登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 5

abushwang/ghostscript

forked from OpenCloudOS Stream/ghostscript 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
CVE-2024-46952-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch 2.61 KB
一键复制 编辑 原始数据 按行查看 历史
abushwang 提交于 2024-11-11 11:14 . fix CVE-2024-46951, CVE-2024-46952, CVE-2024-46953, CVE-2024-46954, CV…
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162
From b1f0827c30f59a2dcbc8a39e42cace7a1de35f7f Mon Sep 17 00:00:00 2001

From: Ken Sharp <Ken.Sharp@artifex.com>

Date: Mon, 2 Sep 2024 15:14:01 +0100

Subject: [PATCH] PDF interpreter - sanitise W array values in Xref streams



Bug #708001 "Buffer overflow in PDF XRef stream"



See bug report. I've chosen to fix this by checking the values in the

W array; these can (currently at least) only have certain relatively

small values.



As a future proofing fix I've also updated field_size in

pdf_xref_stream_entries() to be a 64-bit integer. This is far bigger

than required, but matches the W array values and so prevents the

mismatch which could lead to a buffer overrun.



CVE-2024-46952

---

 pdf/pdf_xref.c | 20 +++++++++++++++++++-

 1 file changed, 19 insertions(+), 1 deletion(-)



diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c

index fefd08abe..4ad0f548f 100644

--- a/pdf/pdf_xref.c

+++ b/pdf/pdf_xref.c

@@ -53,7 +53,7 @@ static int resize_xref(pdf_context *ctx, uint64_t new_size)

 static int read_xref_stream_entries(pdf_context *ctx, pdf_c_stream *s, int64_t first, int64_t last, int64_t *W)

 {

     uint i, j;

-    uint field_width = 0;

+    uint64_t field_width = 0;

     uint32_t type = 0;

     uint64_t objnum = 0, gen = 0;

     byte *Buffer;

@@ -305,6 +305,24 @@ static int pdfi_process_xref_stream(pdf_context *ctx, pdf_stream *stream_obj, pd

     }

     pdfi_countdown(a);

 

+    /* W[0] is either:

+     * 0 (no type field) or a single byte with the type.

+     * W[1] is either:

+     * The object number of the next free object, the byte offset of this object in the file or the object5 number of the object stream where this object is stored.

+     * W[2] is either:

+     * The generation number to use if this object is used again, the generation number of the object or the index of this object within the object stream.

+     *

+     * Object and generation numbers are limited to unsigned 64-bit values, as are bytes offsets in the file, indexes of objects within the stream likewise (actually

+     * most of these are generally 32-bit max). So we can limit the field widths to 8 bytes, enough to hold a 64-bit number.

+     * Even if a later version of the spec makes these larger (which seems unlikely!) we still cna't cope with integers > 64-bits.

+     */

+    if (W[0] > 1 || W[1] > 8 || W[2] > 8) {

+        pdfi_close_file(ctx, XRefStrm);

+        pdfi_countdown(ctx->xref_table);

+        ctx->xref_table = NULL;

+        return code;

+    }

+

     code = pdfi_dict_get_type(ctx, sdict, "Index", PDF_ARRAY, (pdf_obj **)&a);

     if (code == gs_error_undefined) {

         code = read_xref_stream_entries(ctx, XRefStrm, 0, size - 1, W);

-- 

2.39.3
Loading...
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/abushwang/ghostscript.git
git@gitee.com:abushwang/ghostscript.git
abushwang
ghostscript
ghostscript
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部