| From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001 |
| From: Ken Sharp <ken.sharp@artifex.com> |
| Date: Fri, 24 Mar 2023 13:19:57 +0000 |
| Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding |
| |
| Bug #706494 "Buffer Overflow in s_xBCPE_process" |
| |
| As described in detail in the bug report, if the write buffer is filled |
| to one byte less than full, and we then try to write an escaped |
| character, we overrun the buffer because we don't check before |
| writing two bytes to it. |
| |
| This just checks if we have two bytes before starting to write an |
| escaped character and exits if we don't (replacing the consumed byte |
| of the input). |
| |
| Up for further discussion; why do we even permit a BCP encoding filter |
| anyway ? I think we should remove this, at least when SAFER is true. |
| --- |
| CVE: CVE-2023-28879 |
| |
| Upstream-Status: Backport [see text] |
| |
| git://git.ghostscript.com/ghostpdl |
| cherry-pick |
| |
| Signed-off-by: Joe Slater <joe.slater@windriver.com. |
| |
| --- |
| base/sbcp.c | 10 +++++++++- |
| 1 file changed, 9 insertions(+), 1 deletion(-) |
| |
| diff --git a/base/sbcp.c b/base/sbcp.c |
| index 979ae0992..47fc233ec 100644 |
| --- a/base/sbcp.c |
| +++ b/base/sbcp.c |
| @@ -1,4 +1,4 @@ |
| -/* Copyright (C) 2001-2021 Artifex Software, Inc. |
| +/* Copyright (C) 2001-2023 Artifex Software, Inc. |
| All Rights Reserved. |
| |
| This software is provided AS-IS with no warranty, either express or |
| @@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr, |
| byte ch = *++p; |
| |
| if (ch <= 31 && escaped[ch]) { |
| + /* Make sure we have space to store two characters in the write buffer, |
| + * if we don't then exit without consuming the input character, we'll process |
| + * that on the next time round. |
| + */ |
| + if (pw->limit - q < 2) { |
| + p--; |
| + break; |
| + } |
| if (p == rlimit) { |
| p--; |
| break; |
| -- |
| 2.25.1 |
| |