rpms/ghostscript
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9
rpms:c10s
rpms:c9s
rpms:c8s
rpms:c8-beta
rpms:c9-beta
rpms:imports/c9/ghostscript-9.54.0-17.el9_4
rpms:imports/c10s/ghostscript-10.02.1-13.el10
rpms:imports/c9/ghostscript-9.54.0-16.el9_4
rpms:imports/c8/ghostscript-9.27-13.el8_10
rpms:imports/c8/ghostscript-9.27-12.el8
rpms:imports/c8-beta/ghostscript-9.27-12.el8
rpms:imports/c8/ghostscript-9.27-11.el8
rpms:imports/c9/ghostscript-9.54.0-14.el9_3
rpms:imports/c9/ghostscript-9.54.0-11.el9_2
rpms:imports/c9/ghostscript-9.54.0-10.el9_2
rpms:imports/c8-beta/ghostscript-9.27-11.el8
rpms:imports/c9-beta/ghostscript-9.54.0-13.el9
rpms:imports/c8/ghostscript-9.27-6.el8
rpms:imports/c9/ghostscript-9.54.0-9.el9
rpms:imports/c9-beta/ghostscript-9.54.0-9.el9
rpms:imports/c8-beta/ghostscript-9.27-6.el8
rpms:imports/c8s/ghostscript-9.27-6.el8
rpms:imports/c8s/ghostscript-9.27-5.el8
rpms:imports/c8/ghostscript-9.27-4.el8
rpms:imports/c8-beta/ghostscript-9.27-4.el8
rpms:imports/c8s/ghostscript-9.27-4.el8
rpms:imports/c9/ghostscript-9.54.0-7.el9
rpms:imports/c9-beta/ghostscript-9.54.0-7.el9
rpms:imports/c9-beta/ghostscript-9.54.0-4.el9
rpms:imports/c9-beta/ghostscript-9.54.0-2.el9
rpms:imports/c8-beta/ghostscript-9.27-1.el8
rpms:imports/c8-beta/ghostscript-9.25-7.el8
rpms:imports/c8-beta/ghostscript-9.25-5.el8_1.1
rpms:imports/c8-beta/ghostscript-9.25-3.el8
rpms:imports/c8s/ghostscript-9.27-1.el8
rpms:imports/c8s/ghostscript-9.25-7.el8
rpms:imports/c8/ghostscript-9.27-1.el8
rpms:imports/c8/ghostscript-9.25-7.el8
rpms:imports/c8/ghostscript-9.25-5.el8_1.1
rpms:imports/c8/ghostscript-9.25-5.el8
rpms:imports/c8/ghostscript-9.25-2.el8_0.3
...
pull from: rpms:c10s
Branches Tags
rpms:c9
rpms:c10s
rpms:c9s
rpms:c8
rpms:c8s
rpms:c8-beta
rpms:c9-beta
rpms:imports/c9/ghostscript-9.54.0-17.el9_4
rpms:imports/c10s/ghostscript-10.02.1-13.el10
rpms:imports/c9/ghostscript-9.54.0-16.el9_4
rpms:imports/c8/ghostscript-9.27-13.el8_10
rpms:imports/c8/ghostscript-9.27-12.el8
rpms:imports/c8-beta/ghostscript-9.27-12.el8
rpms:imports/c8/ghostscript-9.27-11.el8
rpms:imports/c9/ghostscript-9.54.0-14.el9_3
rpms:imports/c9/ghostscript-9.54.0-11.el9_2
rpms:imports/c9/ghostscript-9.54.0-10.el9_2
rpms:imports/c8-beta/ghostscript-9.27-11.el8
rpms:imports/c9-beta/ghostscript-9.54.0-13.el9
rpms:imports/c8/ghostscript-9.27-6.el8
rpms:imports/c9/ghostscript-9.54.0-9.el9
rpms:imports/c9-beta/ghostscript-9.54.0-9.el9
rpms:imports/c8-beta/ghostscript-9.27-6.el8
rpms:imports/c8s/ghostscript-9.27-6.el8
rpms:imports/c8s/ghostscript-9.27-5.el8
rpms:imports/c8/ghostscript-9.27-4.el8
rpms:imports/c8-beta/ghostscript-9.27-4.el8
rpms:imports/c8s/ghostscript-9.27-4.el8
rpms:imports/c9/ghostscript-9.54.0-7.el9
rpms:imports/c9-beta/ghostscript-9.54.0-7.el9
rpms:imports/c9-beta/ghostscript-9.54.0-4.el9
rpms:imports/c9-beta/ghostscript-9.54.0-2.el9
rpms:imports/c8-beta/ghostscript-9.27-1.el8
rpms:imports/c8-beta/ghostscript-9.25-7.el8
rpms:imports/c8-beta/ghostscript-9.25-5.el8_1.1
rpms:imports/c8-beta/ghostscript-9.25-3.el8
rpms:imports/c8s/ghostscript-9.27-1.el8
rpms:imports/c8s/ghostscript-9.25-7.el8
rpms:imports/c8/ghostscript-9.27-1.el8
rpms:imports/c8/ghostscript-9.25-7.el8
rpms:imports/c8/ghostscript-9.25-5.el8_1.1
rpms:imports/c8/ghostscript-9.25-5.el8
rpms:imports/c8/ghostscript-9.25-2.el8_0.3

No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

45 changed files with 1400 additions and 2137 deletions
Show Stats Expand all files Collapse all files

1
.fmf/version Normal file
View File

@ -0,0 +1 @@
1

1
.ghostscript.metadata
View File

@ -1 +0,0 @@
f926d2cfb418a7c5d92dce0a9843fa01ee62fe2c SOURCES/ghostscript-9.27.tar.xz

68
.gitignore vendored
View File

@ -1 +1,67 @@
SOURCES/ghostscript-9.27.tar.xz
acro5-cmaps-2001.tar.gz
adobe-cmaps-200202.tar.gz
eplaser-3.1.4-705.tgz
epson740.tgz
gdevmd2k-0.2a.tar.gz
ghostscript-7.07.tar.bz2
gs550j1.tar.gz
gs6.51-cjk-M2-R3.tar.gz
gs704-j-vlib.zip
lexmarkgs990908.tar.gz
lxm3200-tweaked-20030501.tar.gz
pcl3-3.3.tar.gz
espgs-8.15rc3-source.tar.bz2
adobe-cmaps-200204.tar.gz
espgs-8.15rc4-source.tar.bz2
espgs-8.15.1-source.tar.bz2
adobe-cmaps-200406.tar.gz
espgs-8.15.2-source.tar.bz2
espgs-8.15.3-source.tar.bz2
espgs-8.15.4-source.tar.bz2
ghostscript-8.60-r8117.tar.bz2
ghostscript-8.60.tar.bz2
ghostscript-8.61.tar.bz2
ghostscript-8.62.tar.bz2
ghostscript-8.63.tar.bz2
ghostscript-8.64.tar.bz2
ghostscript-8.70.tar.xz
ghostscript-8.71.tar.xz
/ghostscript-9.00.tar.xz
/ghostscript-9.01.tar.bz2
/ghostscript-9.02.tar.bz2
/ghostscript-9.04.tar.bz2
/ghostscript-9.05.tar.bz2
/ghostscript-9.06.tar.bz2
/ghostscript-9.06-cleaned.tar.bz2
/ghostscript-9.07.tar.bz2
/ghostscript-9.07-cleaned.tar.bz2
/ghostscript-9.08rc1.tar.gz
/ghostscript-9.08.tar.bz2
/ghostscript-9.09rc1.tar.gz
/ghostscript-9.09.tar.bz2
/ghostscript-9.10.tar.bz2
/ghostscript-9.10-cleaned.tar.bz2
/ghostscript-9.12-cleaned.tar.bz2
/ghostscript-9.14-cleaned.tar.bz2
/ghostscript-9.14-cleaned-1.tar.bz2
/ghostscript-9.15-cleaned.tar.bz2
/ghostscript-9.15-cleaned-1.tar.bz2
/ghostscript-9.16-cleaned-1.tar.bz2
/ghostscript-9.20.tar.xz
/ghostscript-9.22.tar.xz
/ghostscript-9.23.tar.xz
/ghostscript-9.24.tar.xz
/ghostscript-9.25.tar.xz
/ghostscript-9.26.tar.xz
/ghostscript-9.27.tar.xz
/ghostscript-9.50.tar.xz
/ghostscript-9.52.tar.xz
/ghostscript-9.53.1.tar.xz
/ghostscript-9.53.3.tar.xz
/ghostscript-9.54.0.tar.xz
/ghostscript-9.55.0.tar.xz
/ghostscript-9.56.1.tar.xz
/ghostscript-10.0.0.tar.xz
/ghostscript-10.01.0.tar.xz
/ghostscript-10.01.2.tar.xz
/ghostscript-10.02.1.tar.xz

25
0001-Bug-707130-Cast-to-void-to-avoid-compiler-warning.patch Normal file
View File

@ -0,0 +1,25 @@
From b7beb19ad06e08b889a44694ff813ed5f6c96da4 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 14 Sep 2023 09:01:43 +0100
Subject: [PATCH] Bug 707130: Cast to void ** to avoid compiler warning
---
base/fapi_ft.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/base/fapi_ft.c b/base/fapi_ft.c
index ccd629757..fc185bfd7 100644
--- a/base/fapi_ft.c
+++ b/base/fapi_ft.c
@@ -1280,7 +1280,7 @@ gs_fapi_ft_get_scaled_font(gs_fapi_server * a_server, gs_fapi_font * a_font,
if (a_font->retrieve_tt_font != NULL) {
unsigned int ms;
- code = a_font->retrieve_tt_font(a_font, &own_font_data, &ms);
+ code = a_font->retrieve_tt_font(a_font, (void **)&own_font_data, &ms);
if (code == 0) {
data_owned = false;
open_args.memory_base = own_font_data;
--
2.43.0

76
0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch Normal file
View File

@ -0,0 +1,76 @@
diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
index 5f82b7f..6819cb7 100644
--- a/pdf/pdf_font.c
+++ b/pdf/pdf_font.c
@@ -297,22 +297,55 @@ pdfi_open_CIDFont_substitute_file(pdf_context *ctx, pdf_dict *font_dict, pdf_dic
memcpy(fontfname, fsprefix, fsprefixlen);
}
else {
- memcpy(fontfname, ctx->args.cidfsubstpath.data, ctx->args.cidfsubstpath.size);
- fsprefixlen = ctx->args.cidfsubstpath.size;
+ if (ctx->args.cidfsubstpath.size + 1 > gp_file_name_sizeof) {
+ code = gs_note_error(gs_error_rangecheck);
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSubstPath parameter too long");
+ if (ctx->args.pdfstoponwarning != 0) {
+ goto exit;
+ }
+ code = 0;
+ memcpy(fontfname, fsprefix, fsprefixlen);
+ }
+ else {
+ memcpy(fontfname, ctx->args.cidfsubstpath.data, ctx->args.cidfsubstpath.size);
+ fsprefixlen = ctx->args.cidfsubstpath.size;
+ }
}
if (ctx->args.cidfsubstfont.data == NULL) {
int len = 0;
- if (gp_getenv("CIDFSUBSTFONT", (char *)0, &len) < 0 && len + fsprefixlen + 1 < gp_file_name_sizeof) {
- (void)gp_getenv("CIDFSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
+ if (gp_getenv("CIDFSUBSTFONT", (char *)0, &len) < 0) {
+ if (len + fsprefixlen + 1 > gp_file_name_sizeof) {
+ code = gs_note_error(gs_error_rangecheck);
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSUBSTFONT environment variable too long");
+ if (ctx->args.pdfstoponwarning != 0) {
+ goto exit;
+ }
+ code = 0;
+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
+ }
+ else {
+ (void)gp_getenv("CIDFSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
+ }
}
else {
memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
}
}
else {
- memcpy(fontfname, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size);
- defcidfallacklen = ctx->args.cidfsubstfont.size;
+ if (ctx->args.cidfsubstfont.size > gp_file_name_sizeof - 1) {
+ code = gs_note_error(gs_error_rangecheck);
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSubstFont parameter too long");
+ if (ctx->args.pdfstoponwarning != 0) {
+ goto exit;
+ }
+ code = 0;
+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
+ }
+ else {
+ memcpy(fontfname, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size);
+ defcidfallacklen = ctx->args.cidfsubstfont.size;
+ }
}
fontfname[fsprefixlen + defcidfallacklen] = '\0';
diff --git a/pdf/pdf_warnings.h b/pdf/pdf_warnings.h
index 6402d8f..d1e0019 100644
--- a/pdf/pdf_warnings.h
+++ b/pdf/pdf_warnings.h
@@ -97,4 +97,5 @@ PARAM(W_PDF_MISMATCH_GENERATION, "The generation number of an indirectly refe
PARAM(W_PDF_BAD_RENDERINGINTENT, "A ri or /RI used an unknown named rendering intent"),
PARAM(W_PDF_BAD_VIEW, "Couldn't read the initial document view"),
PARAM(W_PDF_BAD_WMODE, "A Font or CMap has a WMode which is neither 0 (horizontal) nor 1 (vertical)"),
+PARAM(W_PDF_BAD_CONFIG, "A configuration or command line parameter was invalid or incorrect."),
#undef PARAM

