summaryrefslogtreecommitdiff
path: root/app-text/ghostscript-gpl/files/VU332928-githash8e9ce501.patch
diff options
context:
space:
mode:
Diffstat (limited to 'app-text/ghostscript-gpl/files/VU332928-githash8e9ce501.patch')
-rw-r--r--app-text/ghostscript-gpl/files/VU332928-githash8e9ce501.patch49
1 files changed, 49 insertions, 0 deletions
diff --git a/app-text/ghostscript-gpl/files/VU332928-githash8e9ce501.patch b/app-text/ghostscript-gpl/files/VU332928-githash8e9ce501.patch
new file mode 100644
index 00000000..ca6b2272
--- /dev/null
+++ b/app-text/ghostscript-gpl/files/VU332928-githash8e9ce501.patch
@@ -0,0 +1,49 @@
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Thu, 23 Aug 2018 14:42:02 +0000 (+0100)
+Subject: Bug 699665 "memory corruption in aesdecode"
+X-Git-Tag: ghostpdl-9.24rc1~13
+X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=8e9ce501
+
+Bug 699665 "memory corruption in aesdecode"
+
+The specimen file calls aesdecode without specifying the key to be
+used, though it does manage to do enough work with the PDF interpreter
+routines to get access to aesdecode (which isn't normally available).
+
+This causes us to read uninitialised memory, which can (and often does)
+lead to a segmentation fault.
+
+In this commit we set the key to NULL explicitly during intialisation
+and then check it before we read it. If its NULL we just return.
+
+It seems bizarre that we don't return error codes, we should probably
+look into that at some point, but this prevents the code trying to
+read uninitialised memory.
+---
+
+diff --git a/base/aes.c b/base/aes.c
+index a6bce93..e86f000 100644
+--- a/base/aes.c
++++ b/base/aes.c
+@@ -662,6 +662,9 @@ void aes_crypt_ecb( aes_context *ctx,
+ }
+ #endif
+
++ if (ctx == NULL || ctx->rk == NULL)
++ return;
++
+ RK = ctx->rk;
+
+ GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
+diff --git a/base/saes.c b/base/saes.c
+index 6db0e8b..307ed74 100644
+--- a/base/saes.c
++++ b/base/saes.c
+@@ -120,6 +120,7 @@ s_aes_process(stream_state * ss, stream_cursor_read * pr,
+ gs_throw(gs_error_VMerror, "could not allocate aes context");
+ return ERRC;
+ }
++ memset(state->ctx, 0x00, sizeof(aes_context));
+ if (state->keylength < 1 || state->keylength > SAES_MAX_KEYLENGTH) {
+ gs_throw1(gs_error_rangecheck, "invalid aes key length (%d bytes)",
+ state->keylength);