rpms/ghostscript/F-11 ghostscript-CVE-2009-0196.patch, NONE, 1.1 ghostscript-CVE-2009-0792.patch, NONE, 1.1 ghostscript.spec, 1.184, 1.185

Tim Waugh twaugh at fedoraproject.org
Wed Apr 15 16:25:09 UTC 2009


Author: twaugh

Update of /cvs/pkgs/rpms/ghostscript/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30064

Modified Files:
	ghostscript.spec 
Added Files:
	ghostscript-CVE-2009-0196.patch 
	ghostscript-CVE-2009-0792.patch 
Log Message:
* Wed Apr 15 2009 Tim Waugh <twaugh at redhat.com> 8.64-6
- Applied patch to fix CVE-2009-0792 (bug #491853).
- Applied patch to fix CVE-2009-0196 (bug #493379).


ghostscript-CVE-2009-0196.patch:

--- NEW FILE ghostscript-CVE-2009-0196.patch ---
diff -up ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196 ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c
--- ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196	2007-12-11 08:29:58.000000000 +0000
+++ ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c	2009-04-15 16:27:43.000000000 +0100
@@ -699,6 +699,15 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
         exrunlength = params->SDNUMEXSYMS;
       else
         code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
+      if (exrunlength > params->SDNUMEXSYMS - j) {
+        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+          "runlength too large in export symbol table (%d > %d - %d)\n",
+          exrunlength, params->SDNUMEXSYMS, j);
+        jbig2_sd_release(ctx, SDEXSYMS);
+        /* skip to the cleanup code and return SDEXSYMS = NULL */
+        SDEXSYMS = NULL;
+        break;
+      }
       for(k = 0; k < exrunlength; k++)
         if (exflag) {
           SDEXSYMS->glyphs[j++] = (i < m) ? 
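Review bot: The new bound rejects a run that is too long but never tests for a negative `exrunlength`; whether a negative value is caught depends on `params->SDNUMEXSYMS - j` being evaluated as unsigned, which the declarations outside this hunk decide. Writing it out, `if (exrunlength < 0 || exrunlength > params->SDNUMEXSYMS - j) {`, removes the reliance on integer conversion rules. The value stored in `code` by `jbig2_arith_int_decode()` on the line above is also not checked in the visible lines, so after a failed decode the comparison would run on whatever `exrunlength` held before. The enclosing loop and the cleanup code the comment refers to are outside the hunk.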

ghostscript-CVE-2009-0792.patch:

--- NEW FILE ghostscript-CVE-2009-0792.patch ---
diff -up ghostscript-8.64/icclib/icc.c.CVE-2009-0792 ghostscript-8.64/icclib/icc.c
--- ghostscript-8.64/icclib/icc.c.CVE-2009-0792	2009-04-15 16:20:04.000000000 +0100
+++ ghostscript-8.64/icclib/icc.c	2009-04-15 16:20:24.000000000 +0100
@@ -2982,7 +2982,7 @@ static int icmCurve_lookup_fwd(
 			rv |= 1;
 		}
 		ix = (int)floor(val);		/* Coordinate */
-		if (ix > (p->size-2))
+		if (ix < 0 || ix > (p->size-2))
 			ix = (p->size-2);
 		w = val - (double)ix;		/* weight */
 		val = p->data[ix];
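Review bot: The added `ix < 0` case is clamped to the top cell `p->size-2` rather than to 0, so the weight on the next line, `w = val - (double)ix`, lands far outside [0,1] and the interpolation extrapolates from the wrong end of the table. The read is back inside `p->data`, but a separate branch such as `if (ix < 0) ix = 0; else if (ix > (p->size-2)) ix = (p->size-2);` would also keep the lookup anchored at the nearest cell. The clamp further assumes `p->size >= 2`; that guarantee, if it exists, is above the hunk. The same one-line change appears in the four lookup hunks further down that clamp against `p->inputEnt-2`, `clutPoints_2` (twice) and `p->outputEnt-2`.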
@@ -3004,6 +3004,11 @@ static int icmTable_setup_bwd(
 ) {
 	int i;
 
+	if (size > INT_MAX - 2)
+		/* Although rt->size is unsigned long, the rt data
+		 * structure uses int data types to store indices. */
+		return 2;
+
 	rt->size = size;		/* Stash pointers to these away */
 	rt->data = data;
 	
@@ -3022,7 +3027,7 @@ static int icmTable_setup_bwd(
 	rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin);	/* Scale factor to quantize to */
 	
 	/* Initialize the reverse lookup structures, and get overall min/max */
-	if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) {
+	if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) {
 		return 2;
 	}
 
@@ -3035,6 +3040,15 @@ static int icmTable_setup_bwd(
 			int t;
 			t = s; s = e; e = t;
 		}
+		/* s and e should both be in the range [0,rt->rsize]
+		 * now, but let's not rely on floating point
+		 * calculations -- double-check. */
+		if (s < 0)
+			s = 0;
+		if (e < 0)
+			e = 0;
+		if (s >= rt->rsize)
+			s = rt->rsize-1;
 		if (e >= rt->rsize)
 			e = rt->rsize-1;
 
@@ -3053,6 +3067,9 @@ static int icmTable_setup_bwd(
 				as = rt->rlists[j][0];	/* Allocate space for this list */
 				nf = rt->rlists[j][1];	/* Next free location in list */
 				if (nf >= as) {			/* need to expand space */
+					if (as > INT_MAX / 2 / sizeof (int))
+						return 2;
+
 					as *= 2;
 					rt->rlists[j] = (int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as);
 					if (rt->rlists[j] == NULL) {
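Review bot: Both new early exits in icmTable_setup_bwd, this `return 2` and the `size > INT_MAX - 2` one in the earlier hunk, leave without recording a reason in `icp->err`, unlike the allocate functions patched later, which `sprintf` a message and set `icp->errc`. This one also returns after `rt->rlists` and some of its per-entry lists have been allocated; whether the caller releases them on a non-zero return is not visible here, so it is worth confirming that the path does not leak. `INT_MAX` needs `<limits.h>` and the patch adds no include, so check that icc.c already has it. The function continues beyond the hunk.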
@@ -3104,7 +3121,7 @@ static int icmTable_lookup_bwd(
 		val = rsize_1;
 	ix = (int)floor(val);		/* Coordinate */
 
-	if (ix > (rt->size-2))
+	if (ix < 0 || ix > (rt->size-2))
 		ix = (rt->size-2);
 	if (rt->rlists[ix] != NULL)  {		/* There is a list of fwd candidates */
 		/* For each candidate forward range */
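Review bot: `ix` indexes `rt->rlists`, which icmTable_setup_bwd allocates with `rt->rsize` entries, yet the clamp here is against `rt->size-2`. The lines above appear to limit `val` to `rsize_1`, but the `ix < 0` branch assigns `rt->size-2` directly, which is a valid `rlists` index only if `rt->size-2 < rt->rsize`; the relation between the two sizes is set outside the visible hunks. Clamping the negative case to 0, `if (ix < 0) ix = 0;`, or bounding by `rt->rsize-1`, would stay inside the array regardless. The function body starts and ends outside the hunk.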
@@ -3131,6 +3148,7 @@ static int icmTable_lookup_bwd(
 	/* We have failed to find an exact value, so return the nearest value */
 	/* (This is slow !) */
 	val = fabs(ival - rt->data[0]);
+	/* rt->size is known to be < INT_MAX */
 	for (k = 0, i = 1; i < rt->size; i++) {
 		double er;
 		er = fabs(ival - rt->data[i]);
@@ -3671,7 +3689,7 @@ static int icmData_allocate(
 	if (p->size != p->_size) {
 		if (p->data != NULL)
 			icp->al->free(icp->al, p->data);
-		if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) {
+		if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) {
 			sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed");
 			return icp->errc = 2;
 		}
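Review bot: The switch to `calloc` protects against a wrapped size only if `icp->al->calloc` itself checks `count * size`; it is a callback on the profile's allocator object rather than libc `calloc`, and its implementation is not part of this patch. In this hunk, and in the icmText, icmTextDescription, icmUcrBg and icmCrdInfo allocate hunks below, the element size is 1, so there is no multiplication to overflow and the visible effect is a zero-filled buffer. The case where the check matters is the `rt->rlists` allocation in icmTable_setup_bwd. The error strings in all of these still say `malloc()`; changing them to `calloc()` would keep the message consistent with the code.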
@@ -3887,7 +3905,7 @@ static int icmText_allocate(
 	if (p->size != p->_size) {
 		if (p->data != NULL)
 			icp->al->free(icp->al, p->data);
-		if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+		if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
 			sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed");
 			return icp->errc = 2;
 		}
@@ -4301,7 +4319,7 @@ double *in		/* Input array[inputChan] */
 			rv |= 1;
 		}
 		ix = (int)floor(val);		/* Grid coordinate */
-		if (ix > (p->inputEnt-2))
+		if (ix < 0 || ix > (p->inputEnt-2))
 			ix = (p->inputEnt-2);
 		w = val - (double)ix;		/* weight */
 		val = table[ix];
@@ -4360,7 +4378,7 @@ double *in		/* Input array[outputChan] *
 				rv |= 1;
 			}
 			x = (int)floor(val);		/* Grid coordinate */
-			if (x > clutPoints_2)
+			if (x < 0 || x > clutPoints_2)
 				x = clutPoints_2;
 			co[e] = val - (double)x;	/* 1.0 - weight */
 			gp += x * p->dinc[e];		/* Add index offset for base of cube */
@@ -4433,7 +4451,7 @@ double *in		/* Input array[outputChan] *
 				rv |= 1;
 			}
 			x = (int)floor(val);		/* Grid coordinate */
-			if (x > clutPoints_2)
+			if (x < 0 || x > clutPoints_2)
 				x = clutPoints_2;
 			co[e] = val - (double)x;	/* 1.0 - weight */
 			gp += x * p->dinc[e];		/* Add index offset for base of cube */
@@ -4506,7 +4524,7 @@ double *in		/* Input array[outputChan] *
 			rv |= 1;
 		}
 		ix = (int)floor(val);		/* Grid coordinate */
-		if (ix > (p->outputEnt-2))
+		if (ix < 0 || ix > (p->outputEnt-2))
 			ix = (p->outputEnt-2);
 		w = val - (double)ix;		/* weight */
 		val = table[ix];
@@ -6714,7 +6732,7 @@ static int icmTextDescription_allocate(
 	if (p->size != p->_size) {
 		if (p->desc != NULL)
 			icp->al->free(icp->al, p->desc);
-		if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+		if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
 			sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed");
 			return icp->errc = 2;
 		}
@@ -7888,7 +7906,7 @@ static int icmUcrBg_allocate(
 	if (p->size != p->_size) {
 		if (p->string != NULL)
 			icp->al->free(icp->al, p->string);
-		if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+		if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
 			sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed");
 			return icp->errc = 2;
 		}
@@ -8827,7 +8845,7 @@ static int icmCrdInfo_allocate(
 	if (p->ppsize != p->_ppsize) {
 		if (p->ppname != NULL)
 			icp->al->free(icp->al, p->ppname);
-		if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) {
+		if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) {
 			sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed");
 			return icp->errc = 2;
 		}
@@ -8837,7 +8855,7 @@ static int icmCrdInfo_allocate(
 		if (p->crdsize[t] != p->_crdsize[t]) {
 			if (p->crdname[t] != NULL)
 				icp->al->free(icp->al, p->crdname[t]);
-			if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) {
+			if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) {
 				sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t);
 				return icp->errc = 2;
 			}


Index: ghostscript.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ghostscript/F-11/ghostscript.spec,v
retrieving revision 1.184
retrieving revision 1.185
diff -u -r1.184 -r1.185
--- ghostscript.spec	20 Mar 2009 12:35:56 -0000	1.184
+++ ghostscript.spec	15 Apr 2009 16:24:39 -0000	1.185
@@ -5,7 +5,7 @@
 Name: ghostscript
 Version: %{gs_ver}
 
-Release: 5%{?dist}
+Release: 6%{?dist}
 
 License: GPLv2
 URL: http://www.ghostscript.com/
@@ -23,6 +23,8 @@
 Patch7: ghostscript-pksmraw.patch
 Patch8: ghostscript-bitcmyk.patch
 Patch9: ghostscript-CVE-2009-0583,0584.patch
+Patch10: ghostscript-CVE-2009-0792.patch
+Patch11: ghostscript-CVE-2009-0196.patch
 
 Requires: urw-fonts >= 1.1, ghostscript-fonts
 BuildRequires: libjpeg-devel, libXt-devel
@@ -113,6 +115,12 @@
 # (bug #487744).
 %patch9 -p1 -b .CVE-2009-0583,0584
 
+# Applied patch to fix CVE-2009-0792 (bug #491853).
+%patch10 -p1 -b .CVE-2009-0792
+
+# Applied patch to fix CVE-2009-0196 (bug #493379).
+%patch11 -p1 -b .CVE-2009-0196
+
 # Convert manual pages to UTF-8
 from8859_1() {
 	iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@@ -294,6 +302,10 @@
 %{_libdir}/libgs.so
 
 %changelog
+* Wed Apr 15 2009 Tim Waugh <twaugh at redhat.com> 8.64-6
+- Applied patch to fix CVE-2009-0792 (bug #491853).
+- Applied patch to fix CVE-2009-0196 (bug #493379).
+
 * Fri Mar 20 2009 Tim Waugh <twaugh at redhat.com> 8.64-5
 - Applied patch to fix CVE-2009-0583 (bug #487742) and CVE-2009-0584
   (bug #487744).