46
0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch Normal file
View File

@ -0,0 +1,46 @@
From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:55:49 +0000
Subject: [PATCH] Bug 707510 - don't allow PDF files with bad Filters to
overflow the debug buffer
Item #2 of the report.
Allocate a buffer to hold the filter name, instead of assuming it will
fit in a fixed buffer.
Reviewed all the other PDFDEBUG cases, no others use a fixed buffer like
this.
---
pdf/pdf_file.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/pdf/pdf_file.c b/pdf/pdf_file.c
index 6680ae2db..4b04e3582 100644
--- a/pdf/pdf_file.c
+++ b/pdf/pdf_file.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018-2023 Artifex Software, Inc.
+/* Copyright (C) 2018-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -777,10 +777,14 @@ static int pdfi_apply_filter(pdf_context *ctx, pdf_dict *dict, pdf_name *n, pdf_
if (ctx->args.pdfdebug)
{
- char str[100];
+ char *str;
+ str = gs_alloc_bytes(ctx->memory, n->length + 1, "temp string for debug");
+ if (str == NULL)
+ return_error(gs_error_VMerror);
memcpy(str, (const char *)n->data, n->length);
str[n->length] = '\0';
dmprintf1(ctx->memory, "FILTER NAME:%s\n", str);
+ gs_free_object(ctx->memory, str, "temp string for debug");
}
if (pdfi_name_is(n, "RunLengthDecode")) {
--
2.45.2

46
0001-Bug-707510-don-t-use-strlen-on-passwords.patch Normal file
View File

@ -0,0 +1,46 @@
From 917b3a71fb20748965254631199ad98210d6c2fb Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:58:22 +0000
Subject: [PATCH] Bug 707510 - don't use strlen on passwords
Item #1 of the report. This looks like an oversight when first coding
the routine. We should use the PostScript string length, because
PostScript strings may not be NULL terminated (and as here may contain
internal NULL characters).
Fix the R6 handler which has the same problem too.
---
pdf/pdf_sec.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c
index e968b89c5..e02e040f9 100644
--- a/pdf/pdf_sec.c
+++ b/pdf/pdf_sec.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020-2023 Artifex Software, Inc.
+/* Copyright (C) 2020-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -1283,7 +1283,7 @@ static int check_password_R5(pdf_context *ctx, char *Password, int PasswordLen,
/* If the supplied Password fails as the user *and* owner password, maybe its in
* the locale, not UTF-8, try converting to UTF-8
*/
- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P);
+ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P);
if (code < 0)
return code;
memcpy(P->data, Password, PasswordLen);
@@ -1330,7 +1330,7 @@ static int check_password_R6(pdf_context *ctx, char *Password, int PasswordLen,
/* If the supplied Password fails as the user *and* owner password, maybe its in
* the locale, not UTF-8, try converting to UTF-8
*/
- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P);
+ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P);
if (code < 0)
return code;
memcpy(P->data, Password, PasswordLen);
--
2.45.2

430
0001-Bug-707510-review-printing-of-pointers.patch Normal file
View File

@ -0,0 +1,430 @@
From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:53:44 +0000
Subject: [PATCH] Bug 707510 - review printing of pointers
This is for item 4 of the report, which is addressed by the change in
gdevpdtb.c. That change uses a fixed name for fonts which have no name
instead of using the pointer to the address of the font.
The remaining changes are all due to reviewing the use of PRI_INTPTR.
In general we only use that for debugging purposes but there were a few
places which were printing pointers arbitrarily, even in a release build.
We really don't want to do that so I've modified the places which were
printing pointer unconditionally so that they only do so if DEBUG is
set at compile time, or a specific debug flag is set.
---
base/gsfont.c | 4 ++--
base/gsicc_cache.c | 8 ++++----
base/gsmalloc.c | 4 ++--
base/gxclmem.c | 5 ++---
base/gxcpath.c | 6 +++++-
base/gxpath.c | 8 +++++++-
base/szlibc.c | 4 +++-
devices/gdevupd.c | 7 ++++++-
devices/vector/gdevpdtb.c | 4 ++--
psi/ialloc.c | 4 ++--
psi/igc.c | 6 +++---
psi/igcstr.c | 6 +++---
psi/iinit.c | 6 +++++-
psi/imainarg.c | 5 +++--
psi/isave.c | 4 ++--
psi/iutil.c | 6 +++++-
16 files changed, 56 insertions(+), 31 deletions(-)
diff --git a/base/gsfont.c b/base/gsfont.c
index 351954776..8b0da819b 100644
--- a/base/gsfont.c
+++ b/base/gsfont.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -791,7 +791,7 @@ gs_purge_font(gs_font * pfont)
else if (pdir->scaled_fonts == pfont)
pdir->scaled_fonts = next;
else { /* Shouldn't happen! */
- lprintf1("purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
+ if_debug1m('u', pfont->memory, "purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
}
/* Purge the font from the scaled font cache. */
diff --git a/base/gsicc_cache.c b/base/gsicc_cache.c
index c2a59107e..c3026c136 100644
--- a/base/gsicc_cache.c
+++ b/base/gsicc_cache.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -161,7 +161,7 @@ icc_linkcache_finalize(const gs_memory_t *mem, void *ptr)
return;
while (link_cache->head != NULL) {
if (link_cache->head->ref_count != 0) {
- emprintf2(link_cache->memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
+ if_debug2m(gs_debug_flag_icc, link_cache->memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
(intptr_t)link_cache->head, link_cache->head->ref_count);
link_cache->head->ref_count = 0; /* force removal */
}
@@ -586,7 +586,7 @@ gsicc_findcachelink(gsicc_hashlink_t hash, gsicc_link_cache_t *icc_link_cache,
/* that was building it failed to be able to complete building it. Try this only
a limited number of times before we bail. */
if (curr->valid == false) {
- emprintf1(curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */
+ if_debug1m(gs_debug_flag_icc, curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */
}
gx_monitor_enter(icc_link_cache->lock); /* re-enter to loop and check */
}
@@ -614,7 +614,7 @@ gsicc_remove_link(gsicc_link_t *link)
/* NOTE: link->ref_count must be 0: assert ? */
gx_monitor_enter(icc_link_cache->lock);
if (link->ref_count != 0) {
- emprintf2(memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
+ if_debug2m(gs_debug_flag_icc, memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
}
curr = icc_link_cache->head;
prev = NULL;
diff --git a/base/gsmalloc.c b/base/gsmalloc.c
index 5d5b0f4d1..6b8da1fba 100644
--- a/base/gsmalloc.c
+++ b/base/gsmalloc.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -420,7 +420,7 @@ gs_heap_resize_string(gs_memory_t * mem, byte * data, size_t old_num, size_t new
client_name_t cname)
{
if (gs_heap_object_type(mem, data) != &st_bytes)
- lprintf2("%s: resizing non-string "PRI_INTPTR"!\n",
+ if_debug2m('a', mem, "%s: resizing non-string "PRI_INTPTR"!\n",
client_name_string(cname), (intptr_t)data);
return gs_heap_resize_object(mem, data, new_num, cname);
}
diff --git a/base/gxclmem.c b/base/gxclmem.c
index 9b9bbcf35..68125303e 100644
--- a/base/gxclmem.c
+++ b/base/gxclmem.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -490,8 +490,7 @@ memfile_fclose(clist_file_ptr cf, const char *fname, bool delete)
/* leaks if other users of the memfile don't 'fclose with delete=true */
if (f->openlist != NULL || ((f->base_memfile != NULL) && f->base_memfile->is_open)) {
/* TODO: do the cleanup rather than just giving an error */
- emprintf1(f->memory,
- "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
+ if_debug1(':', "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
(intptr_t)f);
return_error(gs_error_invalidfileaccess);
} else {
diff --git a/base/gxcpath.c b/base/gxcpath.c
index e277f3172..a7a127db2 100644
--- a/base/gxcpath.c
+++ b/base/gxcpath.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -178,8 +178,10 @@ gx_cpath_init_contained_shared(gx_clip_path * pcpath,
{
if (shared) {
if (shared->path.segments == &shared->path.local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
*pcpath = *shared;
@@ -236,8 +238,10 @@ gx_cpath_init_local_shared_nested(gx_clip_path * pcpath,
if (shared) {
if ((shared->path.segments == &shared->path.local_segments) &&
!safely_nested) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
pcpath->path = shared->path;
diff --git a/base/gxpath.c b/base/gxpath.c
index eb0f3bf2e..817c247b2 100644
--- a/base/gxpath.c
+++ b/base/gxpath.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -137,8 +137,10 @@ gx_path_init_contained_shared(gx_path * ppath, const gx_path * shared,
{
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
*ppath = *shared;
@@ -172,8 +174,10 @@ gx_path_alloc_shared(const gx_path * shared, gs_memory_t * mem,
ppath->procs = &default_path_procs;
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
gs_free_object(mem, ppath, cname);
return 0;
}
@@ -203,8 +207,10 @@ gx_path_init_local_shared(gx_path * ppath, const gx_path * shared,
{
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
*ppath = *shared;
diff --git a/base/szlibc.c b/base/szlibc.c
index e2b0d68c3..5f315c3c3 100644
--- a/base/szlibc.c
+++ b/base/szlibc.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -110,7 +110,9 @@ s_zlib_free(void *zmem, void *data)
gs_free_object(mem, data, "s_zlib_free(data)");
for (; ; block = block->next) {
if (block == 0) {
+#ifdef DEBUG
lprintf1("Freeing unrecorded data "PRI_INTPTR"!\n", (intptr_t)data);
+#endif
return;
}
if (block->data == data)
diff --git a/devices/gdevupd.c b/devices/gdevupd.c
index 740dae012..cb479d21f 100644
--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -1040,8 +1040,13 @@ upd_print_page(gx_device_printer *pdev, gp_file *out)
*/
if(!upd || B_OK4GO != (upd->flags & (B_OK4GO | B_ERROR))) {
#if UPD_MESSAGES & (UPD_M_ERROR | UPD_M_TOPCALLS)
+#ifdef DEBUG
errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n",
(intptr_t)udev,(intptr_t) out);
+#else
+ errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n",
+ (intptr_t)udev,(intptr_t) out);
+#endif
#endif
return_error(gs_error_undefined);
}
diff --git a/devices/vector/gdevpdtb.c b/devices/vector/gdevpdtb.c
index 41046aa21..3d7dcae53 100644
--- a/devices/vector/gdevpdtb.c
+++ b/devices/vector/gdevpdtb.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -373,7 +373,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev, pdf_base_font_t **ppbfont,
font_name.size -= SUBSET_PREFIX_SIZE;
}
} else {
- gs_snprintf(fnbuf, sizeof(fnbuf), ".F" PRI_INTPTR, (intptr_t)copied);
+ gs_snprintf(fnbuf, sizeof(fnbuf), "Anonymous");
font_name.data = (byte *)fnbuf;
font_name.size = strlen(fnbuf);
}
diff --git a/psi/ialloc.c b/psi/ialloc.c
index 6d22110e8..40216e41c 100644
--- a/psi/ialloc.c
+++ b/psi/ialloc.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -391,7 +391,7 @@ gs_free_ref_array(gs_ref_memory_t * mem, ref * parr, client_name_t cname)
size = num_refs * sizeof(ref);
break;
default:
- lprintf3("Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!",
+ if_debug3('A', "Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!",
r_type(parr), num_refs, (intptr_t)obj);
return;
}
diff --git a/psi/igc.c b/psi/igc.c
index 121723f79..ab6565c6b 100644
--- a/psi/igc.c
+++ b/psi/igc.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -1062,7 +1062,7 @@ gc_extend_stack(gc_mark_stack * pms, gc_state_t * pstate)
if (cp == 0) { /* We were tracing outside collectible */
/* storage. This can't happen. */
- lprintf1("mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n",
+ if_debug1('6', "mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n",
(intptr_t)cptr);
gs_abort(pstate->heap);
}
@@ -1291,7 +1291,7 @@ igc_reloc_struct_ptr(const void /*obj_header_t */ *obj, gc_state_t * gcst)
if (cp != 0 && cp->cbase <= (byte *)obj && (byte *)obj <cp->ctop) {
if (back > (cp->ctop - cp->cbase) >> obj_back_shift) {
- lprintf2("Invalid back pointer %u at "PRI_INTPTR"!\n",
+ if_debug2('6', "Invalid back pointer %u at "PRI_INTPTR"!\n",
back, (intptr_t)obj);
gs_abort(NULL);
}
diff --git a/psi/igcstr.c b/psi/igcstr.c
index bfaee419b..c43c12875 100644
--- a/psi/igcstr.c
+++ b/psi/igcstr.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -152,7 +152,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst)
return false;
#ifdef DEBUG
if (ptr < cp->ctop) {
- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
(intptr_t)ptr, size, (intptr_t)cp->ctop, (intptr_t)cp->climit);
return false;
} else if (ptr + size > cp->climit) { /*
@@ -171,7 +171,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst)
while (ptr == scp->climit && scp->outer != 0)
scp = scp->outer;
if (ptr + size > scp->climit) {
- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
(intptr_t)ptr, size,
(intptr_t)scp->ctop, (intptr_t)scp->climit);
return false;
diff --git a/psi/iinit.c b/psi/iinit.c
index ed41b36da..0af7ee9c1 100644
--- a/psi/iinit.c
+++ b/psi/iinit.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -395,8 +395,12 @@ zop_init(i_ctx_t *i_ctx_p)
if (def->proc != 0) {
code = def->proc(i_ctx_p);
if (code < 0) {
+#ifdef DEBUG
lprintf2("op_init proc "PRI_INTPTR" returned error %d!\n",
(intptr_t)def->proc, code);
+#else
+ lprintf("op_init proc returned error !\n");
+#endif
return code;
}
}
diff --git a/psi/imainarg.c b/psi/imainarg.c
index 638694ba2..29ad1d633 100644
--- a/psi/imainarg.c
+++ b/psi/imainarg.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -229,7 +229,8 @@ gs_main_init_with_args01(gs_main_instance * minst, int argc, char *argv[])
if (gs_debug[':'] && !have_dumped_args) {
int i;
- dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ",
+ if (gs_debug_c(gs_debug_flag_init_details))
+ dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ",
(intptr_t)minst);
for (i=1; i<argc; i++)
dmprintf1(minst->heap, "%s ", argv[i]);
diff --git a/psi/isave.c b/psi/isave.c
index 80cf9c1f7..795170fcb 100644
--- a/psi/isave.c
+++ b/psi/isave.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -487,7 +487,7 @@ alloc_save_change_in(gs_ref_memory_t *mem, const ref * pcont,
else if (r_is_struct(pcont))
cp->offset = (byte *) where - (byte *) pcont->value.pstruct;
else {
- lprintf3("Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n",
+ if_debug3('u', "Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n",
r_type(pcont), (intptr_t) pcont, (intptr_t) where);
gs_abort((const gs_memory_t *)mem);
}
diff --git a/psi/iutil.c b/psi/iutil.c
index 405869666..239c26b85 100644
--- a/psi/iutil.c
+++ b/psi/iutil.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -537,7 +537,11 @@ other:
break;
}
/* Internal operator, no name. */
+#if DEBUG
gs_snprintf(buf, sizeof(buf), "@"PRI_INTPTR, (intptr_t) op->value.opproc);
+#else
+ gs_snprintf(buf, sizeof(buf), "@anonymous_operator", (intptr_t) op->value.opproc);
+#endif
break;
}
case t_real:
--
2.45.2

