From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Fri, 30 Aug 2024 13:11:53 +0100
Subject: PS interpreter - check Indexed colour space index
Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ca1fc2aefe9796e321d0589afe7efb35063c8b2a
Bug: https://bugs.ghostscript.com/show_bug.cgi?id=707990
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-46955

Bug #707990 "Out of bounds read when reading color in "Indexed" color space"

Check the 'index' is in the valid range (0 to hival) for the colour
space.

Also add a couple of additional checks on the type of the 'proc' for
Indexed, DeviceN and Separation spaces, to make sure these really are
procs in case the user changed the colour space array.

CVE-2024-46955
---
 psi/zcolor.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/psi/zcolor.c b/psi/zcolor.c
index 18caebe01857..d4e7a4438186 100644
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -3815,6 +3815,7 @@ static int septransform(i_ctx_t *i_ctx_p, ref *sepspace, int *usealternate, int
         code = array_get(imemory, sepspace, 3, &proc);
         if (code < 0)
             return code;
+        check_proc(proc);
         *esp = proc;
         return o_push_estack;
     }
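Review bot: The added `check_proc(proc);` in septransform has no comment saying why element 3 is validated again, and the same applies to the identical additions in devicentransform and in the proc branch of indexedbasecolor. The index check in this commit does carry a comment with the bug reference. The reason is currently only in the commit message: the user may have changed the colour space array, so the fetched object has to be confirmed as a procedure before it is stored on the exec stack. I would put `/* The colour space array may have been altered by the user; make sure this is still a procedure. See bug #707990 */` above each of the three calls. septransform's body starts and ends outside the hunk.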
@@ -4630,6 +4631,7 @@ static int devicentransform(i_ctx_t *i_ctx_p, ref *devicenspace, int *usealterna
         code = array_get(imemory, devicenspace, 3, &proc);
         if (code < 0)
             return code;
+        check_proc(proc);
         esp++;
         *esp = proc;
         return o_push_estack;
@@ -5054,6 +5056,7 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
             code = array_get(imemory, space, 3, &proc);
             if (code < 0)
                 return code;
+            check_proc(proc);
             *ep = proc;	/* lookup proc */
             return o_push_estack;
         } else {
@@ -5067,6 +5070,9 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
             if (!r_has_type(op, t_integer))
                 return_error (gs_error_typecheck);
             index = op->value.intval;
+            /* Ensure it is in range. See bug #707990 */
+            if (index < 0 || index > pcs->params.indexed.hival)
+                return_error(gs_error_rangecheck);
             /* And remove it from the stack. */
             ref_stack_pop(&o_stack, 1);
             op = osp;
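Review bot: The range check tests `index` after the assignment `index = op->value.intval;`, and the declaration of `index` is outside the hunk. If it is narrower than the interpreter's integer value, an oversized operand is truncated first and may be accepted as a valid index instead of raising rangecheck. Testing the operand before narrowing avoids that: `if (op->value.intval < 0 || op->value.intval > pcs->params.indexed.hival) return_error(gs_error_rangecheck);` placed ahead of the assignment. The value used afterwards is within 0..hival either way, so this concerns error reporting and not a remaining out-of-bounds access. indexedbasecolor's body continues outside the hunk.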
-- 
2.45.2

