summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch
blob: 574abe0e42012ee9f61fe095e0e26849cec050b5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
From 4bef1a1d32e29b68855616020dbff574b9cda08f Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Thu, 29 Dec 2016 15:57:43 +0000
Subject: [PATCH] Bug 697453: Avoid divide by 0 in scan conversion code.

Arithmetic overflow due to extreme values in the scan conversion
code can cause a division by 0.

Avoid this with a simple extra check.

  dx_old=cf814d81
  endp->x_next=b0e859b9
  alp->x_next=8069a73a

leads to dx_den = 0

Upstream-Status: Backport
CVE: CVE-2016-10219

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
---
 base/gxfill.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/base/gxfill.c b/base/gxfill.c
index 99196c0..2f81bb0 100644
--- a/base/gxfill.c
+++ b/base/gxfill.c
@@ -1741,7 +1741,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
     fixed dx_old = alp->x_current - endp->x_current;
     fixed dx_den = dx_old + endp->x_next - alp->x_next;
 
-    if (dx_den <= dx_old)
+    if (dx_den <= dx_old || dx_den == 0)
         return false; /* Intersection isn't possible. */
     dy = y1 - y;
     if_debug3('F', "[F]cross: dy=%g, dx_old=%g, dx_new=%g\n",
@@ -1750,7 +1750,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
     /* Do the computation in single precision */
     /* if the values are small enough. */
     y_new =
-        ((dy | dx_old) < 1L << (size_of(fixed) * 4 - 1) ?
+        (((ufixed)(dy | dx_old)) < (1L << (size_of(fixed) * 4 - 1)) ?
          dy * dx_old / dx_den :
          (INCR_EXPR(mq_cross), fixed_mult_quo(dy, dx_old, dx_den)))
         + y;
-- 
2.10.2