!175 Fix CVE-2025-27830

From: @fundawang Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
2025-04-02 07:19:53 +00:00 · 2025-04-02 07:19:53 +00:00 · 9a623c323c
commit 9a623c323c
parent b31ad8b489 7355d372ff
2 changed files with 66 additions and 4 deletions
--- a/backport-CVE-2025-27830.patch
+++ b/backport-CVE-2025-27830.patch
@ -0,0 +1,55 @@
+Backport of:
+
+From 8474e1d6b896e35741d3c608ea5c21deeec1078f Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 13 Jan 2025 09:15:01 +0000
+Subject: Bug 708241: Fix potential Buffer overflow with DollarBlend
+
+During serializing a multiple master font for passing to Freetype.
+
+Use CVE-2025-27830
+---
+ base/write_t1.c | 9 +++++----
+ psi/zfapi.c     | 9 +++++++--
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/base/write_t1.c
+++ b/base/write_t1.c
+@@ -454,6 +454,7 @@ write_main_dictionary(gs_fapi_font * a_f
+     WRF_wbyte(a_fapi_font->memory, a_output, '\n');
+     if (is_MM_font(a_fapi_font)) {
+         short x, x2;
+        unsigned short ux;
+         float x1;
+         uint i, j, entries;
+         char Buffer[255];
+@@ -548,14 +549,14 @@ write_main_dictionary(gs_fapi_font * a_f
+          * be because the "get_proc" method below was missing the code to handle PS name
+          * objects.
+          */
+-        if ((x =
+        if ((ux =
+              a_fapi_font->get_word(a_fapi_font,
+                                    gs_fapi_font_feature_DollarBlend_length,
+                                    0)) > 0) {
+             WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {");
+ 
+             if (a_output->m_count)
+-                a_output->m_count += x;
+                a_output->m_count += ux;
+             x = a_fapi_font->get_proc(a_fapi_font,
+                                       gs_fapi_font_feature_DollarBlend, 0,
+                                       (char *)a_output->m_pos);
+--- a/psi/zfapi.c
+++ b/psi/zfapi.c
+@@ -618,6 +618,10 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fa
+                         default:
+                             break;
+                     }
+
+                    if (length > max_ushort) {
+                        return 0;
+                    }
+                 }
+                 return length;
+             }
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -9,7 +9,7 @@

 Name:             ghostscript
 Version:          9.52
-Release:          21
+Release:          22
 Summary:          An interpreter for PostScript and PDF files
 License:          AGPLv3+
 URL:              https://ghostscript.com/
@ -64,9 +64,10 @@ Patch45:  backport-CVE-2024-46953.patch
 Patch46:  backport-CVE-2024-46956.patch
 Patch47:  backport-CVE-2024-46955.patch
 Patch48:  backport-CVE-2024-46951.patch
-Patch49:  backport-CVE-2025-27832.patch
-Patch50:  backport-CVE-2025-27835.patch
-Patch60:  backport-CVE-2025-27836.patch
+Patch49:  backport-CVE-2025-27830.patch
+Patch50:  backport-CVE-2025-27832.patch
+Patch51:  backport-CVE-2025-27835.patch
+Patch52:  backport-CVE-2025-27836.patch

 BuildRequires:    automake gcc
 BuildRequires:    adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -227,6 +228,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf

 %changelog
+* Tue Apr 01 2025 Funda Wang <fundawang@yeah.net> - 9.52-22
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2025-27830
+
 * Thu Mar 27 2025 Funda Wang <fundawang@yeah.net> - 9.52-21
 - Type:CVE
 - ID:NA