RHEL-61729 Ghostscript is generating PJL of a significantly larger size

Resolves: RHEL-61729
2024-10-10 13:03:48 +02:00 · 2024-10-10 13:03:48 +02:00 · 4ccf2d2afd
commit 4ccf2d2afd
parent 8c3e8ad395
3 changed files with 191 additions and 1 deletions
--- a/0001-Bug-701568-Fix-gdevpx.c-RLE-stream-handling.patch
+++ b/0001-Bug-701568-Fix-gdevpx.c-RLE-stream-handling.patch
@ -0,0 +1,64 @@
+From 68c7275d4a580dca6c0ed3798f3717eea3513403 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 12 Sep 2019 09:35:01 +0100
+Subject: [PATCH] Bug 701568: Fix gdevpx.c RLE stream handling.
+
+The current code in pclxl_write_image_data_RLE passes
+lines of data to the RLE compression routine. It tells
+each invocation of that routine that this is the "last"
+block of data, when clearly it is not.
+
+Accordingly, the compression routine inserts the "EOD" byte
+into the stream, and returns EOFC.
+
+Independently of the return value used, having multiple EOD
+bytes in the data is clearly wrong. Update the caller to only
+pass "last" in for the last block.
+
+The code still returns EOFC at the end of the data, so update
+this final call to accept (indeed, expect) that return value
+there.
+---
+ devices/vector/gdevpx.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/devices/vector/gdevpx.c b/devices/vector/gdevpx.c
+index 825e6b4c5..5d2d0edf5 100644
+--- a/devices/vector/gdevpx.c
+++ b/devices/vector/gdevpx.c
+@@ -714,6 +714,7 @@ pclxl_write_image_data_RLE(gx_device_pclxl * xdev, const byte * base,
+     uint num_bytes = ROUND_UP(width_bytes, 4) * height;
+     bool compress = num_bytes >= 8;
+     int i;
+    int code;
+ 
+     /* cannot handle data_bit not multiple of 8, but we don't invoke this routine that way */
+     int offset = data_bit >> 3;
+@@ -752,19 +753,20 @@ pclxl_write_image_data_RLE(gx_device_pclxl * xdev, const byte * base,
+             r.ptr = data + i * raster - 1;
+             r.limit = r.ptr + width_bytes;
+             if ((*s_RLE_template.process)
+-                ((stream_state *) & rlstate, &r, &w, true) != 0 ||
+                ((stream_state *) & rlstate, &r, &w, false) != 0 ||
+                 r.ptr != r.limit)
+                 goto ncfree;
+             r.ptr = (const byte *)"\000\000\000\000\000";
+             r.limit = r.ptr + (-(int)width_bytes & 3);
+             if ((*s_RLE_template.process)
+-                ((stream_state *) & rlstate, &r, &w, true) != 0 ||
+                ((stream_state *) & rlstate, &r, &w, false) != 0 ||
+                 r.ptr != r.limit)
+                 goto ncfree;
+         }
+         r.ptr = r.limit;
+-        if ((*s_RLE_template.process)
+-            ((stream_state *) & rlstate, &r, &w, true) != 0)
+        code = (*s_RLE_template.process)
+            ((stream_state *) & rlstate, &r, &w, true);
+        if (code != EOFC && code != 0)
+             goto ncfree;
+         {
+             uint count = w.ptr + 1 - buf;
+-- 
+2.46.2
+
--- a/0001-Bug-701568-followup-Fix-RLE-compressor.patch
+++ b/0001-Bug-701568-followup-Fix-RLE-compressor.patch
@ -0,0 +1,118 @@
+From 3b2ad1f24d2e9705481f9feb6835aa3e851726ac Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 12 Sep 2019 17:09:50 +0100
+Subject: [PATCH] Bug 701568 followup: Fix RLE compressor.
+
+The previous fix to the RLE compressor reveals an additional
+existing issue to do with us not checking whether we have
+space in the buffer to write the EOD byte.
+
+Fixed here.
+---
+ base/srle.c | 78 ++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 45 insertions(+), 33 deletions(-)
+
+diff --git a/base/srle.c b/base/srle.c
+index 50de0d847..0c0186e04 100644
+--- a/base/srle.c
+++ b/base/srle.c
+@@ -59,7 +59,13 @@ enum {
+     state_gt_012,
+ 
+     /* -n bytes into a repeated run, n0 and n1 read. */
+-    state_lt_01
+    state_lt_01,
+
+    /* We have reached the end of data, but not written the marker. */
+    state_eod_unmarked,
+
+    /* We have reached the end of data, and written the marker. */
+    state_eod
+ };
+ 
+ #ifdef DEBUG_RLE
