File CVE-2025-27836.patch of Package ghostscript.38120
--- contrib/japanese/gdev10v.c.orig 2020-03-19 09:21:42.000000000 +0100
+++ contrib/japanese/gdev10v.c 2025-03-28 13:47:29.815232090 +0100
@@ -218,17 +218,25 @@ bj10v_print_page(gx_device_printer *pdev
int bytes_per_column = bits_per_column / 8;
int x_skip_unit = bytes_per_column * (xres / 180);
int y_skip_unit = (yres / 180);
- byte *in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
- /* We need one extra byte in <out> for our sentinel. */
- byte *out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
+ byte *in, *out;
int lnum = 0;
int y_skip = 0;
int code = 0;
int blank_lines = 0;
int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3;
- if ( in == 0 || out == 0 )
- return -1;
+ if (bits_per_column == 0 || line_size > (max_int - 1) / bits_per_column) {
+ code = gs_note_error(gs_error_rangecheck);
+ goto error;
+ }
+
+ in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
+ /* We need one extra byte in <out> for our sentinel. */
+ out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
+ if ( in == NULL || out == NULL ) {
+ code = gs_note_error(gs_error_VMerror);
+ goto error;
+ }
/* Initialize the printer. */
prn_puts(pdev, "\033@");
@@ -339,8 +347,10 @@ notz:
}
/* Eject the page */
-xit: prn_putc(pdev, 014); /* form feed */
+xit:
+ prn_putc(pdev, 014); /* form feed */
prn_flush(pdev);
+error:
gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
return code;
