From: Zdenek Hutyra Date: Wed, 20 Nov 2024 11:42:31 +0000 Subject: Bug 708133: Avoid integer overflow leading to buffer overflow Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=57291c846334f1585552010faa42d7cb2cbd5c41 Bug: https://bugs.ghostscript.com/show_bug.cgi?id=708133 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27832 The calculation of the buffer size was being done with int values, and overflowing that data type. By leaving the total size calculation to the memory manager, the calculation ends up being done in size_t values, and avoiding the overflow in this case, but also meaning the memory manager overflow protection will be effective. CVE-2025-27832 --- contrib/japanese/gdevnpdl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c index 60065bacf9fb..4967282bd757 100644 --- a/contrib/japanese/gdevnpdl.c +++ b/contrib/japanese/gdevnpdl.c @@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c int code; int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh; - if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)"))) + if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)"))) return_error(gs_error_VMerror); /* Initialize printer */ @@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c /* Form Feed */ gp_fputs("\014", prn_stream); - gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)"); + gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)"); return 0; } -- 2.49.0