94
0001-Bug-707686.patch Normal file
View File

@ -0,0 +1,94 @@
From 79aef19c685984dc3da2dc090450407d9fbcff80 Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Tue, 26 Mar 2024 12:00:14 +0000
Subject: [PATCH] Bug #707686
See bug thread for details
In addition to the noted bug; an error path (return from
gp_file_name_reduce not successful) could elad to a memory leak as we
did not free 'bufferfull'. Fix that too.
This addresses CVE-2024-33870
---
base/gpmisc.c | 36 ++++++++++++++++++++++++++++++++----
1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 2b0064bea..c4a69b03a 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
const uint len,
const char *mode)
{
- char *buffer, *bufferfull;
+ char *buffer, *bufferfull = NULL;
uint rlen;
int code = 0;
const char *cdirstr = gp_file_name_current();
@@ -1096,8 +1096,10 @@ gp_validate_path_len(const gs_memory_t *mem,
return gs_error_VMerror;
buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
buffer[rlen] = 0;
}
while (1) {
@@ -1132,9 +1134,34 @@ gp_validate_path_len(const gs_memory_t *mem,
code = gs_note_error(gs_error_invalidfileaccess);
}
if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
+ uint newlen = rlen + cdirstrl + dirsepstrl;
+ char *newbuffer;
+ int code;
+
buffer = bufferfull;
memcpy(buffer, cdirstr, cdirstrl);
memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
+
+ /* We've prepended a './' or similar for the current working directory. We need
+ * to execute file_name_reduce on that, to eliminate any '../' or similar from
+ * the (new) full path.
+ */
+ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
+ if (newbuffer == NULL) {
+ code = gs_note_error(gs_error_VMerror);
+ goto exit;
+ }
+
+ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
+ newbuffer[newlen] = 0x00;
+
+ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
+ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
+ if (code != gp_combine_success) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
+
continue;
}
else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
@@ -1153,6 +1180,7 @@ gp_validate_path_len(const gs_memory_t *mem,
gs_path_control_flag_is_scratch_file);
}
+exit:
gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
#ifdef EACCES
if (code == gs_error_invalidfileaccess)
--
2.45.2

43
0001-Bug-707691.patch Normal file
View File

@ -0,0 +1,43 @@
diff --git a/base/gpmisc.c b/base/gpmisc.c
index c4a69b0..b0d5c71 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1090,6 +1090,27 @@ gp_validate_path_len(const gs_memory_t *mem,
rlen = len;
}
else {
+ char *test = (char *)path, *test1;
+ uint tlen = len, slen;
+
+ /* Look for any pipe (%pipe% or '|' specifications between path separators
+ * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
+ */
+ while (tlen > 0) {
+ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
+ test1 = test;
+ slen = search_separator((const char **)&test, path + len, test1, 1);
+ if(slen == 0)
+ break;
+ test += slen;
+ tlen -= test - test1;
+ if (test >= path + len)
+ break;
+ }
+
rlen = len+1;
bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
if (bufferfull == NULL)
@@ -1164,8 +1185,8 @@ gp_validate_path_len(const gs_memory_t *mem,
continue;
}
- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
- buffer = bufferfull + cdirstrl + dirsepstrl;
+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
+ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
continue;
}
break;

26
0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch Normal file
View File

@ -0,0 +1,26 @@
diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
index 74200cf..dc45b22 100644
--- a/contrib/opvp/gdevopvp.c
+++ b/contrib/opvp/gdevopvp.c
@@ -3296,7 +3296,7 @@ _get_params(gx_device* dev, gs_param_list *plist)
/* vector driver name */
pname = "Driver";
vdps.data = (byte *)opdev->globals.vectorDriver;
- vdps.size = (opdev->globals.vectorDriver ? strlen(opdev->globals.vectorDriver) + 1 : 0);
+ vdps.size = (opdev->globals.vectorDriver ? strlen(opdev->globals.vectorDriver) : 0);
vdps.persistent = false;
code = param_write_string(plist, pname, &vdps);
if (code) ecode = code;
@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist)
code = param_read_string(plist, pname, &vdps);
switch (code) {
case 0:
+ if (gs_is_path_control_active(dev->memory)
+ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size
+ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) {
+ param_signal_error(plist, pname, gs_error_invalidaccess);
+ return_error(gs_error_invalidaccess);
+ }
buff = realloc(buff, vdps.size + 1);
memcpy(buff, vdps.data, vdps.size);
buff[vdps.size] = 0;

79
0001-Uniprint-device-prevent-string-configuration-changes.patch Normal file
View File

@ -0,0 +1,79 @@
From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 21 Mar 2024 09:01:15 +0000
Subject: [PATCH] Uniprint device - prevent string configuration changes when
SAFER
Bug #707662
We cannot sanitise the string arguments used by the Uniprint device
because they can potentially include anything.
This commit ensures that these strings are locked and cannot be
changed by PostScript once SAFER is activated. Full configuration from
the command line is still possible (see the *.upp files in lib).
This addresses CVE-2024-29510
---
devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/devices/gdevupd.c b/devices/gdevupd.c
index c9389e7bc..016a9260a 100644
--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
@@ -1891,6 +1891,16 @@ out on this copies.
if(!upd_strings[i]) continue;
UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
if(0 == code) {
+ if (gs_is_path_control_active(udev->memory)) {
+ if (strings[i].size != value.size)
+ error = gs_error_invalidaccess;
+ else {
+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
+ error = gs_error_invalidaccess;
+ }
+ if (error < 0)
+ goto exit;
+ }
if(0 <= error) error |= UPD_PUT_STRINGS;
UPD_MM_DEL_PARAM(udev->memory, strings[i]);
if(!value.size) {
@@ -1908,6 +1918,26 @@ out on this copies.
if(!upd_string_a[i]) continue;
UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
if(0 == code) {
+ if (gs_is_path_control_active(udev->memory)) {
+ if (string_a[i].size != value.size)
+ error = gs_error_invalidaccess;
+ else {
+ int loop;
+ for (loop = 0;loop < string_a[i].size;loop++) {
+ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
+ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
+
+ if (tmp1->size != tmp2->size)
+ error = gs_error_invalidaccess;
+ else {
+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
+ error = gs_error_invalidaccess;
+ }
+ }
+ }
+ if (error < 0)
+ goto exit;
+ }
if(0 <= error) error |= UPD_PUT_STRING_A;
UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
if(!value.size) {
@@ -2102,6 +2132,7 @@ transferred into the device-structure. In the case of "uniprint", this may
if(0 > code) error = code;
}
+exit:
if(0 < error) { /* Actually something loaded without error */
if(!(upd = udev->upd)) {
--
2.45.2

60
0001-X-device-fix-compiler-warning.patch Normal file
View File

@ -0,0 +1,60 @@
From 8f5c77af6c0b84bdea719010cf4f67877e857b2b Mon Sep 17 00:00:00 2001
Message-ID: <8f5c77af6c0b84bdea719010cf4f67877e857b2b.1705768875.git.mjg@fedoraproject.org>
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Fri, 19 Jan 2024 08:44:33 +0000
Subject: [PATCH] X device - fix compiler 'warning'
Bug #707502 "- -Wincompatible-pointer-types warning in devices/gdevxini.c"
This is probably an oversight from when we changed a load of variables
to size_t.
Seems odd that compilers (well gcc) should refuse to compile becuase of
a warning, but that's compilers. The pointer type is incorrect so let's
fix it.
---
devices/gdevx.h | 4 ++--
devices/gdevxini.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/devices/gdevx.h b/devices/gdevx.h
index 82855ae15..1a513afcd 100644
--- a/devices/gdevx.h
+++ b/devices/gdevx.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -39,7 +39,7 @@ typedef struct gx_device_X_s {
bool is_buffered;
bool IsPageDevice;
byte *buffer; /* full-window image */
- long buffer_size;
+ size_t buffer_size;
gx_device_color_info orig_color_info;
/* An XImage object for writing bitmap images to the screen */
diff --git a/devices/gdevxini.c b/devices/gdevxini.c
index df489617c..5f68ce035 100644
--- a/devices/gdevxini.c
+++ b/devices/gdevxini.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -621,7 +621,7 @@ x_set_buffer(gx_device_X * xdev)
}
if (mdev->width != xdev->width || mdev->height != xdev->height) {
byte *buffer;
- ulong space;
+ size_t space;
if (gdev_mem_data_size(mdev, xdev->width, xdev->height, &space) < 0 ||
space > xdev->space_params.MaxBitmap) {
--
2.43.0.462.gcdfa2ea447

22
SOURCES/ghostscript-9.23-100-run-dvipdf-securely.patch
View File

@ -1,22 +0,0 @@
From 91c9c6d17d445781ee572c281b8b9d75d96f9df8 Mon Sep 17 00:00:00 2001
From: "David Kaspar [Dee'Kej]" <dkaspar@redhat.com>
Date: Fri, 7 Oct 2016 13:57:01 +0200
Subject: [PATCH] Make sure 'dvipdf' is being run securely
---
lib/dvipdf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dvipdf b/lib/dvipdf
index 802aeab..c92dfb0 100755
--- a/lib/dvipdf
+++ b/lib/dvipdf
@@ -43,4 +43,4 @@ fi
# We have to include the options twice because -I only takes effect if it
# appears before other options.
-exec dvips -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite -
+exec dvips -R -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite -
--
2.14.3

44
SOURCES/ghostscript-9.27-CVE-2023-28879.patch
View File

@ -1,44 +0,0 @@
From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Fri, 24 Mar 2023 13:19:57 +0000
Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
Bug #706494 "Buffer Overflow in s_xBCPE_process"
As described in detail in the bug report, if the write buffer is filled
to one byte less than full, and we then try to write an escaped
character, we overrun the buffer because we don't check before
writing two bytes to it.
This just checks if we have two bytes before starting to write an
escaped character and exits if we don't (replacing the consumed byte
of the input).
Up for further discussion; why do we even permit a BCP encoding filter
anyway ? I think we should remove this, at least when SAFER is true.
---
base/sbcp.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/base/sbcp.c b/base/sbcp.c
index 979ae0992..47fc233ec 100644
--- a/base/sbcp.c
+++ b/base/sbcp.c
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
byte ch = *++p;
if (ch <= 31 && escaped[ch]) {
+ /* Make sure we have space to store two characters in the write buffer,
+ * if we don't then exit without consuming the input character, we'll process
+ * that on the next time round.
+ */
+ if (pw->limit - q < 2) {
+ p--;
+ break;
+ }
if (p == rlimit) {
p--;
break;
--
2.39.2

