ghostscript: patch CVE-2025-59800

author Peter Marko <peter.marko@siemens.com>

Tue, 7 Oct 2025 22:11:12 +0000 (00:11 +0200)

committer Steve Sakoman <steve@sakoman.com>

Thu, 9 Oct 2025 19:25:56 +0000 (12:25 -0700)
author Peter Marko <peter.marko@siemens.com>
Tue, 7 Oct 2025 22:11:12 +0000 (00:11 +0200)
committer Steve Sakoman <steve@sakoman.com>
Thu, 9 Oct 2025 19:25:56 +0000 (12:25 -0700)
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch

new file mode 100644 (file)

index 0000000..5d50865
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch
@@ -0,0 +1,36 @@
+From 176cf0188a2294bc307b8caec876f39412e58350 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Tue, 1 Jul 2025 10:31:17 +0100
+Subject: [PATCH] PDF OCR 8 bit device - avoid overflow
+
+Bug 708602 "Heap overflow in ocr_line8"
+
+Make sure the calculation of the required raster size does not overflow
+an int.
+
+CVE: CVE-2025-59800
+Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/176cf0188a2294bc307b8caec876f39412e58350]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ devices/gdevpdfocr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
+index f27dc11db..6362f4104 100644
+--- a/devices/gdevpdfocr.c
++++ b/devices/gdevpdfocr.c
+@@ -521,9 +521,12 @@ ocr_line32(gx_device_pdf_image *dev, void *row)
+ static int
+ ocr_begin_page(gx_device_pdf_image *dev, int w, int h, int bpp)
+ {
+-    int raster = (w+3)&~3;
++    int64_t raster = (w + 3) & ~3;
+ 
+-    dev->ocr.data = gs_alloc_bytes(dev->memory, raster * h, "ocr_begin_page");
++    raster = raster * (int64_t)h;
++    if (raster < 0 || raster > max_size_t)
++        return gs_note_error(gs_error_VMerror);
++    dev->ocr.data = gs_alloc_bytes(dev->memory, raster, "ocr_begin_page");
+     if (dev->ocr.data == NULL)
+         return_error(gs_error_VMerror);
+     dev->ocr.w = w;
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb

index 0f123d48991b859e91ab95067b8f586d80eb0472..a48ad671c7649d2e2d3a927888d8851e1cb36e7c 100644 (file)
--- a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
@@ -27,6 +27,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo
             file://avoid-host-contamination.patch \
             file://CVE-2025-59798.patch \
             file://CVE-2025-59799.patch \
+           file://CVE-2025-59800.patch \
             "
  
  SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49"
author	Peter Marko <peter.marko@siemens.com>
	Tue, 7 Oct 2025 22:11:12 +0000 (00:11 +0200)
committer	Steve Sakoman <steve@sakoman.com>
	Thu, 9 Oct 2025 19:25:56 +0000 (12:25 -0700)
meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch	[new file with mode: 0644]	patch \| blob
meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb		patch \| blob \| blame \| history