From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 13 Jan 2025 09:15:01 +0000
Subject: Bug 708241: Fix potential Buffer overflow with DollarBlend
Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8474e1d6b896e35741d3c608ea5c21deeec1078f
Bug: https://bugs.ghostscript.com/show_bug.cgi?id=708241
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27830

The overflow can occur while serializing a multiple master font to pass to FreeType.

Use CVE-2025-27830
---
 base/write_t1.c | 9 +++++----
 psi/zfapi.c     | 9 +++++++--
 2 files changed, 12 insertions(+), 6 deletions(-)

--- a/base/write_t1.c
+++ b/base/write_t1.c
@@ -628,6 +628,7 @@ write_main_dictionary(gs_fapi_font * a_f
     WRF_wbyte(a_fapi_font->memory, a_output, '\n');
     if (is_MM_font(a_fapi_font)) {
         short x, x2;
+        unsigned short ux;
         float x1;
         uint i, j, entries;
         char Buffer[255];
@@ -759,16 +760,16 @@ write_main_dictionary(gs_fapi_font * a_f
          */
         code = a_fapi_font->get_word(a_fapi_font,
                                    gs_fapi_font_feature_DollarBlend_length,
-                                   0, (unsigned short *)&x);
+                                   0, &ux);
         if (code < 0)
             return code;
 
-        if (x > 0) {
+        if (ux > 0) {
             int len;
             WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {");
 
             if (a_output->m_count)
-                a_output->m_count += x;
+                a_output->m_count += ux;
             len = a_fapi_font->get_proc(a_fapi_font,
                                       gs_fapi_font_feature_DollarBlend, 0,
                                       (char *)a_output->m_pos);
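Review bot: The `get_proc` call that closes this hunk still receives `a_output->m_pos` with no size argument, so the write stays in bounds only if the `ux` reported by `get_word` covers every byte `get_proc` emits. Nothing visible in the hunk checks that, and `ux` is only added to `m_count`, not compared with the space left in the output. Presumably the buffer is sized by an earlier counting pass; that assumption deserves a comment above the call, e.g. `/* get_proc takes no size: DollarBlend_length must be an upper bound on what it writes here */`. If `len` is the number of bytes written, a check after the call that `len` does not exceed `ux` would at least surface a mismatch between the two computations. The rest of write_main_dictionary lies outside the hunk.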
--- a/psi/zfapi.c
+++ b/psi/zfapi.c
@@ -683,7 +683,7 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fa
                 }
                 for (i = 0; i < r_size(DBlend); i++) {
                     if (array_get(ff->memory, DBlend, i, &Element) < 0) {
-                        *ret = 0;
+                        length = 0;
                         break;
                     }
                     switch (r_btype(&Element)) {
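Review bot: Setting `length = 0` when `array_get` fails makes a read error indistinguishable from a font that has no $Blend procedure, so the caller in write_t1.c sees `ux == 0` and quietly omits the block. The `length > max_ushort` branch in the next hunk has the same effect. If FAPI_FF_get_word can return a status from this point (its signature and tail are outside the hunk), propagating the `array_get` result would let the existing `if (code < 0) return code;` in write_main_dictionary reject the font. If zero is the intended signal, say so with a comment such as `/* unreadable element: report zero length so the caller skips $Blend */`.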
@@ -710,7 +710,12 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fa
                         default:
                             break;
                     }
-                }
+
+                    if (length > max_ushort) {
+                        length = 0;
+                        break;
+                    }
+                 }
                 *ret = length;
                 break;
             }
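Review bot: The closing brace re-added for the `for` loop sits one column deeper than the brace it replaces, so it no longer aligns with the `for`; it should go back to the loop's indentation. The new range check also needs a comment explaining why it runs on every iteration, e.g. `/* the caller's destination is an unsigned short; stop before length can exceed it */`. The declaration of `length` is outside the hunk, so confirm it is wider than unsigned short, since otherwise `length > max_ushort` can never be true and the guard does nothing.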