27
SOURCES/ghostscript-9.27-CVE-2023-38559.patch
View File

@ -1,27 +0,0 @@
From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Mon, 17 Jul 2023 14:06:37 +0100
Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from
devices/gdevpcx.c
Bounds check the buffer, before dereferencing the pointer.
---
base/gdevdevn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/base/gdevdevn.c b/base/gdevdevn.c
index 7b14d9c71..6351fb77a 100644
--- a/base/gdevdevn.c
+++ b/base/gdevdevn.c
@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file
byte data = *from;
from += step;
- if (data != *from || from == end) {
+ if (from >= end || data != *from) {
if (data >= 0xc0)
putc(0xc1, file);
} else {
--
2.41.0

28
SOURCES/ghostscript-9.27-CVE-2023-4042.patch
View File

@ -1,28 +0,0 @@
From 2793769ff107d8d22dadd30c6e68cd781b569550 Mon Sep 17 00:00:00 2001
From: Julian Smith <jules@op59.net>
Date: Mon, 4 Nov 2019 12:30:33 +0000
Subject: [PATCH] Bug 701819: fixed ordering in if expression to avoid
out-of-bounds access.
Fixes:
./sanbin/gs -dBATCH -dNOPAUSE -r965 -sOutputFile=tmp -sDEVICE=pcx16 ../bug-701819.pdf
---
devices/gdevpcx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/devices/gdevpcx.c b/devices/gdevpcx.c
index 1735851d2..91de4abb6 100644
--- a/devices/gdevpcx.c
+++ b/devices/gdevpcx.c
@@ -442,7 +442,7 @@ pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file)
byte data = *from;
from += step;
- if (data != *from || from == end) {
+ if (from >= end || data != *from) {
if (data >= 0xc0)
putc(0xc1, file);
} else {
--
2.41.0

88
SOURCES/ghostscript-9.27-Deal-with-different-VM-modes-during-CIDFont-loading.patch
View File

@ -1,88 +0,0 @@
From 0b74b65ecc0f36d40b8d04a7fa1fa8b5f9d2b3ff Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 13 Oct 2022 14:55:28 +0100
Subject: [PATCH] Deal with different VM modes during CIDFont loading
To help differentiate between a substituted CIDFont and an embedded one, a
change was made to store the file path in the CIDFont dictionary. That change
failed to account for the possibility that the file object and the CIDFont
dictionary may not be in compatible VM modes.
This adds code to ensure that the string holding the path is in a suitable VM
mode to be stored into the dictionary.
Reported by Richard Lescak <rlescak@redhat.com>
---
Resource/Init/gs_cidfn.ps | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/Resource/Init/gs_cidfn.ps b/Resource/Init/gs_cidfn.ps
index 870a2e11c..fa050ed7a 100644
--- a/Resource/Init/gs_cidfn.ps
+++ b/Resource/Init/gs_cidfn.ps
@@ -1,4 +1,4 @@
-% Copyright (C) 2001-2019 Artifex Software, Inc.
+% Copyright (C) 2001-2022 Artifex Software, Inc.
% All Rights Reserved.
%
% This software is provided AS-IS with no warranty, either express or
@@ -36,6 +36,17 @@
30 dict begin
+/.gcompatstringcopy % <string> <global> .gcompatstringcopy <string>
+{
+ dup 2 index gcheck eq
+ { pop }
+ {
+ currentglobal 3 1 roll setglobal
+ dup length string copy
+ exch setglobal
+ } ifelse
+} bind def
+
% The key in .cidfonttypes is the CIDFontType value;
% the value is a procedure that takes a font name and the CIDFont dictionary
% and replaces the latter with a real font.
@@ -58,7 +69,7 @@ dup 0 {
end
} if
1 index exch .buildfont9
- .currentresourcefile dup type /filetype eq { //.filename {1 index exch /ResourcePath exch put} if }{ pop} ifelse
+ .currentresourcefile dup type /filetype eq { //.filename {1 index gcheck //.gcompatstringcopy exec 1 index exch /ResourcePath exch put} if }{ pop} ifelse
exch pop
} put % Don't bind it here, because gs_fapi.ps redefines .buildfont9
@@ -138,10 +149,11 @@ dup 0 {
% ------ CIDFontType 1 (FontType 10) ------ %
+
dup 1 {
10 //.checkfonttype exec pop
1 index exch .buildfont10
- .currentresourcefile dup type /filetype eq { //.filename {1 index exch /ResourcePath exch put} if }{ pop} ifelse
+ .currentresourcefile dup type /filetype eq { //.filename {1 index gcheck //.gcompatstringcopy exec 1 index exch /ResourcePath exch put} if }{ pop} ifelse
exch pop
} put % Don't bind it here because gs_fapi.ps redefines .buildfont10
@@ -150,12 +162,15 @@ dup 1 {
dup 2 {
11 //.checkfonttype exec pop
1 index exch .buildfont11
- .currentresourcefile dup type /filetype eq { //.filename {1 index exch /ResourcePath exch put} if }{ pop} ifelse
+ .currentresourcefile dup type /filetype eq { //.filename {1 index gcheck //.gcompatstringcopy exec 1 index exch /ResourcePath exch put} if }{ pop} ifelse
exch pop
} put % Don't bind it here because gs_fapi.ps redefines .buildfont11
+currentdict /.gcompatstringcopy .undef
+
pop % .cidfonttypes
+
% ---------------- Reading CIDFontType 0 files ---------------- %
/StartData { % <(Binary)|(Hex)> <datalength> StartData -
--
2.37.3

22
SOURCES/ghostscript-9.27-ESC-Page-driver-does-not-set-page-size-correctly.patch
View File

@ -1,22 +0,0 @@
diff -x .git -Napur ghostscript-9.27.old/contrib/japanese/gdevespg.c ghostscript-9.27.new/contrib/japanese/gdevespg.c
--- ghostscript-9.27.old/contrib/japanese/gdevespg.c 2019-04-04 00:43:14.000000000 -0700
+++ ghostscript-9.27.new/contrib/japanese/gdevespg.c 2023-01-24 11:25:32.588189093 -0800
@@ -273,6 +273,9 @@ escpage_paper_set(gx_device_printer * pd
int width, height, w, h, wp, hp, bLandscape;
EpagPaperTable *pt;
+ /* Page size match tolerance in points */
+ #define TOL 5
+
width = pdev->MediaSize[0];
height = pdev->MediaSize[1];
@@ -291,7 +294,7 @@ escpage_paper_set(gx_device_printer * pd
}
for (pt = epagPaperTable; pt->escpage > 0; pt++)
- if (pt->width == w && pt->height == h)
+ if (abs(w - pt->width) <= TOL && abs(h - pt->height) <= TOL)
break;
fprintf(fp, "%c%d", GS, pt->escpage);

88
SOURCES/ghostscript-9.27-avoid-divide-by-zero-in-devices.patch
View File

@ -1,88 +0,0 @@
From f70ab2044429fe4b991801476ea3f4b4a5c0cdf4 Mon Sep 17 00:00:00 2001
From: Julian Smith <jules@op59.net>
Date: Wed, 6 Nov 2019 11:46:10 +0000
Subject: [PATCH 1/2] Bug 701843: avoid divide by zero caused by custom
resolution being too low.
Fixes:
./sanbin/gs -dBATCH -dNOPAUSE -dSAFER -r8 -dNOCIE -dFitPage -sOutputFile=tmp -sDEVICE=eps9mid ../bug-701843.pdf
---
devices/gdevepsn.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/devices/gdevepsn.c b/devices/gdevepsn.c
index 49faaf3d7..3e5388322 100644
--- a/devices/gdevepsn.c
+++ b/devices/gdevepsn.c
@@ -159,10 +159,10 @@ eps_print_page(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high,
int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
/* Note that in_size is a multiple of 8. */
int in_size = line_size * (8 * in_y_mult);
- byte *buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf1)");
- byte *buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf2)");
- byte *in = buf1;
- byte *out = buf2;
+ byte *buf1;
+ byte *buf2;
+ byte *in;
+ byte *out;
int out_y_mult = (y_24pin ? 3 : 1);
int x_dpi = (int)pdev->x_pixels_per_inch;
char start_graphics =
@@ -174,6 +174,17 @@ eps_print_page(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high,
int bytes_per_space = dots_per_space * out_y_mult;
int tab_min_pixels = x_dpi * MIN_TAB_10THS / 10;
int skip = 0, lnum = 0, pass, ypass;
+
+ if (bytes_per_space == 0) {
+ /* This avoids divide by zero later on, bug 701843. */
+ return_error(gs_error_rangecheck);
+ }
+
+ buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf1)");
+ buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf2)");
+ in = buf1;
+ out = buf2;
+
/* Check allocations */
if ( buf1 == 0 || buf2 == 0 )
diff --git a/devices/gdevepsc.c b/devices/gdevepsc.c
--- a/devices/gdevepsc.c
+++ b/devices/gdevepsc.c
@@ -174,13 +174,7 @@
int y_mult = (y_24pin ? 3 : 1);
int line_size = (pdev->width + 7) >> 3; /* always mono */
int in_size = line_size * (8 * y_mult);
- byte *in =
- (byte *) gs_malloc(pdev->memory, in_size + 1, 1,
- "epsc_print_page(in)");
int out_size = ((pdev->width + 7) & -8) * y_mult;
- byte *out =
- (byte *) gs_malloc(pdev->memory, out_size + 1, 1,
- "epsc_print_page(out)");
int x_dpi = (int)pdev->x_pixels_per_inch;
char start_graphics = (char)
((y_24pin ? graphics_modes_24 : graphics_modes_9)[x_dpi / 60]);
@@ -195,6 +189,20 @@
int color_line_size, color_in_size;
int spare_bits = (pdev->width % 8); /* left over bits to go to margin */
int whole_bits = pdev->width - spare_bits;
+ byte *out;
+ byte *in;
+
+ if (bytes_per_space == 0) {
+ /* This avoids divide by zero later on, bug 701843. */
+ return_error(gs_error_rangecheck);
+ }
+
+ in =
+ (byte *) gs_malloc(pdev->memory, in_size + 1, 1,
+ "epsc_print_page(in)");
+ out =
+ (byte *) gs_malloc(pdev->memory, out_size + 1, 1,
+ "epsc_print_page(out)");
/* Check allocations */
if (in == 0 || out == 0) {

63
SOURCES/ghostscript-9.27-fix-bbox.patch
View File

@ -1,63 +0,0 @@
diff -Napur ghostscript-9.27.old/base/fapi_ft.c ghostscript-9.27.new/base/fapi_ft.c
--- ghostscript-9.27.old/base/fapi_ft.c 2019-04-04 00:43:14.000000000 -0700
+++ ghostscript-9.27.new/base/fapi_ft.c 2023-03-07 16:41:56.217995052 -0800
@@ -974,13 +974,19 @@ make_rotation(FT_Matrix * a_transform, c
*/
static void
transform_decompose(FT_Matrix * a_transform, FT_UInt * xresp, FT_UInt * yresp,
- FT_Fixed * a_x_scale, FT_Fixed * a_y_scale)
+ FT_Fixed * a_x_scale, FT_Fixed * a_y_scale, int units_per_EM)
{
double scalex, scaley, fact = 1.0;
double factx = 1.0, facty = 1.0;
FT_Matrix ftscale_mat;
FT_UInt xres;
FT_UInt yres;
+ /* We have to account for units_per_EM as we fiddle with the scaling
+ * in order to avoid underflow (mostly in the TTF hinting code), but
+ * we also want to clamp to a lower value (512, admittedly arrived at
+ * via experimentation) in order to preserve the fidelity of the outlines.
+ */
+ double upe = units_per_EM > 512 ? (float)units_per_EM : 512.0;
scalex = hypot((double)a_transform->xx, (double)a_transform->xy);
scaley = hypot((double)a_transform->yx, (double)a_transform->yy);
@@ -1067,10 +1073,25 @@ transform_decompose(FT_Matrix * a_transf
scalex *= fact;
}
- ftscale_mat.xx = (FT_Fixed) (65536.0 / scalex);
- ftscale_mat.xy = (FT_Fixed) 0;
- ftscale_mat.yx = (FT_Fixed) 0;
- ftscale_mat.yy = (FT_Fixed) (65536.0 / scaley);
+ /* see above */
+ fact = 1.0;
+ while (scaley * yres > (double)upe * 72.0 && (xres > 0 && yres > 0)
+ && (scalex > 0.0 && scaley > 0.0)) {
+ if (scaley < yres) {
+ xres >>= 1;
+ yres >>= 1;
+ fact *= 2.0;
+ }
+ else {
+ scalex /= 1.25;
+ scaley /= 1.25;
+ }
+ }
+
+ ftscale_mat.xx = (FT_Fixed) ((65536.0 / scalex) * fact);
+ ftscale_mat.xy = 0;
+ ftscale_mat.yx = 0;
+ ftscale_mat.yy = (FT_Fixed) ((65536.0 / scaley) * fact);
FT_Matrix_Multiply(a_transform, &ftscale_mat);
memcpy(a_transform, &ftscale_mat, sizeof(FT_Matrix));
@@ -1315,7 +1336,7 @@ gs_fapi_ft_get_scaled_font(gs_fapi_serve
* transform.
*/
transform_decompose(&face->ft_transform, &face->horz_res,
- &face->vert_res, &face->width, &face->height);
+ &face->vert_res, &face->width, &face->height, face->ft_face->units_per_EM);
ft_error = FT_Set_Char_Size(face->ft_face, face->width, face->height,
face->horz_res, face->vert_res);

