--- /dev/null
+From ef42ff180a04926e187d40faea40d4a43e304e3b Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 20 Jan 2025 16:13:46 +0000
+Subject: [PATCH] PDF interpreter - Guard against unsigned int overflow
+
+Bug #708253 - see bug report for details.
+
+CVE-2025-27834
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ef42ff180a04926e187d40faea40d4a43e304e3b]
+CVE: CVE-2025-27834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pdf/pdf_func.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/pdf/pdf_func.c b/pdf/pdf_func.c
+index 9b7d5bb..423e544 100644
+--- a/pdf/pdf_func.c
++++ b/pdf/pdf_func.c
+@@ -153,6 +153,9 @@ pdfi_parse_type4_func_stream(pdf_context *ctx, pdf_c_stream *function_stream, in
+ byte *p = (ops ? ops + *size : NULL);
+
+ do {
++ if (*size > max_uint / 2)
++ return gs_note_error(gs_error_VMerror);
++
+ code = pdfi_read_bytes(ctx, &c, 1, 1, function_stream);
+ if (code < 0)
+ break;
+@@ -318,6 +321,11 @@ pdfi_build_function_4(pdf_context *ctx, gs_function_params_t * mnDR,
+ if (code < 0)
+ goto function_4_error;
+
++ if (size > max_uint - 1) {
++ code = gs_note_error(gs_error_VMerror);
++ goto function_4_error;
++ }
++
+ ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_function_4(ops)");
+ if (ops == NULL) {
+ code = gs_error_VMerror;
+@@ -816,6 +824,11 @@ int pdfi_build_halftone_function(pdf_context *ctx, gs_function_t ** ppfn, byte *
+ if (code < 0)
+ goto halftone_function_error;
+
++ if (size > max_uint - 1) {
++ code = gs_note_error(gs_error_VMerror);
++ goto halftone_function_error;
++ }
++
+ ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_halftone_function(ops)");
+ if (ops == NULL) {
+ code = gs_error_VMerror;
+--
+2.25.1
+
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
