ghostscript/0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch

27 lines
1.2 KiB
Diff
Raw Normal View History

diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
index 74200cf..dc45b22 100644
--- a/contrib/opvp/gdevopvp.c
+++ b/contrib/opvp/gdevopvp.c
@@ -3296,7 +3296,7 @@ _get_params(gx_device* dev, gs_param_list *plist)
/* vector driver name */
pname = "Driver";
vdps.data = (byte *)opdev->globals.vectorDriver;
- vdps.size = (opdev->globals.vectorDriver ? strlen(opdev->globals.vectorDriver) + 1 : 0);
+ vdps.size = (opdev->globals.vectorDriver ? strlen(opdev->globals.vectorDriver) : 0);
vdps.persistent = false;
code = param_write_string(plist, pname, &vdps);
if (code) ecode = code;
@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist)
code = param_read_string(plist, pname, &vdps);
switch (code) {
case 0:
+ if (gs_is_path_control_active(dev->memory)
+ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size
+ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) {
+ param_signal_error(plist, pname, gs_error_invalidaccess);
+ return_error(gs_error_invalidaccess);
+ }
buff = realloc(buff, vdps.size + 1);
memcpy(buff, vdps.data, vdps.size);
buff[vdps.size] = 0;