Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Alexander_Naumov:SLE-12:Update
ghostscript-mini.7320
CVE-2016-10317.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2016-10317.patch of Package ghostscript-mini.7320
From: Daniel Molkentin <daniel.molkentin@suse.com> Subject: [PATCH] Backport: Fixes for CVE-2016-10317 Fix Bug 696398: Segfault with fuzzing file. Overflow of integer caused later failure even if allocation of the ht_buffer succeeded. Detect overflow, return error. Requires dependent fix: Fix bug 697459 Buffer overflow in fill_threshold_buffer There was an overflow check for ht_buffer size, but none for the larger threshold_buffer. Note that this file didn't fail on Windows because the combination of the ht_buffer and the size of the (miscalculated due to overflow) threshold_buffer would have exceeded the 2Gb limit. --- base/gxht_thresh.c | 14 ++++++++++++-- base/gxipixel.c | 2 +- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/base/gxht_thresh.c b/base/gxht_thresh.c index 35f8e3f57..726861685 100644 --- a/base/gxht_thresh.c +++ b/base/gxht_thresh.c @@ -711,6 +711,11 @@ gxht_thresh_image_init(gx_image_enum *penum) space */ max_height = (int) ceil(fixed2float(any_abs(penum->dst_height)) / (float) penum->Height); + if (max_height <= 0) + return -1; /* shouldn't happen, but check so we don't div by zero */ + if (penum->ht_stride * spp_out > max_int / max_height) + return -1; /* overflow */ + penum->ht_buffer = gs_alloc_bytes(penum->memory, penum->ht_stride * max_height * spp_out, @@ -731,6 +736,11 @@ gxht_thresh_image_init(gx_image_enum *penum) Also allow a 15 sample over run during the execution. */ temp = (int) ceil((float) ((dev_width + 15.0) + 15.0)/16.0); penum->line_size = bitmap_raster(temp * 16 * 8); /* The stride */ + if (penum->line_size > max_int / max_height) { + gs_free_object(penum->memory, penum->ht_buffer, "gxht_thresh"); + penum->ht_buffer = NULL; + return -1; /* thresh_buffer size overflow */ + } penum->line = gs_alloc_bytes(penum->memory, penum->line_size * spp_out, "gxht_thresh"); penum->thresh_buffer = gs_alloc_bytes(penum->memory, @@ -751,7 +761,7 @@ gxht_thresh_image_init(gx_image_enum *penum) } static void -fill_threshhold_buffer(byte *dest_strip, byte *src_strip, int src_width, +fill_threshold_buffer(byte *dest_strip, byte *src_strip, int src_width, int left_offset, int left_width, int num_tiles, int right_width) { @@ -905,7 +915,7 @@ gxht_thresh_planes(gx_image_enum *penum, fixed xrun, to update with stride */ position = contone_stride * k; /* Tile into the 128 bit aligned threshold strip */ - fill_threshhold_buffer(&(thresh_align[position]), + fill_threshold_buffer(&(thresh_align[position]), thresh_tile, thresh_width, dx, left_width, num_full_tiles, right_tile_width); } diff --git a/base/gxipixel.c b/base/gxipixel.c index 4eb654844..da2574a05 100644 --- a/base/gxipixel.c +++ b/base/gxipixel.c @@ -755,7 +755,7 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs, penum->memory = mem; penum->buffer = buffer; penum->buffer_size = bsize; - penum->line = 0; + penum->line = NULL; penum->icc_link = NULL; penum->color_cache = NULL; penum->ht_buffer = NULL; -- 2.13.6
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor