rpms/ghostscript
7
0
Fork 0
Code Issues Pull Requests Releases Activity

RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()

Browse Source 
Resolves: RHEL-46131
This commit is contained in:
Zdenek Dohnal 2024-07-16 17:42:23 +02:00
parent 10f971e9bb
commit e4a4fdf933
2 changed files with 433 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

430
0001-Bug-707510-review-printing-of-pointers.patch Normal file
View File

@ -0,0 +1,430 @@
From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:53:44 +0000
Subject: [PATCH] Bug 707510 - review printing of pointers
This is for item 4 of the report, which is addressed by the change in
gdevpdtb.c. That change uses a fixed name for fonts which have no name
instead of using the pointer to the address of the font.
The remaining changes are all due to reviewing the use of PRI_INTPTR.
In general we only use that for debugging purposes but there were a few
places which were printing pointers arbitrarily, even in a release build.
We really don't want to do that so I've modified the places which were
printing pointer unconditionally so that they only do so if DEBUG is
set at compile time, or a specific debug flag is set.
---
base/gsfont.c | 4 ++--
base/gsicc_cache.c | 8 ++++----
base/gsmalloc.c | 4 ++--
base/gxclmem.c | 5 ++---
base/gxcpath.c | 6 +++++-
base/gxpath.c | 8 +++++++-
base/szlibc.c | 4 +++-
devices/gdevupd.c | 7 ++++++-
devices/vector/gdevpdtb.c | 4 ++--
psi/ialloc.c | 4 ++--
psi/igc.c | 6 +++---
psi/igcstr.c | 6 +++---
psi/iinit.c | 6 +++++-
psi/imainarg.c | 5 +++--
psi/isave.c | 4 ++--
psi/iutil.c | 6 +++++-
16 files changed, 56 insertions(+), 31 deletions(-)
diff --git a/base/gsfont.c b/base/gsfont.c
index 351954776..8b0da819b 100644
--- a/base/gsfont.c
+++ b/base/gsfont.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -791,7 +791,7 @@ gs_purge_font(gs_font * pfont)
else if (pdir->scaled_fonts == pfont)
pdir->scaled_fonts = next;
else { /* Shouldn't happen! */
- lprintf1("purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
+ if_debug1m('u', pfont->memory, "purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
}
/* Purge the font from the scaled font cache. */
diff --git a/base/gsicc_cache.c b/base/gsicc_cache.c
index c2a59107e..c3026c136 100644
--- a/base/gsicc_cache.c
+++ b/base/gsicc_cache.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -161,7 +161,7 @@ icc_linkcache_finalize(const gs_memory_t *mem, void *ptr)
return;
while (link_cache->head != NULL) {
if (link_cache->head->ref_count != 0) {
- emprintf2(link_cache->memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
+ if_debug2m(gs_debug_flag_icc, link_cache->memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
(intptr_t)link_cache->head, link_cache->head->ref_count);
link_cache->head->ref_count = 0; /* force removal */
}
@@ -586,7 +586,7 @@ gsicc_findcachelink(gsicc_hashlink_t hash, gsicc_link_cache_t *icc_link_cache,
/* that was building it failed to be able to complete building it. Try this only
a limited number of times before we bail. */
if (curr->valid == false) {
- emprintf1(curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */
+ if_debug1m(gs_debug_flag_icc, curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */
}
gx_monitor_enter(icc_link_cache->lock); /* re-enter to loop and check */
}
@@ -614,7 +614,7 @@ gsicc_remove_link(gsicc_link_t *link)
/* NOTE: link->ref_count must be 0: assert ? */
gx_monitor_enter(icc_link_cache->lock);
if (link->ref_count != 0) {
- emprintf2(memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
+ if_debug2m(gs_debug_flag_icc, memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
}
curr = icc_link_cache->head;
prev = NULL;
diff --git a/base/gsmalloc.c b/base/gsmalloc.c
index 5d5b0f4d1..6b8da1fba 100644
--- a/base/gsmalloc.c
+++ b/base/gsmalloc.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -420,7 +420,7 @@ gs_heap_resize_string(gs_memory_t * mem, byte * data, size_t old_num, size_t new
client_name_t cname)
{
if (gs_heap_object_type(mem, data) != &st_bytes)
- lprintf2("%s: resizing non-string "PRI_INTPTR"!\n",
+ if_debug2m('a', mem, "%s: resizing non-string "PRI_INTPTR"!\n",
client_name_string(cname), (intptr_t)data);
return gs_heap_resize_object(mem, data, new_num, cname);
}
diff --git a/base/gxclmem.c b/base/gxclmem.c
