diff options
Diffstat (limited to 'app-text/ghostscript-gpl/files/VU332928-githash8e9ce501.patch')
-rw-r--r-- | app-text/ghostscript-gpl/files/VU332928-githash8e9ce501.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/app-text/ghostscript-gpl/files/VU332928-githash8e9ce501.patch b/app-text/ghostscript-gpl/files/VU332928-githash8e9ce501.patch new file mode 100644 index 00000000..ca6b2272 --- /dev/null +++ b/app-text/ghostscript-gpl/files/VU332928-githash8e9ce501.patch @@ -0,0 +1,49 @@ +From: Ken Sharp <ken.sharp@artifex.com> +Date: Thu, 23 Aug 2018 14:42:02 +0000 (+0100) +Subject: Bug 699665 "memory corruption in aesdecode" +X-Git-Tag: ghostpdl-9.24rc1~13 +X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=8e9ce501 + +Bug 699665 "memory corruption in aesdecode" + +The specimen file calls aesdecode without specifying the key to be +used, though it does manage to do enough work with the PDF interpreter +routines to get access to aesdecode (which isn't normally available). + +This causes us to read uninitialised memory, which can (and often does) +lead to a segmentation fault. + +In this commit we set the key to NULL explicitly during intialisation +and then check it before we read it. If its NULL we just return. + +It seems bizarre that we don't return error codes, we should probably +look into that at some point, but this prevents the code trying to +read uninitialised memory. +--- + +diff --git a/base/aes.c b/base/aes.c +index a6bce93..e86f000 100644 +--- a/base/aes.c ++++ b/base/aes.c +@@ -662,6 +662,9 @@ void aes_crypt_ecb( aes_context *ctx, + } + #endif + ++ if (ctx == NULL || ctx->rk == NULL) ++ return; ++ + RK = ctx->rk; + + GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++; +diff --git a/base/saes.c b/base/saes.c +index 6db0e8b..307ed74 100644 +--- a/base/saes.c ++++ b/base/saes.c +@@ -120,6 +120,7 @@ s_aes_process(stream_state * ss, stream_cursor_read * pr, + gs_throw(gs_error_VMerror, "could not allocate aes context"); + return ERRC; + } ++ memset(state->ctx, 0x00, sizeof(aes_context)); + if (state->keylength < 1 || state->keylength > SAES_MAX_KEYLENGTH) { + gs_throw1(gs_error_rangecheck, "invalid aes key length (%d bytes)", + state->keylength); |