16
SOURCES/ghostscript-9.27-fix-use-of-HWMargins.patch
View File

@ -1,16 +0,0 @@
diff -Napur '--exclude=.git' ghostscript-9.27.old/devices/vector/opdfread.ps ghostscript-9.27.new/devices/vector/opdfread.ps
--- ghostscript-9.27.old/devices/vector/opdfread.ps 2019-04-04 00:43:14.000000000 -0700
+++ ghostscript-9.27.new/devices/vector/opdfread.ps 2022-06-14 17:44:27.963033829 -0700
@@ -998,10 +998,10 @@ currentdict end readonly def
} if % id obj node
1 index exch /Context exch put % id obj
dup /ImmediateExec true put
- dup /IsPage true put
- SetPageSize {dup /Context get //SetupPageView exec} if
% This gets restored at the end of ExecuteStream if IsPage is true.
/pagesave save def
+ dup /IsPage true put
+ SetPageSize {dup /Context get //SetupPageView exec} if
} bind def
/FontFileDaemon % <id> <obj> <font_descriptor> FontFileDaemon <id> <obj>

106
SOURCES/ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
View File

@ -1,106 +0,0 @@
From 346f12459aa67cdb5ff9e267c2c8cccc17f4a376 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 15 Mar 2023 15:38:29 +0000
Subject: [PATCH] Bug 706478: pdfwrite: Substituted TTF CIDFont CID handling
The PS interpreter callback that handles converting a CID to a TTF GID did
not handle the case of substituted CIDFonts.
It requires looking up the CID on the Decoding (to get a Unicode code point),
and then looking up the code point in the TTF cmap table to get the GID.
The rendering code already handled it.
---
psi/zfcid1.c | 73 +++++++++++++++++++++++++++++++++-------------------
1 file changed, 46 insertions(+), 27 deletions(-)
diff --git a/psi/zfcid1.c b/psi/zfcid1.c
index fd502ff12..55de85d45 100644
--- a/psi/zfcid1.c
+++ b/psi/zfcid1.c
@@ -77,37 +77,56 @@
int gdbytes = pfont->cidata.common.GDBytes;
int gnum = 0;
const byte *data;
- int i, code;
+ int i, code = -1;
ref rcid;
ref *prgnum;
+ ref *p, *fdict = pfont_dict(pfont);
+
+ if (r_has_type(fdict, t_dictionary) && dict_find_string(fdict, "Path", &p)) {
+ ref *Decoding = NULL, *TT_cmap = NULL, *SubstNWP = NULL, src_type, dst_type;
+ uint c;
+
+ code = dict_find_string(fdict, "Decoding", &Decoding);
+ if (code > 0)
+ code = dict_find_string(fdict, "TT_cmap", &TT_cmap);
+ if (code > 0)
+ code = dict_find_string(fdict, "SubstNWP", &SubstNWP);
+ if (code > 0) {
+ code = cid_to_TT_charcode(pfont->memory, Decoding, TT_cmap, SubstNWP, cid, &c, &src_type, &dst_type);
+ if (code >= 0)
+ gnum = c;
+ }
+ }
- switch (r_type(pcidmap)) {
- case t_string:
- if (cid >= r_size(pcidmap) / gdbytes)
- return_error(gs_error_rangecheck);
- data = pcidmap->value.const_bytes + cid * gdbytes;
- break;
- case t_integer:
- return cid + pcidmap->value.intval;
- case t_dictionary:
- make_int(&rcid, cid);
- code = dict_find(pcidmap, &rcid, &prgnum);
- if (code <= 0)
- return (code < 0 ? code : gs_note_error(gs_error_undefined));
- if (!r_has_type(prgnum, t_integer))
- return_error(gs_error_typecheck);
- return prgnum->value.intval;
- default: /* array type */
- code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes,
- gdbytes, NULL, NULL, &data);
+ if (code < 0) {
+ switch (r_type(pcidmap)) {
+ case t_string:
+ if (cid >= r_size(pcidmap) / gdbytes)
+ return_error(gs_error_rangecheck);
+ data = pcidmap->value.const_bytes + cid * gdbytes;
+ break;
+ case t_integer:
+ return cid + pcidmap->value.intval;
+ case t_dictionary:
+ make_int(&rcid, cid);
+ code = dict_find(pcidmap, &rcid, &prgnum);
+ if (code <= 0)
+ return (code < 0 ? code : gs_note_error(gs_error_undefined));
+ if (!r_has_type(prgnum, t_integer))
+ return_error(gs_error_typecheck);
+ return prgnum->value.intval;
+ default: /* array type */
+ code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes,
+ gdbytes, NULL, NULL, &data);
- if (code < 0)
- return code;
- if ( code > 0 )
- return_error(gs_error_invalidfont);
+ if (code < 0)
+ return code;
+ if ( code > 0 )
+ return_error(gs_error_invalidfont);
+ }
+ for (i = 0; i < gdbytes; ++i)
+ gnum = (gnum << 8) + data[i];
}
- for (i = 0; i < gdbytes; ++i)
- gnum = (gnum << 8) + data[i];
if (gnum >= pfont->data.trueNumGlyphs)
return_error(gs_error_invalidfont);
return gnum;
--
2.39.2

43
SOURCES/ghostscript-cve-2019-10216.patch
View File

@ -1,43 +0,0 @@
From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Fri, 2 Aug 2019 15:18:26 +0100
Subject: Bug 701394: protect use of .forceput with executeonly
diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
index 6c7735bc0c..a039ccee35 100644
--- a/Resource/Init/gs_type1.ps
+++ b/Resource/Init/gs_type1.ps
@@ -118,25 +118,25 @@
( to be the same as glyph: ) print 1 index //== exec } if
3 index exch 3 index .forceput
% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
- }
+ }executeonly
{pop} ifelse
- } forall
+ } executeonly forall
pop pop
- }
+ } executeonly
{
pop pop pop
} ifelse
- }
+ } executeonly
{
% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
pop pop
} ifelse
- } forall
+ } executeonly forall
3 1 roll pop pop
- } if
+ } executeonly if
pop
dup /.AGLprocessed~GS //true .forceput
- } if
+ } executeonly if
%% We need to excute the C .buildfont1 in a stopped context so that, if there
%% are errors we can put the stack back sanely and exit. Otherwise callers won't

56
SOURCES/ghostscript-cve-2019-14811-14812-14813.patch
View File

@ -1,56 +0,0 @@
From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Tue, 20 Aug 2019 10:10:28 +0100
Subject: make .forceput inaccessible
Bug #701343, #701344, #701345
More defensive programming. We don't want people to access .forecput
even though it is no longer sufficient to bypass SAFER. The exploit
in #701343 didn't work anyway because of earlier work to stop the error
handler being used, but nevertheless, prevent access to .forceput from
.setuserparams2.
diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
index 4cc7f820f..0fd416465 100644
--- a/Resource/Init/gs_lev2.ps
+++ b/Resource/Init/gs_lev2.ps
@@ -158,7 +158,7 @@ end
{
pop pop
} ifelse
- } forall
+ } executeonly forall
% A context switch might have occurred during the above loop,
% causing the interpreter-level parameters to be reset.
% Set them again to the new values. From here on, we are safe,
@@ -229,9 +229,9 @@ end
{ pop pop
}
ifelse
- }
+ } executeonly
forall pop
-} .bind odef
+} .bind executeonly odef
% Initialize the passwords.
% NOTE: the names StartJobPassword and SystemParamsPassword are known to
diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
index c158a8faf..422e66e1a 100644
--- a/Resource/Init/gs_pdfwr.ps
+++ b/Resource/Init/gs_pdfwr.ps
@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef
systemdict /.pdf_hooked_DSC_Creator //true .forceput
} executeonly if
pop
- } if
+ } executeonly if
} {
pop
} ifelse
- }
+ } executeonly
{
pop
} ifelse

189
SOURCES/ghostscript-cve-2019-14817.patch
View File

@ -1,189 +0,0 @@
diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
index 1a218f4..cffde5c 100644
--- a/Resource/Init/pdf_base.ps
+++ b/Resource/Init/pdf_base.ps
@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef
{
dup ==only () = flush
} ifelse % PDFSTEP
- } if % PDFDEBUG
+ } executeonly if % PDFDEBUG
2 copy .knownget {
exch pop exch pop exch pop exec
} {
diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
index e18a7c2..0a3924c 100644
--- a/Resource/Init/pdf_draw.ps
+++ b/Resource/Init/pdf_draw.ps
@@ -501,8 +501,8 @@ end
( Output may be incorrect.\n) pdfformaterror
//pdfdict /.gs_warning_issued //true .forceput
PDFSTOPONERROR { /gs /undefined signalerror } if
- } if
- }
+ } executeonly if
+ } executeonly
ifelse
} bind executeonly def
@@ -1142,7 +1142,7 @@ currentdict end readonly def
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
@@ -1150,8 +1150,8 @@ currentdict end readonly def
pdfformaterror
} executeonly ifelse
end
- } ifelse
- } loop
+ } executeonly ifelse
+ } executeonly loop
{
(\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
//pdfdict /.Qqwarning_issued .knownget
@@ -1165,14 +1165,14 @@ currentdict end readonly def
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
+ } executeonly if
pop
% restore pdfemptycount
diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
index 9fb85f6..357ba30 100644
--- a/Resource/Init/pdf_font.ps
+++ b/Resource/Init/pdf_font.ps
@@ -677,7 +677,7 @@ currentdict end readonly def
currentglobal 2 index dup gcheck setglobal
/FontInfo 5 dict dup 5 1 roll .forceput
setglobal
- } if
+ } executeonly if
dup /GlyphNames2Unicode .knownget not {
//true % No existing G2U, make one
} {
@@ -701,9 +701,9 @@ currentdict end readonly def
} if
PDFDEBUG {
(.processToUnicode end) =
- } if
- } if
- } stopped
+ } executeonly if
+ } executeonly if
+ } executeonly stopped
{
.dstackdepth 1 countdictstack 1 sub
{pop end} for
@@ -1233,19 +1233,20 @@ currentdict /eexec_pdf_param_dict .undef
//pdfdict /.Qqwarning_issued //true .forceput
} executeonly if
Q
- } repeat
+ } executeonly repeat
Q
- } PDFfile fileposition 2 .execn % Keep pdfcount valid.
+ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid.
PDFfile exch setfileposition
- } ifelse
- } {
+ } executeonly ifelse
+ } executeonly
+ {
% PDF Type 3 fonts don't use .notdef
% d1 implementation adjusts the width as needed
0 0 0 0 0 0
pdfopdict /d1 get exec
} ifelse
end end
- } bdef
+ } executeonly bdef
dup currentdict Encoding .processToUnicode
currentdict end .completefont exch pop
} bind executeonly odef
@@ -2045,9 +2046,9 @@ currentdict /CMap_read_dict undef
(Will continue, but content may be missing.) = flush
} ifelse
} if
- } if
+ } executeonly if
/findresource cvx /undefined signalerror
- } loop
+ } executeonly loop
} bind executeonly odef
/buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font>
diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
index 5305ea6..a59e63c 100644
--- a/Resource/Init/pdf_main.ps
+++ b/Resource/Init/pdf_main.ps
@@ -2749,15 +2749,15 @@ currentdict /PDF2PS_matrix_key undef
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
- } if
+ } executeonly if
+ } executeonly if
pop
count PDFexecstackcount sub { pop } repeat
(after exec) VMDEBUG
diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
index 285e582..6c1f100 100644
--- a/Resource/Init/pdf_ops.ps
+++ b/Resource/Init/pdf_ops.ps
@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
+ } executeonly if
} bind executeonly odef
% Save PDF gstate
@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef
dup type /booleantype eq {
.currentSMask type /dicttype eq {
.currentSMask /Processed 2 index .forceput
+ } executeonly
+ {
+ .setSMask
+ }ifelse
} executeonly
{
- .setSMask
- }ifelse
- }{
.setSMask
}ifelse

18
SOURCES/ghostscript-cve-2020-16290.patch
View File

@ -1,18 +0,0 @@
diff --git a/devices/gdev3852.c b/devices/gdev3852.c
index e21b403..2bee8ec 100644
--- a/devices/gdev3852.c
+++ b/devices/gdev3852.c
@@ -76,6 +76,13 @@ jetp3852_print_page(gx_device_printer *pdev, FILE *prn_stream)
{ int lnum;
int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
int num_blank_lines = 0;
+
+ if (line_size > DATA_SIZE) {
+ emprintf2(pdev->memory, "invalid resolution and/or width gives line_size = %d, max. is %d\n",
+ line_size, DATA_SIZE);
+ return_error(gs_error_rangecheck);
+ }
+
for ( lnum = 0; lnum < pdev->height; lnum++ )
{ byte *end_data = data + line_size;
gdev_prn_copy_scan_lines(pdev, lnum,

