File CVE-2025-27831.patch of Package ghostscript.38120
--- devices/vector/gdevtxtw.c.orig 2020-03-19 09:21:42.000000000 +0100
+++ devices/vector/gdevtxtw.c 2025-03-27 09:33:17.896176285 +0100
@@ -1755,7 +1755,7 @@ static int get_unicode(textw_text_enum_t
}
if (strlen(dentry->Glyph) == gnstr.size) {
if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) {
- memcpy(Buffer, dentry->Unicode, 2);
+ memcpy(Buffer, dentry->Unicode, 2 * sizeof(unsigned short));
return 2;
}
}
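Review bot: The corrected byte counts in the three memcpy calls (this one, and the tentry and qentry hunks below) still spell out the element type by hand, so the count-versus-bytes mistake the commit fixes could recur if either type changes. Tying the size to the destination, e.g. `memcpy(Buffer, dentry->Unicode, 2 * sizeof(*Buffer));`, keeps it in step; `sizeof(dentry->Unicode)` would also work if that member is declared as an array, which is not visible here. None of the hunks shows how large the caller's Buffer is, so confirm that every caller of get_unicode provides room for four 16-bit values now that up to eight bytes are written. get_unicode starts and ends outside these hunks.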
@@ -1773,7 +1773,7 @@ static int get_unicode(textw_text_enum_t
}
if (strlen(tentry->Glyph) == gnstr.size) {
if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) {
- memcpy(Buffer, tentry->Unicode, 3);
+ memcpy(Buffer, tentry->Unicode, 3 * sizeof(unsigned short));
return 3;
}
}
@@ -1791,7 +1791,7 @@ static int get_unicode(textw_text_enum_t
}
if (strlen(qentry->Glyph) == gnstr.size) {
if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) {
- memcpy(Buffer, qentry->Unicode, 4);
+ memcpy(Buffer, qentry->Unicode, 4 * sizeof(unsigned short));
return 4;
}
}
@@ -1804,6 +1804,18 @@ static int get_unicode(textw_text_enum_t
} else {
char *b, *u;
int l = length - 1;
+
+ /* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly
+ * 2 bytes. If we got an odd number, give up and return the character code.
+ *
+ * The magic number here is due to the clients calling this code. Currently txtwrite
+ * allows up to 4 Unicode values per character/glyph, if the length would exceed that we can't
+ * write it. For now, again, fall back to the character code.
+ */
+ if (length & 1 || length > 4 * sizeof(unsigned short)) {
+ *Buffer = fallback;
+ return 1;
+ }
unicode = (ushort *)gs_alloc_bytes(penum->dev->memory, length, "temporary Unicode array");
length = font->procs.decode_glyph((gs_font *)font, glyph, ch, unicode, length);
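Review bot: The new guard `length > 4 * sizeof(unsigned short)` hard-codes the callers' buffer capacity inside get_unicode, as its own comment admits, so a caller with a smaller Buffer is not protected and nothing fails at build time if that limit changes. A named constant shared with the callers (placeholder name `TXTWRITE_MAX_UNICODE_PER_GLYPH`) or an explicit capacity parameter would keep the bound in one place. `length` appears to be a signed int (it is assigned to `int l` just above), so negative values are rejected only through the implicit conversion to size_t; `if (length < 0 || (length & 1) || (size_t)length > 4 * sizeof(unsigned short))` states that intent. In the context lines, the `gs_alloc_bytes` result is passed straight to `decode_glyph` with no NULL check; the function continues past the hunk, so check whether the allocation failure is handled anywhere.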