rpms/ghostscript
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import ghostscript-9.54.0-7.el9

Browse Source
This commit is contained in:
CentOS Sources 2022-04-05 06:11:03 -04:00 committed by Stepan Oksanichenko
parent 0f026bf032
commit eedc7d6b90
3 changed files with 176 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
SOURCES/ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch Normal file
View File

@ -0,0 +1,64 @@
From 2a3129365d3bc0d4a41f107ef175920d1505d1f7 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 1 Jun 2021 19:57:16 +0100
Subject: [PATCH] Bug 703902: Fix op stack management in
sampled_data_continue()
Replace pop() (which does no checking, and doesn't handle stack extension
blocks) with ref_stack_pop() which does do all that.
We still use pop() in one case (it's faster), but we have to later use
ref_stack_pop() before calling sampled_data_sample() which also accesses the
op stack.
Fixes:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
---
psi/zfsample.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/psi/zfsample.c b/psi/zfsample.c
index 0e8e4bc8d..00cd0cfdd 100644
--- a/psi/zfsample.c
+++ b/psi/zfsample.c
@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
for (j = 0; j < bps; j++)
data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
}
- pop(num_out); /* Move op to base of result values */
- /* Check if we are done collecting data. */
+ pop(num_out); /* Move op to base of result values */
+ /* From here on, we have to use ref_stack_pop() rather than pop()
+ so that it handles stack extension blocks properly, before calling
+ sampled_data_sample() which also uses the op stack.
+ */
+ /* Check if we are done collecting data. */
if (increment_cube_indexes(params, penum->indexes)) {
if (stack_depth_adjust == 0)
- pop(O_STACK_PAD); /* Remove spare stack space */
+ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
else
- pop(stack_depth_adjust - num_out);
+ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
/* Execute the closing procedure, if given */
code = 0;
if (esp_finish_proc != 0)
@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
if ((O_STACK_PAD - stack_depth_adjust) < 0) {
stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
check_op(stack_depth_adjust);
- pop(stack_depth_adjust);
+ ref_stack_pop(&o_stack, stack_depth_adjust);
}
else {
check_ostack(O_STACK_PAD - stack_depth_adjust);
- push(O_STACK_PAD - stack_depth_adjust);
+ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
make_null(op - i);
}
--
2.35.1