257
SOURCES/ghostscript-cve-2020-16291.patch
View File

@ -1,257 +0,0 @@
diff --git a/contrib/gdevdj9.c b/contrib/gdevdj9.c
index eec1c77..a4e8e9c 100644
--- a/contrib/gdevdj9.c
+++ b/contrib/gdevdj9.c
@@ -575,26 +575,55 @@ static int cdj_set_bpp(gx_device *, int, int);
static int
hp_colour_open(gx_device * pdev)
{
- int retCode;
+ int retCode = 0;
+
+ /* Change the margins if necessary. */
+ static const float dj_a4[4] = {
+ DESKJET_MARGINS_A4
+ };
+
+ static const float dj_letter[4] = {
+ DESKJET_MARGINS_LETTER
+ };
+ const float *m = (float *)0;
cdj970->PageCtr = 0;
+ /* quality setup */
+ if (cdj970->quality == DRAFT) {
+ gx_device_set_resolution((gx_device *) pdev, 300.0, 300.0);
+ cdj970->xscal = 0;
+ cdj970->yscal = 0;
+ cdj970->intensities = 2;
+ } else if (cdj970->quality == NORMAL) {
+ gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0);
+ cdj970->xscal = 1;
+ cdj970->yscal = 1;
+ /* intensities = 4 from initialization */
+ } else { /* quality == PRESENTATION */
+ gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0);
+ cdj970->xscal = 0;
+ cdj970->yscal = 0;
+ /* intensities = 4 from initialization */
+ }
+
+ m = (gdev_pcl_paper_size((gx_device *) pdev) ==
+ PAPER_SIZE_A4 ? dj_a4 : dj_letter);
+
+ gx_device_set_margins((gx_device *) pdev, m, true);
+
/* Set up colour params if put_params has not already done so */
if (pdev->color_info.num_components == 0) {
- int code = cdj_set_bpp(pdev, pdev->color_info.depth,
+ retCode = cdj_set_bpp(pdev, pdev->color_info.depth,
pdev->color_info.num_components);
- if (code < 0)
- return code;
+ if (retCode < 0)
+ return retCode;
}
retCode = gdev_prn_open(pdev);
- if (retCode < 0)
- return (retCode);
- else {
+ if (retCode >= 0) {
retCode = gdev_prn_open_printer(pdev, true);
- if (retCode < 0)
- return (retCode);
}
return 0;
@@ -648,26 +677,25 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist)
int bpp = 0;
int code = 0;
- code = cdj_put_param_int(plist, "BitsPerPixel", &bpp, 1, 32, code);
- code = cdj_put_param_int(plist, "Quality", &quality, 0, 2, code);
- code = cdj_put_param_int(plist, "Papertype", &papertype, 0, 4, code);
- code = cdj_put_param_int(plist, "Duplex", &duplex, 0, 2, code);
- code =
- cdj_put_param_float(plist, "MasterGamma", &mastergamma, 0.1, 9.0,
- code);
- code =
- cdj_put_param_float(plist, "GammaValC", &gammavalc, 0.0, 9.0, code);
- code =
- cdj_put_param_float(plist, "GammaValM", &gammavalm, 0.0, 9.0, code);
- code =
- cdj_put_param_float(plist, "GammaValY", &gammavaly, 0.0, 9.0, code);
- code =
- cdj_put_param_float(plist, "GammaValK", &gammavalk, 0.0, 9.0, code);
- code =
- cdj_put_param_float(plist, "BlackCorrect", &blackcorrect, 0.0, 9.0,
- code);
-
- if (code < 0)
+ if ((code = cdj_put_param_int(plist, "BitsPerPixel", &bpp, 1, 32, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_int(plist, "Quality", &quality, 0, 2, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_int(plist, "Papertype", &papertype, 0, 4, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_int(plist, "Duplex", &duplex, 0, 2, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_float(plist, "MasterGamma", &mastergamma, 0.1, 9.0, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_float(plist, "GammaValC", &gammavalc, 0.0, 9.0, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_float(plist, "GammaValM", &gammavalm, 0.0, 9.0, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_float(plist, "GammaValY", &gammavaly, 0.0, 9.0, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_float(plist, "GammaValK", &gammavalk, 0.0, 9.0, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_float(plist, "BlackCorrect", &blackcorrect, 0.0, 9.0, code)) < 0)
return code;
code = cdj_put_param_bpp(pdev, plist, bpp, bpp, 0);
@@ -676,6 +704,12 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist)
return code;
cdj970->quality = quality;
+ if (cdj970->quality != quality) {
+ if (pdev->is_open)
+ gs_closedevice(pdev); /* quality can change resolution, force re-open */
+ cdj970->quality = quality;
+ }
+
cdj970->papertype = papertype;
cdj970->duplex = duplex;
cdj970->mastergamma = mastergamma;
@@ -685,7 +719,7 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist)
cdj970->gammavalk = gammavalk;
cdj970->blackcorrect = blackcorrect;
- return 0;
+ return code;
}
/**********************************************************************************/
@@ -784,47 +818,6 @@ cdj970_terminate_page(gx_device_printer * pdev, FILE * prn_stream)
fputs("\033*rC\f\033&l-2H", prn_stream); /* End Graphics, Reset */
}
-/* cdj970_one_time_initialisation:
-----------------------------------------------------------------------------------*/
-static void
-cdj970_one_time_initialisation(gx_device_printer * pdev)
-{
- /* Change the margins if necessary. */
- static const float dj_a4[4] = {
- DESKJET_MARGINS_A4
- };
-
- static const float dj_letter[4] = {
- DESKJET_MARGINS_LETTER
- };
- const float *m = (float *)0;
-
- /* quality setup */
- if (cdj970->quality == DRAFT) {
- gx_device_set_resolution((gx_device *) pdev, 300.0, 300.0);
- cdj970->xscal = 0;
- cdj970->yscal = 0;
- cdj970->intensities = 2;
- } else if (cdj970->quality == NORMAL) {
- gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0);
- cdj970->xscal = 1;
- cdj970->yscal = 1;
- /* intensities = 4 from initialization */
- } else { /* quality == PRESENTATION */
- gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0);
- cdj970->xscal = 0;
- cdj970->yscal = 0;
- /* intensities = 4 from initialization */
- }
-
- m = (gdev_pcl_paper_size((gx_device *) pdev) ==
- PAPER_SIZE_A4 ? dj_a4 : dj_letter);
-
- gx_device_set_margins((gx_device *) pdev, m, true);
-
- cdj970_write_header((gx_device *) pdev, pdev->file);
-}
-
/* cdj970_print_page: Here comes the hp970 output routine
----------------------------------------------------------------------------------*/
static int
@@ -837,7 +830,7 @@ cdj970_print_page(gx_device_printer * pdev, FILE * prn_stream)
Gamma gamma;
if (cdj970->PageCtr == 0 && cdj970->ptype == DJ970C) {
- cdj970_one_time_initialisation(pdev);
+ cdj970_write_header((gx_device *)pdev, prn_stream);
}
/* make a local writable copy of the Gamma tables */
@@ -2280,6 +2273,11 @@ cdj_set_bpp(gx_device * pdev, int bpp, int ccomps)
ci->dither_colors = (bpp >= 8 ? 5 : bpp > 1 ? 2 : 0);
}
+ if (ci->depth != ((bpp > 1) && (bpp < 8) ? 8 : bpp)) {
+ if (pdev->is_open)
+ gs_closedevice(pdev); /* depth changed, make sure we re-open */
+ }
+
ci->depth = ((bpp > 1) && (bpp < 8) ? 8 : bpp);
return (0);
@@ -2598,16 +2596,15 @@ cdj_put_param_bpp(gx_device * pdev,
gs_param_list * plist,
int new_bpp, int real_bpp, int ccomps)
{
- if (new_bpp == 0 && ccomps == 0)
- return gdev_prn_put_params(pdev, plist);
- else {
- gx_device_color_info save_info;
- int save_bpp;
- int code;
-
- save_info = pdev->color_info;
- save_bpp = save_info.depth;
+ int code = 0;
+ int save_bpp;
+ gx_device_color_info save_info;
+ save_info = pdev->color_info;
+ save_bpp = save_info.depth;
+ if (new_bpp == 0 && ccomps == 0) {
+ code = gdev_prn_put_params(pdev, plist);
+ } else {
if (save_bpp == 8 && save_ccomps == 3 && !cprn_device->cmyk)
save_bpp = 3;
@@ -2631,12 +2628,22 @@ cdj_put_param_bpp(gx_device * pdev,
if ((cdj970->color_info.depth != save_bpp
|| (ccomps != 0 && ccomps != save_ccomps))
&& pdev->is_open)
- return (gs_closedevice(pdev));
+ gs_closedevice(pdev);
+ }
+
+ /* check for valid resolutions */
+ if (pdev->HWResolution[0] != pdev->HWResolution[1] ||
+ (pdev->HWResolution[0] != 300.0 && pdev->HWResolution[0] != 600.0) ) {
+ param_signal_error(plist, "HWResolution", gs_error_rangecheck);
+ emprintf1(pdev->memory, "\ncdj970: Invalid resolution: '%f'. Only 300 or 600 supported.\n\n",
+ pdev->HWResolution[0]);
+ cdj_set_bpp(pdev, save_bpp, save_ccomps);
+ return gs_error_rangecheck;
+ }
+ return code;
- return (0);
#undef save_ccomps
- }
}
/* cdj970_write_header:

13
SOURCES/ghostscript-cve-2020-16293.patch
View File

@ -1,13 +0,0 @@
diff --git a/base/gxblend.c b/base/gxblend.c
index 7c3d55b..55215d6 100644
--- a/base/gxblend.c
+++ b/base/gxblend.c
@@ -2174,7 +2174,7 @@ pdf14_compose_group(pdf14_buf *tos, pdf14_buf *nos, pdf14_buf *maskbuf,
overprint == 0) {
/* Additive vs Subtractive makes no difference in normal blend mode with no spots */
if (tos_isolated) {
- if (has_mask || maskbuf) {/* 7% */
+ if (has_mask && maskbuf) {/* 7% */
/* AirPrint test case hits this */
if (maskbuf && maskbuf->rect.p.x <= x0 && maskbuf->rect.p.y <= y0 &&
maskbuf->rect.q.x >= x1 && maskbuf->rect.q.y >= y1)

13
SOURCES/ghostscript-cve-2020-16295.patch
View File

@ -1,13 +0,0 @@
diff --git a/devices/gdevclj.c b/devices/gdevclj.c
index bed13bc..fe17ece 100644
--- a/devices/gdevclj.c
+++ b/devices/gdevclj.c
@@ -254,7 +254,7 @@ clj_media_size(float mediasize[2], gs_param_list *plist)
gs_param_int_array hwsize;
int have_pagesize = 0;
- if ( (param_read_float_array(plist, "HWResolution", &fres) == 0) &&
+ if ( param_read_float_array(plist, "HWResolution", &fres) != 0 ||
!is_supported_resolution(fres.data) )
return_error(gs_error_rangecheck);

58
SOURCES/ghostscript-cve-2020-16299.patch
View File

@ -1,58 +0,0 @@
diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
index 5c8b7fb..53da0ec 100644
--- a/contrib/japanese/gdev10v.c
+++ b/contrib/japanese/gdev10v.c
@@ -73,8 +73,20 @@ gx_device_procs prn_bj10v_procs =
prn_matrix_procs(gdev_prn_open, bj10v_get_initial_matrix,
gdev_prn_output_page, gdev_prn_close);
#endif
+
+static int
+bj10v_open(gx_device * pdev)
+{
+ if (pdev->HWResolution[0] < 180 ||
+ pdev->HWResolution[1] < 180)
+ {
+ emprintf(pdev->memory, "device requires a resolution of at least 180dpi\n");
+ return_error(gs_error_rangecheck);
+ }
+ return gdev_prn_open(pdev);
+}
gx_device_procs prn_bj10v_procs =
- prn_procs(gdev_prn_open, gdev_prn_output_page, gdev_prn_close);
+ prn_procs(bj10v_open, gdev_prn_output_page, gdev_prn_close);
gx_device_printer gs_bj10v_device =
prn_device(prn_bj10v_procs, "bj10v",
diff --git a/contrib/japanese/gdevalps.c b/contrib/japanese/gdevalps.c
index f29aeb1..d4de619 100644
--- a/contrib/japanese/gdevalps.c
+++ b/contrib/japanese/gdevalps.c
@@ -155,13 +155,20 @@ static const char end_md[] = {
static int
md_open(gx_device *pdev)
{
- static const float md_margins[4] =
- { MD_SIDE_MARGIN, MD_BOTTOM_MARGIN,
- MD_SIDE_MARGIN, MD_TOP_MARGIN
- };
-
- gx_device_set_margins(pdev, md_margins, true);
- return gdev_prn_open(pdev);
+ static const float md_margins[4] =
+ {
+ MD_SIDE_MARGIN, MD_BOTTOM_MARGIN,
+ MD_SIDE_MARGIN, MD_TOP_MARGIN
+ };
+
+ if (pdev->HWResolution[0] != 600)
+ {
+ emprintf(pdev->memory, "device must have an X resolution of 600dpi\n");
+ return_error(gs_error_rangecheck);
+ }
+
+ gx_device_set_margins(pdev, md_margins, true);
+ return gdev_prn_open(pdev);
}
/* MD5000 monochrome mode entrance. */

