-validation.patch
+#2032789 - coverity warnings fixes
+Patch003: ghostscript-9.54.0-covscan-fixes.patch
+#2049767 - CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
+Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
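Review bot: In the extract/src/mem.c portion of the added patch content, the rewritten extract_vasprintf() drops the result of the second vsnprintf() together with the old `assert(n2 == n)`, so a negative return from that call (or a length that differs from the probe) is now reported as success with `*out` left allocated and possibly unterminated. The function also changes its success return from the formatted length (n2) to 0; that is fine only if every caller tests the result for non-zero rather than using it as a length, which cannot be confirmed from this hunk. A minimal fix that keeps the new 0/-1 contract is to replace the two lines `vsnprintf(*out, n + 1, format, va2);` / `ret = 0;` with `ret = (vsnprintf(*out, n + 1, format, va2) == n) ? 0 : -1;`, and to release `*out` through the allocator's matching free routine on that failure path so the error does not leak the buffer. Note that this mem.c change appears in the same added-file hunk as the zfsample.c CVE fix but under a separate `diff -ur` header, and the text between the zfsample.c `for (i=0;` loop and the gdevvec.h header is visibly truncated in this rendering, so the remainder of that hunk could not be reviewed.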
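Review bot: Patch003 and Patch004 are declared at the `@@ -102,6 +102,10 @@` hunk but nothing in this diff shows them being applied; if %prep uses explicit `%patch` lines rather than `%autosetup`/`%autopatch`, matching `%patch003 -p1` and `%patch004 -p1` entries are required or the CVE-2021-45949 fix is declared but never reaches the build, which is the kind of gap a build-log check for the patch names would catch. Both patch bodies use a one-component path prefix (`a/psi/zfsample.c`, `ghostscript-9.54.0/base/gdevvec.h`), so `-p1` is the right strip level for each. The comment on Patch004 names `sampled_data_finish` while the patch itself is titled as fixing `sampled_data_continue()`; it would help the next maintainer to confirm the function name against the advisory and state it consistently, e.g. `#2049767 - CVE-2021-45949 op-stack overflow in sampled_data_continue()/sampled_data_finish (psi/zfsample.c)`.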
@@ -435,6 +439,15 @@ done
 # =============================================================================
 %changelog
+* Thu Feb 24 2022 Richard Lescak - 9.54.0-7
+- Fix patch for covscan issues (#2032789)
+
+* Tue Feb 22 2022 Richard Lescak - 9.54.0-6
+- Added fix for vulnerability CVE-2021-45949 (#2049767)
+
+* Mon Feb 21 2022 Richard Lescak - 9.54.0-5
+- Added coverity fixes (#2032789)
+
 * Thu Sep 16 2021 Richard Lescak - 9.54.0-4
 - Added fix for CVE-2021-3781 (#2002625)