NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
72b4229cfc
kumquat-buildroot/package/ghostscript/0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch
Fabrice Fontaine 70910c4092 package/ghostscript: fix CVE-2021-45944 
Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in
sampled_data_sample (called from sampled_data_continue and interp).

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2022-01-15 12:05:31 +01:00

53 lines
1.9 KiB
Diff
Raw Blame History

From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Fri, 12 Feb 2021 10:34:23 +0000
Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation.
During function result sampling, after the callout to the Postscript
interpreter, make sure there is enough stack space available before pushing
or popping entries.
In thise case, the Postscript procedure for the "function" is totally invalid
(as a function), and leaves the op stack in an unrecoverable state (as far as
function evaluation is concerned). We end up popping more entries off the
stack than are available.
To cope, add in stack limit checking to throw an appropriate error when this
happens.
[Retrieved from:
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7861fcad13c497728189feafb41cd57b5b50ea25]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
psi/zfsample.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/psi/zfsample.c b/psi/zfsample.c
index 290809405..652ae02c6 100644
--- a/psi/zfsample.c
+++ b/psi/zfsample.c
@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
} else {
if (stack_depth_adjust) {
stack_depth_adjust -= num_out;
- push(O_STACK_PAD - stack_depth_adjust);
- for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
- make_null(op - i);
+ if ((O_STACK_PAD - stack_depth_adjust) < 0) {
+ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
+ check_op(stack_depth_adjust);
+ pop(stack_depth_adjust);
+ }
+ else {
+ check_ostack(O_STACK_PAD - stack_depth_adjust);
+ push(O_STACK_PAD - stack_depth_adjust);
+ for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+ make_null(op - i);
+ }
}
}
--
2.25.1
Reference in New Issue View Git Blame Copy Permalink