75
SOURCES/ghostscript-cve-2020-16301.patch
View File

@ -1,75 +0,0 @@
From f54414c8b15b2c27d1dcadd92cfe84f6d15f18dc Mon Sep 17 00:00:00 2001
From: Julian Smith <jules@op59.net>
Date: Thu, 31 Oct 2019 13:12:47 +0000
Subject: [PATCH] Bug 701808: return error from okiibm_print_page1() if x_dpi
too high.
Avoids asan error in:
./sanbin/gs -dBATCH -dNOPAUSE -dSAFER -r599 -sOutputFile=tmp -sDEVICE=okiibm ../bug-701808.pdf
---
devices/gdevokii.c | 46 ++++++++++++++++++++++++++++++++--------------
1 file changed, 32 insertions(+), 14 deletions(-)
diff --git a/devices/gdevokii.c b/devices/gdevokii.c
index d8929a22c..97a1c3b88 100644
--- a/devices/gdevokii.c
+++ b/devices/gdevokii.c
@@ -96,23 +96,41 @@ okiibm_print_page1(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high
-1, 0 /*60*/, 1 /*120*/, -1, 3 /*240*/
};
- int in_y_mult = (y_9pin_high ? 2 : 1);
- int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
- /* Note that in_size is a multiple of 8. */
- int in_size = line_size * (8 * in_y_mult);
- byte *buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf1)");
- byte *buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf2)");
- byte *in = buf1;
- byte *out = buf2;
- int out_y_mult = 1;
- int x_dpi = pdev->x_pixels_per_inch;
- char start_graphics = graphics_modes_9[x_dpi / 60];
- int first_pass = (start_graphics == 3 ? 1 : 0);
- int last_pass = first_pass * 2;
- int y_passes = (y_9pin_high ? 2 : 1);
+ int in_y_mult;
+ int line_size;
+ int in_size;
+ byte *buf1;
+ byte *buf2;
+ byte *in;
+ byte *out;
+ int out_y_mult;
+ int x_dpi;
+ char start_graphics;
+ int first_pass;
+ int last_pass;
+ int y_passes;
int skip = 0, lnum = 0, pass, ypass;
int y_step = 0;
+ x_dpi = pdev->x_pixels_per_inch;
+ if (x_dpi / 60 >= sizeof(graphics_modes_9)/sizeof(graphics_modes_9[0])) {
+ return_error(gs_error_rangecheck);
+ }
+ in_y_mult = (y_9pin_high ? 2 : 1);
+ line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
+ /* Note that in_size is a multiple of 8. */
+ in_size = line_size * (8 * in_y_mult);
+ buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf1)");
+ buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf2)");
+ in = buf1;
+ out = buf2;
+ out_y_mult = 1;
+ start_graphics = graphics_modes_9[x_dpi / 60];
+ first_pass = (start_graphics == 3 ? 1 : 0);
+ last_pass = first_pass * 2;
+ y_passes = (y_9pin_high ? 2 : 1);
+ y_step = 0;
+
/* Check allocations */
if ( buf1 == 0 || buf2 == 0 )
{ if ( buf1 )
--
2.35.3

228
SOURCES/ghostscript-cve-2020-16302.patch
View File

@ -1,228 +0,0 @@
diff --git a/devices/gdev3852.c b/devices/gdev3852.c
index 2bee8ec..9d99068 100644
--- a/devices/gdev3852.c
+++ b/devices/gdev3852.c
@@ -62,116 +62,117 @@ jetp3852_print_page(gx_device_printer *pdev, FILE *prn_stream)
#define DATA_SIZE (LINE_SIZE * 8)
unsigned int cnt_2prn;
- unsigned int count,tempcnt;
- unsigned char vtp,cntc1,cntc2;
- int line_size_color_plane;
-
- byte data[DATA_SIZE];
- byte plane_data[LINE_SIZE * 3];
-
- /* Set initial condition for printer */
- fputs("\033@",prn_stream);
-
- /* Send each scan line in turn */
- { int lnum;
- int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
- int num_blank_lines = 0;
-
- if (line_size > DATA_SIZE) {
- emprintf2(pdev->memory, "invalid resolution and/or width gives line_size = %d, max. is %d\n",
- line_size, DATA_SIZE);
- return_error(gs_error_rangecheck);
- }
-
- for ( lnum = 0; lnum < pdev->height; lnum++ )
- { byte *end_data = data + line_size;
- gdev_prn_copy_scan_lines(pdev, lnum,
- (byte *)data, line_size);
- /* Remove trailing 0s. */
- while ( end_data > data && end_data[-1] == 0 )
- end_data--;
- if ( end_data == data )
- { /* Blank line */
- num_blank_lines++;
- }
- else
- { int i;
- byte *odp;
- byte *row;
-
- /* Pad with 0s to fill out the last */
- /* block of 8 bytes. */
- memset(end_data, 0, 7);
-
- /* Transpose the data to get pixel planes. */
- for ( i = 0, odp = plane_data; i < DATA_SIZE;
- i += 8, odp++
- )
- { /* The following is for 16-bit machines */
+ unsigned int count,tempcnt;
+ unsigned char vtp,cntc1,cntc2;
+ int line_size_color_plane;
+
+ byte data[DATA_SIZE];
+ byte plane_data[LINE_SIZE * 3];
+
+ /* Initialise data to zeros, otherwise later on, uninitialised bytes in
+ dp[] can be greater than 7, which breaks spr8[dp[]]. */
+ memset(data, 0x00, DATA_SIZE);
+
+
+ /* Set initial condition for printer */
+ fputs("\033@",prn_stream);
+
+ /* Send each scan line in turn */
+ { int lnum;
+ int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
+ int num_blank_lines = 0;
+
+ if (line_size > DATA_SIZE) {
+ emprintf2(pdev->memory, "invalid resolution and/or width gives line_size = %d, max. is %d\n",
+ line_size, DATA_SIZE);
+ return_error(gs_error_rangecheck);
+ }
+
+ for ( lnum = 0; lnum < pdev->height; lnum++ )
+ { byte *end_data = data + line_size;
+ gdev_prn_copy_scan_lines(pdev, lnum,
+ (byte *)data, line_size);
+ /* Remove trailing 0s. */
+ while ( end_data > data && end_data[-1] == 0 )
+ end_data--;
+ if ( end_data == data )
+ { /* Blank line */
+ num_blank_lines++;
+ }
+ else
+ { int i;
+ byte *odp;
+ byte *row;
+
+ /* Transpose the data to get pixel planes. */
+ for ( i = 0, odp = plane_data; i < DATA_SIZE;
+ i += 8, odp++
+ )
+ { /* The following is for 16-bit machines */
#define spread3(c)\
{ 0, c, c*0x100, c*0x101, c*0x10000L, c*0x10001L, c*0x10100L, c*0x10101L }
- static ulong spr40[8] = spread3(0x40);
- static ulong spr8[8] = spread3(8);
- static ulong spr2[8] = spread3(2);
- register byte *dp = data + i;
- register ulong pword =
- (spr40[dp[0]] << 1) +
- (spr40[dp[1]]) +
- (spr40[dp[2]] >> 1) +
- (spr8[dp[3]] << 1) +
- (spr8[dp[4]]) +
- (spr8[dp[5]] >> 1) +
- (spr2[dp[6]]) +
- (spr2[dp[7]] >> 1);
- odp[0] = (byte)(pword >> 16);
- odp[LINE_SIZE] = (byte)(pword >> 8);
- odp[LINE_SIZE*2] = (byte)(pword);
- }
- /* Skip blank lines if any */
- if ( num_blank_lines > 0 )
- {
- /* Do "dot skips" */
- while(num_blank_lines > 255)
- {
- fputs("\033e\377",prn_stream);
- num_blank_lines -= 255;
- }
- vtp = num_blank_lines;
- fprintf(prn_stream,"\033e%c",vtp);
- num_blank_lines = 0;
- }
-
- /* Transfer raster graphics in the order R, G, B. */
- /* Apparently it is stored in B, G, R */
- /* Calculate the amount of data to send by what */
- /* Ghostscript tells us the scan line_size in (bytes) */
-
- count = line_size / 3;
- line_size_color_plane = count / 3;
- cnt_2prn = line_size_color_plane * 3 + 5;
- tempcnt = cnt_2prn;
- cntc1 = (tempcnt & 0xFF00) >> 8;
- cntc2 = (tempcnt & 0x00FF);
- fprintf(prn_stream, "\033[O%c%c\200\037",cntc2,cntc1);
- fputc('\000',prn_stream);
+ static ulong spr40[8] = spread3(0x40);
+ static ulong spr8[8] = spread3(8);
+ static ulong spr2[8] = spread3(2);
+ register byte *dp = data + i;
+ register ulong pword =
+ (spr40[dp[0]] << 1) +
+ (spr40[dp[1]]) +
+ (spr40[dp[2]] >> 1) +
+ (spr8[dp[3]] << 1) +
+ (spr8[dp[4]]) +
+ (spr8[dp[5]] >> 1) +
+ (spr2[dp[6]]) +
+ (spr2[dp[7]] >> 1);
+ odp[0] = (byte)(pword >> 16);
+ odp[LINE_SIZE] = (byte)(pword >> 8);
+ odp[LINE_SIZE*2] = (byte)(pword);
+ }
+ /* Skip blank lines if any */
+ if ( num_blank_lines > 0 )
+ {
+ /* Do "dot skips" */
+ while(num_blank_lines > 255)
+ {
+ fputs("\033e\377",prn_stream);
+ num_blank_lines -= 255;
+ }
+ vtp = num_blank_lines;
+ fprintf(prn_stream,"\033e%c",vtp);
+ num_blank_lines = 0;
+ }
+
+ /* Transfer raster graphics in the order R, G, B. */
+ /* Apparently it is stored in B, G, R */
+ /* Calculate the amount of data to send by what */
+ /* Ghostscript tells us the scan line_size in (bytes) */
+
+ count = line_size / 3;
+ line_size_color_plane = count / 3;
+ cnt_2prn = line_size_color_plane * 3 + 5;
+ tempcnt = cnt_2prn;
+ cntc1 = (tempcnt & 0xFF00) >> 8;
+ cntc2 = (tempcnt & 0x00FF);
+ fprintf(prn_stream, "\033[O%c%c\200\037",cntc2,cntc1);
+ fputc('\000',prn_stream);
fputs("\124\124",prn_stream);
- for ( row = plane_data + LINE_SIZE * 2, i = 0;
- i < 3; row -= LINE_SIZE, i++ )
- { int jj;
- byte ctemp;
- odp = row;
- /* Complement bytes */
- for (jj=0; jj< line_size_color_plane; jj++)
- { ctemp = *odp;
- *odp++ = ~ctemp;
- }
- fwrite(row, sizeof(byte),
- line_size_color_plane, prn_stream);
- }
- }
- }
- }
+ for ( row = plane_data + LINE_SIZE * 2, i = 0;
+ i < 3; row -= LINE_SIZE, i++ )
+ { int jj;
+ byte ctemp;
+ odp = row;
+ /* Complement bytes */
+ for (jj=0; jj< line_size_color_plane; jj++)
+ { ctemp = *odp;
+ *odp++ = ~ctemp;
+ }
+ fwrite(row, sizeof(byte),
+ line_size_color_plane, prn_stream);
+ }
+ }
+ }
+ }
/* eject page */
fputs("\014", prn_stream);

77
SOURCES/ghostscript-cve-2020-16304.patch
View File

@ -1,77 +0,0 @@
diff --git a/base/gxicolor.c b/base/gxicolor.c
index 34cfaa4..585bd81 100644
--- a/base/gxicolor.c
+++ b/base/gxicolor.c
@@ -644,16 +644,16 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
*(devc_contone_gray+1) = *psrc_temp;
}
} else {
- /* Mono case, forward */
- psrc_temp = psrc_cm;
- for (k=0; k<src_size; k++) {
- dda_next(dda_ht);
- xn = fixed2int_var_rounded(dda_current(dda_ht));
- while (xr < xn) {
- *devc_contone_gray++ = *psrc_temp;
- xr++;
- } /* at loop exit xn will be >= xr */
- psrc_temp++;
+ /* Mono case, forward */
+ psrc_temp = psrc_cm;
+ for (k=0; k<src_size; k++) {
+ dda_next(dda_ht);
+ xn = fixed2int_var_rounded(dda_current(dda_ht));
+ while (xr < xn) {
+ *devc_contone_gray++ = *psrc_temp;
+ xr++;
+ } /* at loop exit xn will be >= xr */
+ psrc_temp++;
}
}
} else {
@@ -668,7 +668,7 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
xr--;
} /* at loop exit xn will be >= xr */
psrc_temp++;
- }
+ }
}
break;
/* Monochrome landscape */
@@ -811,10 +811,9 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
dda_next(dda_ht);
xn = fixed2int_var_rounded(dda_current(dda_ht));
while (xr > xn) {
- for (j = 0; j < spp_out; j++) {
+ for (j = 0; j < spp_out; j++)
*(devc_contone[j] + position) = (psrc_plane[j])[i];
- position -= LAND_BITS;
- }
+ position -= LAND_BITS;
xr--;
} /* at loop exit xn will be <= xr */
i++;
@@ -825,9 +824,8 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
and 2x scaling which we will run into in 300 and
600dpi devices and content */
/* Apply initial offset */
- for (k = 0; k < spp_out; k++) {
+ for (k = 0; k < spp_out; k++)
devc_contone[k] = devc_contone[k] + position;
- }
if (src_size == dest_height) {
for (k = 0; k < data_length; k++) {
/* Is it better to unwind this? We know it is 4 */
@@ -853,10 +851,9 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
dda_next(dda_ht);
xn = fixed2int_var_rounded(dda_current(dda_ht));
while (xr > xn) {
- for (j = 0; j < spp_out; j++) {
+ for (j = 0; j < spp_out; j++)
*(devc_contone[j] + position) = (psrc_plane[j])[i];
- position -= LAND_BITS;
- }
+ position -= LAND_BITS;
xr--;
} /* at loop exit xn will be <= xr */
i++;

