diff options
Diffstat (limited to 'poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch')
| -rw-r--r-- | poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch | 54 |
1 files changed, 0 insertions, 54 deletions
diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch b/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch deleted file mode 100644 index d7c5f034e..000000000 --- a/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001 -From: Ray Johnston <ray.johnston@artifex.com> -Date: Wed, 22 Jul 2020 09:57:54 -0700 -Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript - 9.52 - -Fix the 'rsearch' calculation for the 'post' size to give the correct -size. Previous calculation would result in a size that was too large, -and could underflow to max uint32_t. Also fix 'rsearch' to return the -correct 'pre' string with empty string match. - -A future change may 'undefine' this undocumented, non-standard operator -during initialization as we do with the many other non-standard internal -PostScript operators and procedures. - -Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b] -CVE: CVE-2020-15900 -Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> ---- - psi/zstring.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/psi/zstring.c b/psi/zstring.c -index 33662dafa..58e1af2b3 100644 ---- a/psi/zstring.c -+++ b/psi/zstring.c -@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward) - return 0; - found: - op->tas.type_attrs = op1->tas.type_attrs; -- op->value.bytes = ptr; -- r_set_size(op, size); -+ op->value.bytes = ptr; /* match */ -+ op->tas.rsize = size; /* match */ - push(2); -- op[-1] = *op1; -- r_set_size(op - 1, ptr - op[-1].value.bytes); -- op1->value.bytes = ptr + size; -- r_set_size(op1, count + (!forward ? (size - 1) : 0)); -+ op[-1] = *op1; /* pre */ -+ op[-3].value.bytes = ptr + size; /* post */ -+ if (forward) { -+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */ -+ op[-3].tas.rsize = count; /* post */ -+ } else { -+ op[-1].tas.rsize = count; /* pre */ -+ op[-3].tas.rsize -= count + size; /* post */ -+ } - make_true(op); - return 0; - } --- -2.17.1 - |