File CVE-2025-59798.patch of Package ghostscript.41464
--- devices/vector/gdevpdtw.c.orig 2020-03-19 09:21:42.000000000 +0100
+++ devices/vector/gdevpdtw.c 2025-11-03 15:43:36.553847349 +0100
@@ -691,7 +691,8 @@ static int
pdf_write_cid_system_info_to_stream(gx_device_pdf *pdev, stream *s,
const gs_cid_system_info_t *pcidsi, gs_id object_id)
{
- byte *Registry, *Ordering;
+ byte *Registry = NULL, *Ordering = NULL;
+ int code = 0;
Registry = gs_alloc_bytes(pdev->pdf_memory, pcidsi->Registry.size, "temporary buffer for Registry");
if (!Registry)
@@ -722,14 +723,19 @@ pdf_write_cid_system_info_to_stream(gx_d
}
s_arcfour_process_buffer(&sarc4, Ordering, pcidsi->Ordering.size);
}
- stream_puts(s, "<<\n/Registry");
+ code = stream_puts(s, "<<\n/Registry");
+ if (code < 0)
+ goto error;
s_write_ps_string(s, Registry, pcidsi->Registry.size, PRINT_HEX_NOT_OK);
- stream_puts(s, "\n/Ordering");
+ code = stream_puts(s, "\n/Ordering");
+ if(code < 0)
+ goto error;
s_write_ps_string(s, Ordering, pcidsi->Ordering.size, PRINT_HEX_NOT_OK);
+error:
pprintd1(s, "\n/Supplement %d\n>>\n", pcidsi->Supplement);
gs_free_object(pdev->pdf_memory, Registry, "free temporary Registry buffer");
gs_free_object(pdev->pdf_memory, Ordering, "free temporary Ordering buffer");
- return 0;
+ return code;
}
int
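Review bot: The `error:` label sits above the `pprintd1(s, "\n/Supplement %d\n>>\n", pcidsi->Supplement);` call, so after a failed `stream_puts` the function still writes the dictionary tail to a stream that has already reported an error. Moving `error:` down one line, so that it directly precedes the two `gs_free_object` calls, keeps the shared cleanup and skips that write. The results of the two `s_write_ps_string` calls and of `pprintd1` are not folded into `code`, so a short write in those steps would still return 0 to the caller; whether those helpers report a status at all is not visible here. The function body starts in the previous hunk and part of it lies outside both hunks.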
@@ -774,31 +780,54 @@ pdf_write_cmap(gx_device_pdf *pdev, cons
*ppres = writer.pres;
writer.pres->where_used = 0; /* CMap isn't a PDF resource. */
if (!pcmap->ToUnicode) {
- byte buf[200];
+ byte *buf = NULL;
+ uint64_t buflen = 0;
cos_dict_t *pcd = (cos_dict_t *)writer.pres->object;
stream s;
+ /* We use 'buf' for the stream 's' below and that needs to have some extra
+ * space for the CIDSystemInfo. We also need an extra byte for the leading '/'
+ * 100 bytes is ample for the overhead.
+ */
+ buflen = pcmap->CIDSystemInfo->Registry.size + pcmap->CIDSystemInfo->Ordering.size + pcmap->CMapName.size + 100;
+ if (buflen > max_uint)
+ return_error(gs_error_limitcheck);
+ buf = gs_alloc_bytes(pdev->memory, buflen, "pdf_write_cmap");
+ if (buf == NULL)
+ return_error(gs_error_VMerror);
+
code = cos_dict_put_c_key_int(pcd, "/WMode", pcmap->WMode);
- if (code < 0)
+ if (code < 0) {
+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
return code;
+ }
buf[0] = '/';
memcpy(buf + 1, pcmap->CMapName.data, pcmap->CMapName.size);
code = cos_dict_put_c_key_string(pcd, "/CMapName",
buf, pcmap->CMapName.size + 1);
- if (code < 0)
+ if (code < 0) {
+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
return code;
+ }
s_init(&s, pdev->memory);
- swrite_string(&s, buf, sizeof(buf));
+ swrite_string(&s, buf, buflen);
code = pdf_write_cid_system_info_to_stream(pdev, &s, pcmap->CIDSystemInfo, 0);
- if (code < 0)
+ if (code < 0) {
+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
return code;
+ }
code = cos_dict_put_c_key_string(pcd, "/CIDSystemInfo",
buf, stell(&s));
- if (code < 0)
+ if (code < 0) {
+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
return code;
+ }
code = cos_dict_put_string_copy(pcd, "/Type", "/CMap");
- if (code < 0)
+ if (code < 0) {
+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
return code;
+ }
+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
}
if (pcmap->CMapName.size == 0) {
/* Create an arbitrary name (for ToUnicode CMap). */
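Review bot: The `buflen > max_uint` check probably cannot fire, because the sum on the line above it is evaluated in the type of the `.size` fields and only then widened to `uint64_t`; if those fields are 32-bit unsigned (not visible in this hunk, though the comparison with `max_uint` suggests it), an oversized total wraps first and `buf` is allocated too small for the `memcpy` of `CMapName` that follows. Widening before the addition avoids this: `buflen = (uint64_t)pcmap->CIDSystemInfo->Registry.size + pcmap->CIDSystemInfo->Ordering.size + pcmap->CMapName.size + 100;`. Separately, the 100-byte margin assumes the written Registry and Ordering strings are no longer than their inputs; if `s_write_ps_string` escapes bytes, the stream opened with `swrite_string(&s, buf, buflen)` would presumably truncate rather than overflow, and nothing here would report the truncated `/CIDSystemInfo` value. pdf_write_cmap begins and ends outside the hunk.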