98
SOURCES/ghostscript-9.54.0-covscan-fixes.patch Normal file
View File

@ -0,0 +1,98 @@
diff -ur ghostscript-9.54.0/base/gdevvec.c ghostscript-9.54.0-patched/base/gdevvec.c
--- ghostscript-9.54.0/base/gdevvec.c
+++ ghostscript-9.54.0-patched/base/gdevvec.c
@@ -643,7 +643,7 @@
*/
int
gdev_vector_dopath_segment(gdev_vector_dopath_state_t *state, int pe_op,
- gs_fixed_point vs[3])
+ gs_fixed_point *vs)
{
gx_device_vector *vdev = state->vdev;
const gs_matrix *const pmat = &state->scale_mat;
diff -ur ghostscript-9.54.0/base/gdevvec.h ghostscript-9.54.0-patched/base/gdevvec.h
--- ghostscript-9.54.0/base/gdevvec.h
+++ ghostscript-9.54.0-patched/base/gdevvec.h
@@ -306,7 +306,7 @@
/* Write a segment of a path using the default implementation. */
int gdev_vector_dopath_segment(gdev_vector_dopath_state_t *state, int pe_op,
- gs_fixed_point vs[3]);
+ gs_fixed_point *vs);
typedef struct gdev_vector_path_seg_record_s {
int op;
diff -ur ghostscript-9.54.0/base/gxclpath.c ghostscript-9.54.0-patched/base/gxclpath.c
--- ghostscript-9.54.0/base/gxclpath.c 2021-03-30 09:40:28.000000000 +0200
+++ ghostscript-9.54.0-patched/base/gxclpath.c 2021-11-23 11:06:14.670137576 +0100
@@ -715,10 +715,10 @@
} else {
code = set_cmd_put_op(&dp, cldev, pcls, cmd_opv_set_color_space,
2 + sizeof(clist_icc_color_t));
- memcpy(dp + 2, &(cldev->color_space.icc_info),
- sizeof(clist_icc_color_t));
if (code < 0)
return code;
+ memcpy(dp + 2, &(cldev->color_space.icc_info),
+ sizeof(clist_icc_color_t));
}
dp[1] = cldev->color_space.byte1;
pcls->known |= color_space_known;
diff -ur ghostscript-9.54.0/extract/src/mem.c ghostscript-9.54.0-patched/extract/src/mem.c
--- ghostscript-9.54.0/extract/src/mem.c 2021-03-30 09:40:28.000000000 +0200
+++ ghostscript-9.54.0-patched/extract/src/mem.c 2021-11-23 11:11:37.293082828 +0100
@@ -19,14 +19,24 @@
int extract_vasprintf(extract_alloc_t* alloc, char** out, const char* format, va_list va)
{
int n;
- int n2;
+ int ret;
va_list va2;
va_copy(va2, va);
n = vsnprintf(NULL, 0, format, va);
- if (n < 0) return n;
- if (extract_malloc(alloc, out, n + 1)) return -1;
- n2 = vsnprintf(*out, n + 1, format, va2);
+ if (n < 0)
+ {
+ ret = n;
+ goto end;
+ }
+ if (extract_malloc(alloc, out, n + 1))
+ {
+ ret = -1;
+ goto end;
+ }
+ vsnprintf(*out, n + 1, format, va2);
+ ret = 0;
+
+ end:
va_end(va2);
- assert(n2 == n);
- return n2;
+ return ret;
}
diff -ur ghostscript-9.54.0/psi/icie.h ghostscript-9.54.0-patched/psi/icie.h
--- ghostscript-9.54.0/psi/icie.h 2021-03-30 09:40:28.000000000 +0200
+++ ghostscript-9.54.0-patched/psi/icie.h 2021-10-29 12:48:43.405814563 +0200
@@ -53,7 +53,7 @@
/* Get 3 procedures from a dictionary. */
int dict_proc3_param(const gs_memory_t *mem, const ref *pdref,
- const char *kstr, ref proc3[3]);
+ const char *kstr, ref *proc3);
/* Get WhitePoint and BlackPoint values. */
int cie_points_param(const gs_memory_t *mem,
diff -ur ghostscript-9.54.0/psi/zcie.c ghostscript-9.54.0-patched/psi/zcie.c
--- ghostscript-9.54.0/psi/zcie.c 2021-03-30 09:40:28.000000000 +0200
+++ ghostscript-9.54.0-patched/psi/zcie.c 2021-11-02 14:36:28.463448728 +0100
@@ -144,7 +144,7 @@
/* Get 3 procedures from a dictionary. */
int
-dict_proc3_param(const gs_memory_t *mem, const ref *pdref, const char *kstr, ref proc3[3])
+dict_proc3_param(const gs_memory_t *mem, const ref *pdref, const char *kstr, ref *proc3)
{
return dict_proc_array_param(mem, pdref, kstr, 3, proc3);
}

15
SPECS/ghostscript.spec
View File

@ -42,7 +42,7 @@
Name: ghostscript
Summary: Interpreter for PostScript language & PDF
Version: 9.54.0
Release: 4%{?dist}
Release: 7%{?dist}
License: AGPLv3+
@ -102,6 +102,10 @@ BuildRequires: make
#Patch000: example000.patch
Patch001: ghostscript-9.54.0-gdevtxtw-null-also-pointers.patch
Patch002: ghostscript-9.54.0-include-pipe-handle-in-validation.patch
#2032789 - coverity warnings fixes
Patch003: ghostscript-9.54.0-covscan-fixes.patch
#2049767 - CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
# Downstream patches -- these should be always included when doing rebase:
# ------------------
@ -435,6 +439,15 @@ done
# =============================================================================
%changelog
* Thu Feb 24 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-7
- Fix patch for covscan issues (#2032789)
* Tue Feb 22 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-6
- Added fix for vulnerability CVE-2021-45949 (#2049767)
* Mon Feb 21 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-5
- Added coverity fixes (#2032789)
* Thu Sep 16 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-4
- Added fix for CVE-2021-3781 (#2002625)