index 9b9bbcf35..68125303e 100644
--- a/base/gxclmem.c
+++ b/base/gxclmem.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -490,8 +490,7 @@ memfile_fclose(clist_file_ptr cf, const char *fname, bool delete)
/* leaks if other users of the memfile don't 'fclose with delete=true */
if (f->openlist != NULL || ((f->base_memfile != NULL) && f->base_memfile->is_open)) {
/* TODO: do the cleanup rather than just giving an error */
- emprintf1(f->memory,
- "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
+ if_debug1(':', "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
(intptr_t)f);
return_error(gs_error_invalidfileaccess);
} else {
diff --git a/base/gxcpath.c b/base/gxcpath.c
index e277f3172..a7a127db2 100644
--- a/base/gxcpath.c
+++ b/base/gxcpath.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -178,8 +178,10 @@ gx_cpath_init_contained_shared(gx_clip_path * pcpath,
{
if (shared) {
if (shared->path.segments == &shared->path.local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
*pcpath = *shared;
@@ -236,8 +238,10 @@ gx_cpath_init_local_shared_nested(gx_clip_path * pcpath,
if (shared) {
if ((shared->path.segments == &shared->path.local_segments) &&
!safely_nested) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
pcpath->path = shared->path;
diff --git a/base/gxpath.c b/base/gxpath.c
index eb0f3bf2e..817c247b2 100644
--- a/base/gxpath.c
+++ b/base/gxpath.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -137,8 +137,10 @@ gx_path_init_contained_shared(gx_path * ppath, const gx_path * shared,
{
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
*ppath = *shared;
@@ -172,8 +174,10 @@ gx_path_alloc_shared(const gx_path * shared, gs_memory_t * mem,
ppath->procs = &default_path_procs;
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
gs_free_object(mem, ppath, cname);
return 0;
}
@@ -203,8 +207,10 @@ gx_path_init_local_shared(gx_path * ppath, const gx_path * shared,
{
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
*ppath = *shared;
diff --git a/base/szlibc.c b/base/szlibc.c
index e2b0d68c3..5f315c3c3 100644
--- a/base/szlibc.c
+++ b/base/szlibc.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -110,7 +110,9 @@ s_zlib_free(void *zmem, void *data)
gs_free_object(mem, data, "s_zlib_free(data)");
for (; ; block = block->next) {
if (block == 0) {
+#ifdef DEBUG
lprintf1("Freeing unrecorded data "PRI_INTPTR"!\n", (intptr_t)data);
+#endif
return;
}
if (block->data == data)
diff --git a/devices/gdevupd.c b/devices/gdevupd.c
index 740dae012..cb479d21f 100644
--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -1040,8 +1040,13 @@ upd_print_page(gx_device_printer *pdev, gp_file *out)
*/
if(!upd || B_OK4GO != (upd->flags & (B_OK4GO | B_ERROR))) {
#if UPD_MESSAGES & (UPD_M_ERROR | UPD_M_TOPCALLS)
+#ifdef DEBUG
errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n",
(intptr_t)udev,(intptr_t) out);
+#else
+ errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n",
+ (intptr_t)udev,(intptr_t) out);
+#endif
#endif
return_error(gs_error_undefined);
}
diff --git a/devices/vector/gdevpdtb.c b/devices/vector/gdevpdtb.c
index 41046aa21..3d7dcae53 100644
--- a/devices/vector/gdevpdtb.c
+++ b/devices/vector/gdevpdtb.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -373,7 +373,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev, pdf_base_font_t **ppbfont,
font_name.size -= SUBSET_PREFIX_SIZE;
}
} else {
- gs_snprintf(fnbuf, sizeof(fnbuf), ".F" PRI_INTPTR, (intptr_t)copied);
+ gs_snprintf(fnbuf, sizeof(fnbuf), "Anonymous");
font_name.data = (byte *)fnbuf;
font_name.size = strlen(fnbuf);
}
diff --git a/psi/ialloc.c b/psi/ialloc.c
index 6d22110e8..40216e41c 100644
--- a/psi/ialloc.c
+++ b/psi/ialloc.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -391,7 +391,7 @@ gs_free_ref_array(gs_ref_memory_t * mem, ref * parr, client_name_t cname)
size = num_refs * sizeof(ref);
break;
default:
- lprintf3("Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!",
+ if_debug3('A', "Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!",
r_type(parr), num_refs, (intptr_t)obj);
return;
}
diff --git a/psi/igc.c b/psi/igc.c
index 121723f79..ab6565c6b 100644
--- a/psi/igc.c
+++ b/psi/igc.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -1062,7 +1062,7 @@ gc_extend_stack(gc_mark_stack * pms, gc_state_t * pstate)
