poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch - openbmc/openbmc - Gitiles

 From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001
 From: Ray Johnston <ray.johnston@artifex.com>
 Date: Wed, 22 Jul 2020 09:57:54 -0700
 Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript
  9.52

 Fix the 'rsearch' calculation for the 'post' size to give the correct
 size.  Previous calculation would result in a size that was too large,
 and could underflow to max uint32_t. Also fix 'rsearch' to return the
 correct 'pre' string with empty string match.

 A future change may 'undefine' this undocumented, non-standard operator
 during initialization as we do with the many other non-standard internal
 PostScript operators and procedures.

 Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b]
 CVE: CVE-2020-15900
 Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
 ---
  psi/zstring.c | 17 +++++++++++------
  1 file changed, 11 insertions(+), 6 deletions(-)

 diff --git a/psi/zstring.c b/psi/zstring.c
 index 33662dafa..58e1af2b3 100644
 --- a/psi/zstring.c
 +++ b/psi/zstring.c
 @@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
      return 0;
  found:
      op->tas.type_attrs = op1->tas.type_attrs;
 -    op->value.bytes = ptr;
 -    r_set_size(op, size);
 +    op->value.bytes = ptr;				/* match */
 +    op->tas.rsize = size;				/* match */
      push(2);
 -    op[-1] = *op1;
 -    r_set_size(op - 1, ptr - op[-1].value.bytes);
 -    op1->value.bytes = ptr + size;
 -    r_set_size(op1, count + (!forward ? (size - 1) : 0));
 +    op[-1] = *op1;					/* pre */
 +    op[-3].value.bytes = ptr + size;			/* post */
 +    if (forward) {
 +        op[-1].tas.rsize = ptr - op[-1].value.bytes;	/* pre */
 +        op[-3].tas.rsize = count;			/* post */
 +    } else {
 +        op[-1].tas.rsize = count;			/* pre */
 +        op[-3].tas.rsize -= count + size;		/* post */
 +    }
      make_true(op);
      return 0;
  }
 --
 2.17.1
	From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001
	From: Ray Johnston <ray.johnston@artifex.com>
	Date: Wed, 22 Jul 2020 09:57:54 -0700
	Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript
	9.52

	Fix the 'rsearch' calculation for the 'post' size to give the correct
	size. Previous calculation would result in a size that was too large,
	and could underflow to max uint32_t. Also fix 'rsearch' to return the
	correct 'pre' string with empty string match.

	A future change may 'undefine' this undocumented, non-standard operator
	during initialization as we do with the many other non-standard internal
	PostScript operators and procedures.

	Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b]
	CVE: CVE-2020-15900
	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	---
	psi/zstring.c \| 17 +++++++++++------
	1 file changed, 11 insertions(+), 6 deletions(-)

	diff --git a/psi/zstring.c b/psi/zstring.c
	index 33662dafa..58e1af2b3 100644
	--- a/psi/zstring.c
	+++ b/psi/zstring.c
	@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
	return 0;
	found:
	op->tas.type_attrs = op1->tas.type_attrs;
	- op->value.bytes = ptr;
	- r_set_size(op, size);
	+ op->value.bytes = ptr; /* match */
	+ op->tas.rsize = size; /* match */
	push(2);
	- op[-1] = *op1;
	- r_set_size(op - 1, ptr - op[-1].value.bytes);
	- op1->value.bytes = ptr + size;
	- r_set_size(op1, count + (!forward ? (size - 1) : 0));
	+ op[-1] = op1; / pre */
	+ op[-3].value.bytes = ptr + size; /* post */
	+ if (forward) {
	+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
	+ op[-3].tas.rsize = count; /* post */
	+ } else {
	+ op[-1].tas.rsize = count; /* pre */
	+ op[-3].tas.rsize -= count + size; /* post */
	+ }
	make_true(op);
	return 0;
	}
	--
	2.17.1