[jackhill/guix/guix.git] / gnu / packages / patches / ghostscript-CVE-2020-15900.patch

Fix CVE-2020-15900.

https://cve.circl.lu/cve/CVE-2020-15900
https://artifex.com/security-advisories/CVE-2020-15900

Taken from upstream:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b

diff --git a/psi/zstring.c b/psi/zstring.c
--- a/psi/zstring.c
+++ b/psi/zstring.c
@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
     return 0;
 found:
     op->tas.type_attrs = op1->tas.type_attrs;
-    op->value.bytes = ptr;
-    r_set_size(op, size);
+    op->value.bytes = ptr;				/* match */
+    op->tas.rsize = size;				/* match */
     push(2);
-    op[-1] = *op1;
-    r_set_size(op - 1, ptr - op[-1].value.bytes);
-    op1->value.bytes = ptr + size;
-    r_set_size(op1, count + (!forward ? (size - 1) : 0));
+    op[-1] = *op1;					/* pre */
+    op[-3].value.bytes = ptr + size;			/* post */
+    if (forward) {
+        op[-1].tas.rsize = ptr - op[-1].value.bytes;	/* pre */
+        op[-3].tas.rsize = count;			/* post */
+    } else {
+        op[-1].tas.rsize = count;			/* pre */
+        op[-3].tas.rsize -= count + size;		/* post */
+    }
     make_true(op);
     return 0;
 }
Commit	Line	Data
3bd218e8 MB	1	Fix CVE-2020-15900.
	2
	3	https://cve.circl.lu/cve/CVE-2020-15900
	4	https://artifex.com/security-advisories/CVE-2020-15900
	5
	6	Taken from upstream:
	7	https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
	8
	9	diff --git a/psi/zstring.c b/psi/zstring.c
	10	--- a/psi/zstring.c
	11	+++ b/psi/zstring.c
	12	@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
	13	return 0;
	14	found:
	15	op->tas.type_attrs = op1->tas.type_attrs;
	16	- op->value.bytes = ptr;
	17	- r_set_size(op, size);
	18	+ op->value.bytes = ptr; /* match */
	19	+ op->tas.rsize = size; /* match */
	20	push(2);
	21	- op[-1] = *op1;
	22	- r_set_size(op - 1, ptr - op[-1].value.bytes);
	23	- op1->value.bytes = ptr + size;
	24	- r_set_size(op1, count + (!forward ? (size - 1) : 0));
	25	+ op[-1] = op1; / pre */
	26	+ op[-3].value.bytes = ptr + size; /* post */
	27	+ if (forward) {
	28	+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
	29	+ op[-3].tas.rsize = count; /* post */
	30	+ } else {
	31	+ op[-1].tas.rsize = count; /* pre */
	32	+ op[-3].tas.rsize -= count + size; /* post */
	33	+ }
	34	make_true(op);
	35	return 0;
	36	}