From 3bd218e8d4abde56e7ce9149311df5e60db0e321 Mon Sep 17 00:00:00 2001
From: Marius Bakke <marius@gnu.org>
Date: Tue, 8 Dec 2020 21:11:19 +0100
Subject: [PATCH] gnu: ghostscript: Fix CVE-2020-15900.

* gnu/packages/patches/ghostscript-CVE-2020-15900.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/ghostscript.scm (ghostscript)[source](patches): Add it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/ghostscript.scm                  |  1 +
 .../patches/ghostscript-CVE-2020-15900.patch  | 36 +++++++++++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 gnu/packages/patches/ghostscript-CVE-2020-15900.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 97dd9a74d0..7f0b69cacf 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1055,6 +1055,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/ghc-monad-par-fix-tests.patch		\
   %D%/packages/patches/ghc-pandoc-fix-html-tests.patch		\
   %D%/packages/patches/ghc-pandoc-fix-latex-test.patch		\
+  %D%/packages/patches/ghostscript-CVE-2020-15900.patch		\
   %D%/packages/patches/ghostscript-freetype-compat.patch	\
   %D%/packages/patches/ghostscript-no-header-id.patch		\
   %D%/packages/patches/ghostscript-no-header-uuid.patch		\
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index b132fba7eb..03a516dc52 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -171,6 +171,7 @@ printing, and psresize, for adjusting page sizes.")
          (base32
           "0z1w42y2jmcpl2m1l3z0sfii6zmvzcwcgzn6bydklia6ig7jli2p"))
         (patches (search-patches "ghostscript-freetype-compat.patch"
+                                 "ghostscript-CVE-2020-15900.patch"
                                  "ghostscript-no-header-creationdate.patch"
                                  "ghostscript-no-header-id.patch"
                                  "ghostscript-no-header-uuid.patch"))
diff --git a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
new file mode 100644
index 0000000000..b6658d7c7f
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
@@ -0,0 +1,36 @@
+Fix CVE-2020-15900.
+
+https://cve.circl.lu/cve/CVE-2020-15900
+https://artifex.com/security-advisories/CVE-2020-15900
+
+Taken from upstream:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
+
+diff --git a/psi/zstring.c b/psi/zstring.c
+--- a/psi/zstring.c
++++ b/psi/zstring.c
+@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
+     return 0;
+ found:
+     op->tas.type_attrs = op1->tas.type_attrs;
+-    op->value.bytes = ptr;
+-    r_set_size(op, size);
++    op->value.bytes = ptr;				/* match */
++    op->tas.rsize = size;				/* match */
+     push(2);
+-    op[-1] = *op1;
+-    r_set_size(op - 1, ptr - op[-1].value.bytes);
+-    op1->value.bytes = ptr + size;
+-    r_set_size(op1, count + (!forward ? (size - 1) : 0));
++    op[-1] = *op1;					/* pre */
++    op[-3].value.bytes = ptr + size;			/* post */
++    if (forward) {
++        op[-1].tas.rsize = ptr - op[-1].value.bytes;	/* pre */
++        op[-3].tas.rsize = count;			/* post */
++    } else {
++        op[-1].tas.rsize = count;			/* pre */
++        op[-3].tas.rsize -= count + size;		/* post */
++    }
+     make_true(op);
+     return 0;
+ }
-- 
2.20.1