if (cp == 0) { /* We were tracing outside collectible */
/* storage. This can't happen. */
- lprintf1("mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n",
+ if_debug1('6', "mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n",
(intptr_t)cptr);
gs_abort(pstate->heap);
}
@@ -1291,7 +1291,7 @@ igc_reloc_struct_ptr(const void /*obj_header_t */ *obj, gc_state_t * gcst)
if (cp != 0 && cp->cbase <= (byte *)obj && (byte *)obj <cp->ctop) {
if (back > (cp->ctop - cp->cbase) >> obj_back_shift) {
- lprintf2("Invalid back pointer %u at "PRI_INTPTR"!\n",
+ if_debug2('6', "Invalid back pointer %u at "PRI_INTPTR"!\n",
back, (intptr_t)obj);
gs_abort(NULL);
}
diff --git a/psi/igcstr.c b/psi/igcstr.c
index bfaee419b..c43c12875 100644
--- a/psi/igcstr.c
+++ b/psi/igcstr.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -152,7 +152,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst)
return false;
#ifdef DEBUG
if (ptr < cp->ctop) {
- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
(intptr_t)ptr, size, (intptr_t)cp->ctop, (intptr_t)cp->climit);
return false;
} else if (ptr + size > cp->climit) { /*
@@ -171,7 +171,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst)
while (ptr == scp->climit && scp->outer != 0)
scp = scp->outer;
if (ptr + size > scp->climit) {
- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
(intptr_t)ptr, size,
(intptr_t)scp->ctop, (intptr_t)scp->climit);
return false;
diff --git a/psi/iinit.c b/psi/iinit.c
index ed41b36da..0af7ee9c1 100644
--- a/psi/iinit.c
+++ b/psi/iinit.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -395,8 +395,12 @@ zop_init(i_ctx_t *i_ctx_p)
if (def->proc != 0) {
code = def->proc(i_ctx_p);
if (code < 0) {
+#ifdef DEBUG
lprintf2("op_init proc "PRI_INTPTR" returned error %d!\n",
(intptr_t)def->proc, code);
+#else
+ lprintf("op_init proc returned error !\n");
+#endif
return code;
}
}
diff --git a/psi/imainarg.c b/psi/imainarg.c
index 638694ba2..29ad1d633 100644
--- a/psi/imainarg.c
+++ b/psi/imainarg.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -229,7 +229,8 @@ gs_main_init_with_args01(gs_main_instance * minst, int argc, char *argv[])
if (gs_debug[':'] && !have_dumped_args) {
int i;
- dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ",
+ if (gs_debug_c(gs_debug_flag_init_details))
+ dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ",
(intptr_t)minst);
for (i=1; i<argc; i++)
dmprintf1(minst->heap, "%s ", argv[i]);
diff --git a/psi/isave.c b/psi/isave.c
index 80cf9c1f7..795170fcb 100644
--- a/psi/isave.c
+++ b/psi/isave.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -487,7 +487,7 @@ alloc_save_change_in(gs_ref_memory_t *mem, const ref * pcont,
else if (r_is_struct(pcont))
cp->offset = (byte *) where - (byte *) pcont->value.pstruct;
else {
- lprintf3("Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n",
+ if_debug3('u', "Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n",
r_type(pcont), (intptr_t) pcont, (intptr_t) where);
gs_abort((const gs_memory_t *)mem);
}
diff --git a/psi/iutil.c b/psi/iutil.c
index 405869666..239c26b85 100644
--- a/psi/iutil.c
+++ b/psi/iutil.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -537,7 +537,11 @@ other:
break;
}
/* Internal operator, no name. */
+#if DEBUG
gs_snprintf(buf, sizeof(buf), "@"PRI_INTPTR, (intptr_t) op->value.opproc);
+#else
+ gs_snprintf(buf, sizeof(buf), "@anonymous_operator", (intptr_t) op->value.opproc);
+#endif
break;
}
case t_real:
--
2.45.2

3
ghostscript.spec
View File

@ -119,6 +119,8 @@ Patch: 0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch
Patch: 0001-Bug-707686.patch
# RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
Patch: 0001-Bug-707510-don-t-use-strlen-on-passwords.patch
# RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
Patch: 0001-Bug-707510-review-printing-of-pointers.patch
# Downstream patches -- these should be always included when doing rebase:
# ------------------
@ -437,6 +439,7 @@ done
%changelog
* Tue Jul 16 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
- RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
- RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
* Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
- RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths