From: Vijay Anusuri Date: Tue, 8 Apr 2025 10:57:18 +0000 (+0530) Subject: ghostscript: Fix CVE-2025-27832 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a1cd1e6275cc5ae3c100a3259e24d03937a4b78d;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git ghostscript: Fix CVE-2025-27832 Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27832.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27832.patch new file mode 100644 index 0000000000..c3a328bcc9 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27832.patch @@ -0,0 +1,45 @@ +From 57291c846334f1585552010faa42d7cb2cbd5c41 Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Wed, 20 Nov 2024 11:42:31 +0000 +Subject: Bug 708133: Avoid integer overflow leading to buffer overflow + +The calculation of the buffer size was being done with int values, and +overflowing that data type. By leaving the total size calculation to the +memory manager, the calculation ends up being done in size_t values, and +avoiding the overflow in this case, but also meaning the memory manager +overflow protection will be effective. + +CVE-2025-27832 + +Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41] +CVE: CVE-2025-27832 +Signed-off-by: Vijay Anusuri +--- + contrib/japanese/gdevnpdl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c +index 60065bacf..4967282bd 100644 +--- a/contrib/japanese/gdevnpdl.c ++++ b/contrib/japanese/gdevnpdl.c +@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c + int code; + int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh; + +- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)"))) ++ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)"))) + return_error(gs_error_VMerror); + + /* Initialize printer */ +@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c + /* Form Feed */ + gp_fputs("\014", prn_stream); + +- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)"); ++ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)"); + return 0; + } + +-- +cgit v1.2.3 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 94a21d1dce..284ae3a28e 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb @@ -65,6 +65,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2025-27830.patch \ file://CVE-2025-27831-pre1.patch \ file://CVE-2025-27831.patch \ + file://CVE-2025-27832.patch \ " SRC_URI = "${SRC_URI_BASE} \