ghostscript: add patch fixing CVE-2015-3228 (from debian)

2 files changed, 25 insertions, 1 deletions

diff --git a/pkgs/misc/ghostscript/CVE-2015-3228.patch b/pkgs/misc/ghostscript/CVE-2015-3228.patch
new file mode 100644
index 000000000000..7be18b0a7302
--- /dev/null
+++ b/pkgs/misc/ghostscript/CVE-2015-3228.patch
@@ -0,0 +1,20 @@
+Description: Sanity check for memory allocation.
+ In gs_heap_alloc_bytes(), add a sanity check to ensure we don't overflow the
+ variable holding the actual number of bytes we allocate.
+Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0c0b085
+Author: Chris Liddell <chris.liddell@artifex.com>
+Forwarded: yes
+Bug-Debian: http://bugs.debian.org/793489
+Last-Update: 2015-07-26
+
+--- a/base/gsmalloc.c
++++ b/base/gsmalloc.c
+@@ -178,7 +178,7 @@
+     } else {
+         uint added = size + sizeof(gs_malloc_block_t);
+ 
+-        if (mmem->limit - added < mmem->used)
++        if (added <= size || mmem->limit - added < mmem->used)
+             set_msg("exceeded limit");
+         else if ((ptr = (byte *) Memento_label(malloc(added), cname)) == 0)
+             set_msg("failed");
diff --git a/pkgs/misc/ghostscript/default.nix b/pkgs/misc/ghostscript/default.nix
index 11f816dbb972..820e5f3cffe6 100644
--- a/pkgs/misc/ghostscript/default.nix
+++ b/pkgs/misc/ghostscript/default.nix
@@ -40,7 +40,11 @@ stdenv.mkDerivation rec {
     # [] # maybe sometimes jpeg2000 support
     ;
 
-  patches = [ ./urw-font-files.patch ];
+  patches = [
+    ./urw-font-files.patch
+    # fetched from debian's ghostscript 9.15_dfsg-1 (called 020150707~0c0b085.patch there)
+    ./CVE-2015-3228.patch
+  ];
 
   makeFlags = [ "cups_serverroot=$(out)" "cups_serverbin=$(out)/lib/cups" ];