+@@ -294,43 +300,49 @@ run_len_0_n0_read:
+                 }
+             }
+         }
+-    }
+-    /* n1 is never valid here */
+        /* n1 is never valid here */
+ 
+-    if (last) {
+-        if (run_len == 0) {
+-            /* EOD */
+-            if (wlimit - q < 1) {
+-                ss->state = state_0;
+-                goto no_output_room;
+-            }
+-        } else if (run_len > 0) {
+-            /* Flush literal run + EOD */
+-            if (wlimit - q < run_len+2) {
+-                ss->state = state_0;
+-                goto no_output_room;
+        if (last) {
+            if (run_len == 0) {
+                /* EOD */
+                if (wlimit - q < 1) {
+                    ss->state = state_0;
+                    goto no_output_room;
+                }
+            } else if (run_len > 0) {
+                /* Flush literal run + EOD */
+                if (wlimit - q < run_len+2) {
+                    ss->state = state_0;
+                    goto no_output_room;
+                }
+                *++q = run_len;
+                memcpy(q+1, ss->literals, run_len);
+                q += run_len;
+                *++q = n0;
+            } else if (run_len < 0) {
+                /* Flush repeated run + EOD */
+                if (wlimit - q < 3) {
+                    ss->state = state_0;
+                    goto no_output_room;
+                }
+                *++q = 257+run_len; /* Repeated run */
+                *++q = n0;
+             }
+-            *++q = run_len;
+-            memcpy(q+1, ss->literals, run_len);
+-            q += run_len;
+-            *++q = n0;
+-        } else if (run_len < 0) {
+-            /* Flush repeated run + EOD */
+-            if (wlimit - q < 3) {
+-                ss->state = state_0;
+    case state_eod_unmarked:
+            if (wlimit - q < 1) {
+                ss->state = state_eod_unmarked;
+                 goto no_output_room;
+             }
+-            *++q = 257+run_len; /* Repeated run */
+-            *++q = n0;
+            *++q = 128; /* EOD */
+    case state_eod:
+            ss->run_len = 0;
+            ss->state = state_0;
+            pr->ptr = p;
+            pw->ptr = q;
+            ss->record_left = rlimit - p;
+            debug_ate(pinit, p, qinit, q, EOFC);
+            return EOFC;
+         }
+-        *++q = 128; /* EOD */
+-        ss->run_len = 0;
+-        ss->state = state_0;
+-        pr->ptr = p;
+-        pw->ptr = q;
+-        ss->record_left = rlimit - p;
+-        debug_ate(pinit, p, qinit, q, EOFC);
+-        return EOFC;
+     }
+ 
+     /* Normal exit */
+-- 
+2.46.2
+
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -37,7 +37,7 @@
 Name:             ghostscript
 Summary:          Interpreter for PostScript language & PDF
 Version:          9.27
-Release:          13%{?dist}
+Release:          14%{?dist}

 License:          AGPLv3+

@ -123,6 +123,11 @@ Patch023: ghostscript-9.27-avoid-divide-by-zero-in-devices.patch
 # Downside of the fix is if someone depends on unsafe settings of driver for OPVP device
 # (via Postscript code in command -c, via Postscript code in input file), gs will start to fail.
 Patch024: gs-cve-2024-33871.patch
+# RHEL-61729 Ghostscript is generating PJL of a significantly larger size
+# Patches: 0001-Bug-701568-Fix-gdevpx.c-RLE-stream-handling.patch
+#          0001-Bug-701568-followup-Fix-RLE-compressor.patch
+Patch025: 0001-Bug-701568-Fix-gdevpx.c-RLE-stream-handling.patch
+Patch026: 0001-Bug-701568-followup-Fix-RLE-compressor.patch


 # Downstream patches -- these should be always included when doing rebase:
@ -463,6 +468,9 @@ done
 # =============================================================================

 %changelog
+* Thu Oct 10 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.27-14
+- RHEL-61729 Ghostscript is generating PJL of a significantly larger size
+
 * Wed Jun 12 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.27-13
 - CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library