diff options
author | Catalin Enache <catalin.enache@windriver.com> | 2017-04-21 15:04:17 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-04-28 11:26:07 +0100 |
commit | 6679a4d4379f6f18554ed0042546cce94d5d0b19 (patch) | |
tree | 3ed7a894be4cdda80a49cb3d565e479ee8dd93f4 /meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch | |
parent | 14abd767349bc868ca59838f1af3aaf17dfe4350 (diff) | |
download | openembedded-core-contrib-6679a4d4379f6f18554ed0042546cce94d5d0b19.tar.gz |
ghostscript : CVE-2016-10219, CVE-2016-10220, CVE-2017-5951
The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript
9.20 allows remote attackers to cause a denial of service (divide-by-zero
error and application crash) via a crafted file.
The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted file that is
mishandled in the PDF Transparency module.
The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted file.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951
Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f
http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8
http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch')
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch new file mode 100644 index 0000000000..574abe0e42 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch @@ -0,0 +1,49 @@ +From 4bef1a1d32e29b68855616020dbff574b9cda08f Mon Sep 17 00:00:00 2001 +From: Robin Watts <Robin.Watts@artifex.com> +Date: Thu, 29 Dec 2016 15:57:43 +0000 +Subject: [PATCH] Bug 697453: Avoid divide by 0 in scan conversion code. + +Arithmetic overflow due to extreme values in the scan conversion +code can cause a division by 0. + +Avoid this with a simple extra check. + + dx_old=cf814d81 + endp->x_next=b0e859b9 + alp->x_next=8069a73a + +leads to dx_den = 0 + +Upstream-Status: Backport +CVE: CVE-2016-10219 + +Signed-off-by: Catalin Enache <catalin.enache@windriver.com> +--- + base/gxfill.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/base/gxfill.c b/base/gxfill.c +index 99196c0..2f81bb0 100644 +--- a/base/gxfill.c ++++ b/base/gxfill.c +@@ -1741,7 +1741,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new + fixed dx_old = alp->x_current - endp->x_current; + fixed dx_den = dx_old + endp->x_next - alp->x_next; + +- if (dx_den <= dx_old) ++ if (dx_den <= dx_old || dx_den == 0) + return false; /* Intersection isn't possible. */ + dy = y1 - y; + if_debug3('F', "[F]cross: dy=%g, dx_old=%g, dx_new=%g\n", +@@ -1750,7 +1750,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new + /* Do the computation in single precision */ + /* if the values are small enough. */ + y_new = +- ((dy | dx_old) < 1L << (size_of(fixed) * 4 - 1) ? ++ (((ufixed)(dy | dx_old)) < (1L << (size_of(fixed) * 4 - 1)) ? + dy * dx_old / dx_den : + (INCR_EXPR(mq_cross), fixed_mult_quo(dy, dx_old, dx_den))) + + y; +-- +2.10.2 + |