2 files changed, 37 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch
new file mode 100644
index 0000000000..5d50865271
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch
@@ -0,0 +1,36 @@
+From 176cf0188a2294bc307b8caec876f39412e58350 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Tue, 1 Jul 2025 10:31:17 +0100
+Subject: [PATCH] PDF OCR 8 bit device - avoid overflow
+Bug 708602 "Heap overflow in ocr_line8"
+Make sure the calculation of the required raster size does not overflow
+an int.
+CVE: CVE-2025-59800
+Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/176cf0188a2294bc307b8caec876f39412e58350]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ devices/gdevpdfocr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
+index f27dc11db..6362f4104 100644
+--- a/devices/gdevpdfocr.c
+++ b/devices/gdevpdfocr.c
+@@ -521,9 +521,12 @@ ocr_line32(gx_device_pdf_image *dev, void *row)
+ static int
+ ocr_begin_page(gx_device_pdf_image *dev, int w, int h, int bpp)
+ {
+-    int raster = (w+3)&~3;
+    int64_t raster = (w + 3) & ~3;
+ 
+-    dev->ocr.data = gs_alloc_bytes(dev->memory, raster * h, "ocr_begin_page");
+    raster = raster * (int64_t)h;
+    if (raster < 0 || raster > max_size_t)
+        return gs_note_error(gs_error_VMerror);
+    dev->ocr.data = gs_alloc_bytes(dev->memory, raster, "ocr_begin_page");
+     if (dev->ocr.data == NULL)
+         return_error(gs_error_VMerror);
+     dev->ocr.w = w;
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
index 0f123d4899..a48ad671c7 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
@@ -27,6 +27,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo
           file://avoid-host-contamination.patch \
           file://CVE-2025-59798.patch \
           file://CVE-2025-59799.patch \
+           file://CVE-2025-59800.patch \
           "
 SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49"

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch new file mode 100644 index 0000000000..5d50865271 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch
@@ -0,0 +1,36 @@
		1	From 176cf0188a2294bc307b8caec876f39412e58350 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <Ken.Sharp@artifex.com>
		3	Date: Tue, 1 Jul 2025 10:31:17 +0100
		4	Subject: [PATCH] PDF OCR 8 bit device - avoid overflow
		5
		6	Bug 708602 "Heap overflow in ocr_line8"
		7
		8	Make sure the calculation of the required raster size does not overflow
		9	an int.
		10
		11	CVE: CVE-2025-59800
		12	Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/176cf0188a2294bc307b8caec876f39412e58350]
		13	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		14	---
		15	devices/gdevpdfocr.c \| 7 +++++--
		16	1 file changed, 5 insertions(+), 2 deletions(-)
		17
		18	diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
		19	index f27dc11db..6362f4104 100644
		20	--- a/devices/gdevpdfocr.c
		21	+++ b/devices/gdevpdfocr.c
		22	@@ -521,9 +521,12 @@ ocr_line32(gx_device_pdf_image dev, void row)
		23	static int
		24	ocr_begin_page(gx_device_pdf_image *dev, int w, int h, int bpp)
		25	{
		26	- int raster = (w+3)&~3;
		27	+ int64_t raster = (w + 3) & ~3;
		28
		29	- dev->ocr.data = gs_alloc_bytes(dev->memory, raster * h, "ocr_begin_page");
		30	+ raster = raster * (int64_t)h;
		31	+ if (raster < 0 \|\| raster > max_size_t)
		32	+ return gs_note_error(gs_error_VMerror);
		33	+ dev->ocr.data = gs_alloc_bytes(dev->memory, raster, "ocr_begin_page");
		34	if (dev->ocr.data == NULL)
		35	return_error(gs_error_VMerror);
		36	dev->ocr.w = w;


diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb index 0f123d4899..a48ad671c7 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
@@ -27,6 +27,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo
27	file://avoid-host-contamination.patch \	27	file://avoid-host-contamination.patch \
28	file://CVE-2025-59798.patch \	28	file://CVE-2025-59798.patch \
29	file://CVE-2025-59799.patch \	29	file://CVE-2025-59799.patch \
		30	file://CVE-2025-59800.patch \
30	"	31	"
31		32
32	SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49"	33	SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49"