- Applied patch to fix CVE-2010-1628 (memory corruption at PS stack
overflow, bug #592492).
This commit is contained in:
parent
9156a8754c
commit
02461c194f
124
ghostscript-CVE-2010-1628.patch
Normal file
124
ghostscript-CVE-2010-1628.patch
Normal file
@ -0,0 +1,124 @@
|
|||||||
|
diff -up ghostscript-8.70/psi/ialloc.c.CVE-2010-1628 ghostscript-8.70/psi/ialloc.c
|
||||||
|
--- ghostscript-8.70/psi/ialloc.c.CVE-2010-1628 2008-08-28 23:48:19.000000000 +0100
|
||||||
|
+++ ghostscript-8.70/psi/ialloc.c 2010-07-16 12:15:45.230948203 +0100
|
||||||
|
@@ -185,7 +185,14 @@ gs_alloc_ref_array(gs_ref_memory_t * mem
|
||||||
|
*/
|
||||||
|
chunk_t *pcc = mem->pcc;
|
||||||
|
ref *end;
|
||||||
|
+ alloc_change_t *cp = 0;
|
||||||
|
+ int code = 0;
|
||||||
|
|
||||||
|
+ if ((gs_memory_t *)mem != mem->stable_memory) {
|
||||||
|
+ code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &cp);
|
||||||
|
+ if (code < 0)
|
||||||
|
+ return code;
|
||||||
|
+ }
|
||||||
|
obj = gs_alloc_struct_array((gs_memory_t *) mem, num_refs + 1,
|
||||||
|
ref, &st_refs, cname);
|
||||||
|
if (obj == 0)
|
||||||
|
@@ -210,14 +217,10 @@ gs_alloc_ref_array(gs_ref_memory_t * mem
|
||||||
|
chunk_locate_ptr(obj, &cl);
|
||||||
|
cl.cp->has_refs = true;
|
||||||
|
}
|
||||||
|
- if ((gs_memory_t *)mem != mem->stable_memory) {
|
||||||
|
- ref_packed **ppr = 0;
|
||||||
|
- int code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &ppr);
|
||||||
|
- if (code < 0)
|
||||||
|
- return code;
|
||||||
|
- if (ppr)
|
||||||
|
- *ppr = (ref_packed *)obj;
|
||||||
|
- }
|
||||||
|
+ if (cp) {
|
||||||
|
+ mem->changes = cp;
|
||||||
|
+ cp->where = (ref_packed *)obj;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
make_array(parr, attrs | mem->space, num_refs, obj);
|
||||||
|
return 0;
|
||||||
|
diff -up ghostscript-8.70/psi/idosave.h.CVE-2010-1628 ghostscript-8.70/psi/idosave.h
|
||||||
|
--- ghostscript-8.70/psi/idosave.h.CVE-2010-1628 2008-08-28 23:48:19.000000000 +0100
|
||||||
|
+++ ghostscript-8.70/psi/idosave.h 2010-07-16 12:15:45.238073609 +0100
|
||||||
|
@@ -18,6 +18,22 @@
|
||||||
|
# define idosave_INCLUDED
|
||||||
|
|
||||||
|
/*
|
||||||
|
+ * Structure for saved change chain for save/restore. Because of the
|
||||||
|
+ * garbage collector, we need to distinguish the cases where the change
|
||||||
|
+ * is in a static object, a dynamic ref, or a dynamic struct.
|
||||||
|
+ */
|
||||||
|
+typedef struct alloc_change_s alloc_change_t;
|
||||||
|
+struct alloc_change_s {
|
||||||
|
+ alloc_change_t *next;
|
||||||
|
+ ref_packed *where;
|
||||||
|
+ ref contents;
|
||||||
|
+#define AC_OFFSET_STATIC (-2) /* static object */
|
||||||
|
+#define AC_OFFSET_REF (-1) /* dynamic ref */
|
||||||
|
+#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */
|
||||||
|
+ short offset; /* if >= 0, offset within struct */
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
* Save a change that must be undone by restore. We have to pass the
|
||||||
|
* pointer to the containing object to alloc_save_change for two reasons:
|
||||||
|
*
|
||||||
|
@@ -29,6 +45,7 @@
|
||||||
|
* relocate the pointer to it from the change record during garbage
|
||||||
|
* collection.
|
||||||
|
*/
|
||||||
|
+
|
||||||
|
int alloc_save_change(gs_dual_memory_t *dmem, const ref *pcont,
|
||||||
|
ref_packed *ptr, client_name_t cname);
|
||||||
|
int alloc_save_change_in(gs_ref_memory_t *mem, const ref *pcont,
|
||||||
|
@@ -36,6 +53,6 @@ int alloc_save_change_in(gs_ref_memory_t
|
||||||
|
/* Remove an AC_OFFSET_ALLOCATED element. */
|
||||||
|
void alloc_save_remove(gs_ref_memory_t *mem, ref_packed *obj, client_name_t cname);
|
||||||
|
/* Allocate a structure for recording an allocation event. */
|
||||||
|
-int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr);
|
||||||
|
+int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp);
|
||||||
|
|
||||||
|
#endif /* idosave_INCLUDED */
|
||||||
|
diff -up ghostscript-8.70/psi/isave.c.CVE-2010-1628 ghostscript-8.70/psi/isave.c
|
||||||
|
--- ghostscript-8.70/psi/isave.c.CVE-2010-1628 2008-08-28 23:48:19.000000000 +0100
|
||||||
|
+++ ghostscript-8.70/psi/isave.c 2010-07-16 12:15:45.245073557 +0100
|
||||||
|
@@ -156,22 +156,6 @@ print_save(const char *str, uint spacen,
|
||||||
|
/* A link to igcref.c . */
|
||||||
|
ptr_proc_reloc(igc_reloc_ref_ptr_nocheck, ref_packed);
|
||||||
|
|
||||||
|
-/*
|
||||||
|
- * Structure for saved change chain for save/restore. Because of the
|
||||||
|
- * garbage collector, we need to distinguish the cases where the change
|
||||||
|
- * is in a static object, a dynamic ref, or a dynamic struct.
