From 3706c3f3314fa24e64354141e000535c7e8b3982 Mon Sep 17 00:00:00 2001
From: David Kaspar [Dee'Kej] <dkaspar@redhat.com>
Date: Apr 06 2017 14:27:59 +0000
Subject: Added security patch for CVE-2017-7207


  Resolves: #1434497

---

diff --git a/ghostscript-9.20-cve-2017-7207.patch b/ghostscript-9.20-cve-2017-7207.patch
new file mode 100644
index 0000000..ebe83fe
--- /dev/null
+++ b/ghostscript-9.20-cve-2017-7207.patch
@@ -0,0 +1,33 @@
+From 309eca4e0a31ea70dcc844812691439312dad091 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Mon, 20 Mar 2017 09:34:11 +0000
+Subject: [PATCH] Ensure a device has raster memory, before trying to read it.
+
+Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"
+
+This is only possible by abusing/mis-using Ghostscript-specific
+language extensions, so cannot happen in a general PostScript program.
+
+Nevertheless, Ghostscript should not crash. So this commit checks the
+memory device to see if raster memory has been allocated, before trying
+to read from it.
+---
+ base/gdevmem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/base/gdevmem.c b/base/gdevmem.c
+index afd05bd..d52d684 100644
+--- a/base/gdevmem.c
++++ b/base/gdevmem.c
+@@ -606,6 +606,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect,
+             GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
+         return_error(gs_error_rangecheck);
+     }
++    if (mdev->line_ptrs == 0x00)
++        return_error(gs_error_rangecheck);
+     if ((w <= 0) | (h <= 0)) {
+         if ((w | h) < 0)
+             return_error(gs_error_rangecheck);
+-- 
+2.9.3
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 490f640..d2e0dea 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer
 Name: ghostscript
 Version: %{gs_ver}
 
-Release: 7%{?dist}
+Release: 8%{?dist}
 
 # Included CMap data is Redistributable, no modification permitted,
 # see http://bugzilla.redhat.com/487510
@@ -30,6 +30,7 @@ Patch7: ghostscript-9.20-cve-2016-7978.patch
 Patch8: ghostscript-9.20-cve-2016-8602.patch
 Patch9: ghostscript-9.20-cve-2016-7977.patch
 Patch12: ghostscript-9.20-cve-2016-9601.patch
+Patch13: ghostscript-9.20-cve-2017-7207.patch
 
 Requires: %{name}-core%{?_isa} = %{version}-%{release}
 Requires: %{name}-x11%{?_isa} = %{version}-%{release}
@@ -155,6 +156,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib 
 # Squash signed/unsigned warnings in MSVC jbig2 build (bug #1410021):
 %patch12 -p1
 
+# Check for null-pointer dereference in mem_get_bits_rectangle() (bug #1434497):
+%patch13 -p1
+
 # Convert manual pages to UTF-8
 from8859_1() {
         iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@@ -351,6 +355,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libgs.so
 
 %changelog
+* Thu Apr 06 2017 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.20-8
+  Added security fix for CVE-2017-7207 (bug #1434497)
+
 * Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 9.20-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild