summary refs log tree commit diff
path: root/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
blob: b6658d7c7f6fbfe526c8aa51bd7e6a09f8ab926a (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
Fix CVE-2020-15900.

https://cve.circl.lu/cve/CVE-2020-15900
https://artifex.com/security-advisories/CVE-2020-15900

Taken from upstream:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b

diff --git a/psi/zstring.c b/psi/zstring.c
--- a/psi/zstring.c
+++ b/psi/zstring.c
@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
     return 0;
 found:
     op->tas.type_attrs = op1->tas.type_attrs;
-    op->value.bytes = ptr;
-    r_set_size(op, size);
+    op->value.bytes = ptr;				/* match */
+    op->tas.rsize = size;				/* match */
     push(2);
-    op[-1] = *op1;
-    r_set_size(op - 1, ptr - op[-1].value.bytes);
-    op1->value.bytes = ptr + size;
-    r_set_size(op1, count + (!forward ? (size - 1) : 0));
+    op[-1] = *op1;					/* pre */
+    op[-3].value.bytes = ptr + size;			/* post */
+    if (forward) {
+        op[-1].tas.rsize = ptr - op[-1].value.bytes;	/* pre */
+        op[-3].tas.rsize = count;			/* post */
+    } else {
+        op[-1].tas.rsize = count;			/* pre */
+        op[-3].tas.rsize -= count + size;		/* post */
+    }
     make_true(op);
     return 0;
 }