|
||||||
|
- */
|
||||||
|
-typedef struct alloc_change_s alloc_change_t;
|
||||||
|
-struct alloc_change_s {
|
||||||
|
- alloc_change_t *next;
|
||||||
|
- ref_packed *where;
|
||||||
|
- ref contents;
|
||||||
|
-#define AC_OFFSET_STATIC (-2) /* static object */
|
||||||
|
-#define AC_OFFSET_REF (-1) /* dynamic ref */
|
||||||
|
-#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */
|
||||||
|
- short offset; /* if >= 0, offset within struct */
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
static
|
||||||
|
CLEAR_MARKS_PROC(change_clear_marks)
|
||||||
|
{
|
||||||
|
@@ -519,7 +503,7 @@ alloc_save_change(gs_dual_memory_t * dme
|
||||||
|
|
||||||
|
/* Allocate a structure for recording an allocation event. */
|
||||||
|
int
|
||||||
|
-alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr)
|
||||||
|
+alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp)
|
||||||
|
{
|
||||||
|
register alloc_change_t *cp;
|
||||||
|
|
||||||
|
@@ -533,8 +517,7 @@ alloc_save_change_alloc(gs_ref_memory_t
|
||||||
|
cp->where = 0;
|
||||||
|
cp->offset = AC_OFFSET_ALLOCATED;
|
||||||
|
make_null(&cp->contents);
|
||||||
|
- mem->changes = cp;
|
||||||
|
- *ppr = &cp->where;
|
||||||
|
+ *pcp = cp;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer.
|
|||||||
Name: ghostscript
|
Name: ghostscript
|
||||||
Version: %{gs_ver}
|
Version: %{gs_ver}
|
||||||
|
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
|
|
||||||
# Included CMap data is Redistributable, no modification permitted,
|
# Included CMap data is Redistributable, no modification permitted,
|
||||||
# see http://bugzilla.redhat.com/487510
|
# see http://bugzilla.redhat.com/487510
|
||||||
@ -35,6 +35,7 @@ Patch16: ghostscript-cups-realloc-color-depth.patch
|
|||||||
Patch17: ghostscript-tif-fail-close.patch
|
Patch17: ghostscript-tif-fail-close.patch
|
||||||
Patch18: ghostscript-tiff-default-strip-size.patch
|
Patch18: ghostscript-tiff-default-strip-size.patch
|
||||||
Patch19: ghostscript-tiff-fixes.patch
|
Patch19: ghostscript-tiff-fixes.patch
|
||||||
|
Patch20: ghostscript-CVE-2010-1628.patch
|
||||||
|
|
||||||
Requires: urw-fonts >= 1.1, ghostscript-fonts
|
Requires: urw-fonts >= 1.1, ghostscript-fonts
|
||||||
BuildRequires: xz
|
BuildRequires: xz
|
||||||
@ -164,6 +165,10 @@ rm -rf libpng zlib jpeg jasper
|
|||||||
# Backported some more TIFF fixes (bug #573970).
|
# Backported some more TIFF fixes (bug #573970).
|
||||||
%patch19 -p1 -b .tiff-fixes
|
%patch19 -p1 -b .tiff-fixes
|
||||||
|
|
||||||
|
# Applied patch to fix CVE-2010-1628 (memory corruption at PS stack
|
||||||
|
# overflow, bug #592492).
|
||||||
|
%patch20 -p1 -b .CVE-2010-1628
|
||||||
|
|
||||||
# Convert manual pages to UTF-8
|
# Convert manual pages to UTF-8
|
||||||
from8859_1() {
|
from8859_1() {
|
||||||
iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
|
iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
|
||||||
@ -352,6 +357,10 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%{_libdir}/libgs.so
|
%{_libdir}/libgs.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jul 16 2010 Tim Waugh <twaugh@redhat.com> 8.71-7
|
||||||
|
- Applied patch to fix CVE-2010-1628 (memory corruption at PS stack
|
||||||
|
overflow, bug #592492).
|
||||||
|
|
||||||
* Tue Mar 16 2010 Tim Waugh <twaugh@redhat.com> 8.71-6
|
* Tue Mar 16 2010 Tim Waugh <twaugh@redhat.com> 8.71-6
|
||||||
- Backported some more TIFF fixes (bug #573970).
|
- Backported some more TIFF fixes (bug #573970).
|
||||||
- Use upstream fix for TIFF default strip size (bug #571520).
|
- Use upstream fix for TIFF default strip size (bug #571520).
|
||||||
|
Loading…
Reference in New Issue
Block a user