20
SOURCES/ghostscript-cve-2020-16306.patch
View File

@ -1,20 +0,0 @@
diff --git a/devices/gdevtsep.c b/devices/gdevtsep.c
index 6a50a4a..471fcb5 100644
--- a/devices/gdevtsep.c
+++ b/devices/gdevtsep.c
@@ -2332,6 +2332,7 @@ tiffsep_print_page(gx_device_printer * pdev, FILE * file)
"\nUse of the %%d format is required to output more than one page to tiffsep.\n"
"See doc/Devices.htm#TIFF for details.\n\n");
code = gs_note_error(gs_error_ioerror);
+ goto done;
}
/* Write the page directory for the CMYK equivalent file. */
if (!tfdev->comp_file) {
@@ -2685,6 +2686,7 @@ tiffsep1_print_page(gx_device_printer * pdev, FILE * file)
"\nUse of the %%d format is required to output more than one page to tiffsep1.\n"
"See doc/Devices.htm#TIFF for details.\n\n");
code = gs_note_error(gs_error_ioerror);
+ goto done;
}
/* If the output file is on disk and the name contains a page #, */
/* then delete the previous file. */

205
SOURCES/ghostscript-cve-2020-16307.patch
View File

@ -1,205 +0,0 @@
diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c
index b958027..7f02608 100644
--- a/devices/vector/gdevtxtw.c
+++ b/devices/vector/gdevtxtw.c
@@ -1693,97 +1693,100 @@ static int get_unicode(textw_text_enum_t *penum, gs_font *font, gs_glyph glyph,
length = font->procs.decode_glyph((gs_font *)font, glyph, ch, NULL, 0);
if (length == 0) {
- code = font->procs.glyph_name(font, glyph, &gnstr);
- if (code >= 0 && gnstr.size == 7) {
- if (!memcmp(gnstr.data, "uni", 3)) {
- static const char *hexdigits = "0123456789ABCDEF";
- char *d0 = strchr(hexdigits, gnstr.data[3]);
- char *d1 = strchr(hexdigits, gnstr.data[4]);
- char *d2 = strchr(hexdigits, gnstr.data[5]);
- char *d3 = strchr(hexdigits, gnstr.data[6]);
-
- if (d0 != NULL && d1 != NULL && d2 != NULL && d3 != NULL) {
- *Buffer++ = ((d0 - hexdigits) << 12) + ((d1 - hexdigits) << 8) + ((d2 - hexdigits) << 4) + (d3 - hexdigits);
- return 1;
- }
- }
- }
- if (length == 0) {
- single_glyph_list_t *sentry = (single_glyph_list_t *)&SingleGlyphList;
- double_glyph_list_t *dentry = (double_glyph_list_t *)&DoubleGlyphList;
- treble_glyph_list_t *tentry = (treble_glyph_list_t *)&TrebleGlyphList;
- quad_glyph_list_t *qentry = (quad_glyph_list_t *)&QuadGlyphList;
-
- /* Search glyph to single Unicode value table */
- while (sentry->Glyph != 0) {
- if (sentry->Glyph[0] < gnstr.data[0]) {
- sentry++;
- continue;
- }
- if (sentry->Glyph[0] > gnstr.data[0]){
- break;
- }
- if (strlen(sentry->Glyph) == gnstr.size) {
- if(memcmp(gnstr.data, sentry->Glyph, gnstr.size) == 0) {
- *Buffer = sentry->Unicode;
+ if (glyph != GS_NO_GLYPH) {
+ code = font->procs.glyph_name(font, glyph, &gnstr);
+ if (code >= 0 && gnstr.size == 7) {
+ if (!memcmp(gnstr.data, "uni", 3)) {
+ static const char *hexdigits = "0123456789ABCDEF";
+ char *d0 = strchr(hexdigits, gnstr.data[3]);
+ char *d1 = strchr(hexdigits, gnstr.data[4]);
+ char *d2 = strchr(hexdigits, gnstr.data[5]);
+ char *d3 = strchr(hexdigits, gnstr.data[6]);
+
+ if (d0 != NULL && d1 != NULL && d2 != NULL && d3 != NULL) {
+ *Buffer++ = ((d0 - hexdigits) << 12) + ((d1 - hexdigits) << 8) + ((d2 - hexdigits) << 4) + (d3 - hexdigits);
return 1;
}
}
- sentry++;
}
- /* Search glyph to double Unicode value table */
- while (dentry->Glyph != 0) {
- if (dentry->Glyph[0] < gnstr.data[0]) {
- dentry++;
- continue;
- }
- if (dentry->Glyph[0] > gnstr.data[0]){
- break;
- }
- if (strlen(dentry->Glyph) == gnstr.size) {
- if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) {
- memcpy(Buffer, dentry->Unicode, 2);
- return 2;
+ if (length == 0) {
+ single_glyph_list_t *sentry = (single_glyph_list_t *)&SingleGlyphList;
+ double_glyph_list_t *dentry = (double_glyph_list_t *)&DoubleGlyphList;
+ treble_glyph_list_t *tentry = (treble_glyph_list_t *)&TrebleGlyphList;
+ quad_glyph_list_t *qentry = (quad_glyph_list_t *)&QuadGlyphList;
+
+ /* Search glyph to single Unicode value table */
+ while (sentry->Glyph != 0) {
+ if (sentry->Glyph[0] < gnstr.data[0]) {
+ sentry++;
+ continue;
+ }
+ if (sentry->Glyph[0] > gnstr.data[0]){
+ break;
+ }
+ if (strlen(sentry->Glyph) == gnstr.size) {
+ if(memcmp(gnstr.data, sentry->Glyph, gnstr.size) == 0) {
+ *Buffer = sentry->Unicode;
+ return 1;
+ }
}
+ sentry++;
}
- dentry++;
- }
- /* Search glyph to triple Unicode value table */
- while (tentry->Glyph != 0) {
- if (tentry->Glyph[0] < gnstr.data[0]) {
- tentry++;
- continue;
- }
- if (tentry->Glyph[0] > gnstr.data[0]){
- break;
- }
- if (strlen(tentry->Glyph) == gnstr.size) {
- if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) {
- memcpy(Buffer, tentry->Unicode, 3);
- return 3;
+ /* Search glyph to double Unicode value table */
+ while (dentry->Glyph != 0) {
+ if (dentry->Glyph[0] < gnstr.data[0]) {
+ dentry++;
+ continue;
}
+ if (dentry->Glyph[0] > gnstr.data[0]){
+ break;
+ }
+ if (strlen(dentry->Glyph) == gnstr.size) {
+ if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) {
+ memcpy(Buffer, dentry->Unicode, 2);
+ return 2;
+ }
+ }
+ dentry++;
}
- tentry++;
- }
- /* Search glyph to quadruple Unicode value table */
- while (qentry->Glyph != 0) {
- if (qentry->Glyph[0] < gnstr.data[0]) {
- qentry++;
- continue;
- }
- if (qentry->Glyph[0] > gnstr.data[0]){
- break;
+ /* Search glyph to triple Unicode value table */
+ while (tentry->Glyph != 0) {
+ if (tentry->Glyph[0] < gnstr.data[0]) {
+ tentry++;
+ continue;
+ }
+ if (tentry->Glyph[0] > gnstr.data[0]){
+ break;
+ }
+ if (strlen(tentry->Glyph) == gnstr.size) {
+ if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) {
+ memcpy(Buffer, tentry->Unicode, 3);
+ return 3;
+ }
+ }
+ tentry++;
}
- if (strlen(qentry->Glyph) == gnstr.size) {
- if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) {
- memcpy(Buffer, qentry->Unicode, 4);
- return 4;
+
+ /* Search glyph to quadruple Unicode value table */
+ while (qentry->Glyph != 0) {
+ if (qentry->Glyph[0] < gnstr.data[0]) {
+ qentry++;
+ continue;
+ }
+ if (qentry->Glyph[0] > gnstr.data[0]){
+ break;
}
+ if (strlen(qentry->Glyph) == gnstr.size) {
+ if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) {
+ memcpy(Buffer, qentry->Unicode, 4);
+ return 4;
+ }
+ }
+ qentry++;
}
- qentry++;
}
}
*Buffer = fallback;
@@ -1890,8 +1893,8 @@ txtwrite_process_cmap_text(gs_text_enum_t *pte)
pte->returned.total_width.x += dpt.x;
pte->returned.total_width.y += dpt.y;
- penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, chr, &penum->TextBuffer[penum->TextBufferIndex]);
penum->Widths[penum->TextBufferIndex] += dpt.x;
+ penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, chr, &penum->TextBuffer[penum->TextBufferIndex]);
break;
case 2: /* end of string */
return 0;
diff --git a/psi/zbfont.c b/psi/zbfont.c
index 262fea9..abc03aa 100644
--- a/psi/zbfont.c
+++ b/psi/zbfont.c
@@ -272,7 +272,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u
* can't be a default value for FontInfo.GlyphNames2Unicode .
*/
}
- if (glyph <= GS_MIN_CID_GLYPH) {
+ if (glyph <= GS_MIN_CID_GLYPH && glyph != GS_NO_GLYPH) {
UnicodeDecoding = zfont_get_to_unicode_map(font->dir);
if (UnicodeDecoding != NULL && r_type(UnicodeDecoding) == t_dictionary)
return gs_font_map_glyph_by_dict(font->memory, UnicodeDecoding, glyph, u, length);

57
SOURCES/ghostscript-cve-2020-16310.patch
View File

@ -1,57 +0,0 @@
diff --git a/devices/gdevdm24.c b/devices/gdevdm24.c
index 4736f4f..2f610cd 100644
--- a/devices/gdevdm24.c
+++ b/devices/gdevdm24.c
@@ -51,21 +51,39 @@ static void dot24_improve_bitmap (byte *, int);
static int
dot24_print_page (gx_device_printer *pdev, FILE *prn_stream, char *init_string, int init_len)
{
- int xres = (int)pdev->x_pixels_per_inch;
- int yres = (int)pdev->y_pixels_per_inch;
- int x_high = (xres == 360);
- int y_high = (yres == 360);
- int bits_per_column = (y_high ? 48 : 24);
- uint line_size = gdev_prn_raster (pdev);
- uint in_size = line_size * bits_per_column;
- byte *in = (byte *) gs_malloc (pdev->memory, in_size, 1, "dot24_print_page (in)");
- uint out_size = ((pdev->width + 7) & -8) * 3;
- byte *out = (byte *) gs_malloc (pdev->memory, out_size, 1, "dot24_print_page (out)");
- int y_passes = (y_high ? 2 : 1);
- int dots_per_space = xres / 10; /* pica space = 1/10" */
- int bytes_per_space = dots_per_space * 3;
+ int xres;
+ int yres;
+ int x_high;
+ int y_high;
+ int bits_per_column;
+ uint line_size;
+ uint in_size;
+ byte *in;
+ uint out_size;
+ byte *out;
+ int y_passes;
+ int dots_per_space;
+ int bytes_per_space;
int skip = 0, lnum = 0, ypass;
+ xres = (int)pdev->x_pixels_per_inch;
+ yres = (int)pdev->y_pixels_per_inch;
+ x_high = (xres == 360);
+ y_high = (yres == 360);
+ dots_per_space = xres / 10; /* pica space = 1/10" */
+ bytes_per_space = dots_per_space * 3;
+ if (bytes_per_space == 0) {
+ /* We divide by bytes_per_space later on. */
+ return_error(gs_error_rangecheck);
+ }
+ bits_per_column = (y_high ? 48 : 24);
+ line_size = gdev_prn_raster (pdev);
+ in_size = line_size * bits_per_column;
+ in = (byte *) gs_malloc (pdev->memory, in_size, 1, "dot24_print_page (in)");
+ out_size = ((pdev->width + 7) & -8) * 3;
+ out = (byte *) gs_malloc (pdev->memory, out_size, 1, "dot24_print_page (out)");
+ y_passes = (y_high ? 2 : 1);
+
/* Check allocations */
if (in == 0 || out == 0)
{

154
SOURCES/gs-cve-2024-33871.patch
View File

@ -1,154 +0,0 @@
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index 55a785e..be77534 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -2607,4 +2607,6 @@ WRITESYSTEMDICT {
% be 'true' in some cases.
userdict /AGM_preserve_spots //false put
+.opvpactivatepathcontrol
+
% The interpreter will run the initial procedure (start).
diff --git a/base/gslibctx.c b/base/gslibctx.c
index 1ed6093..14fb57c 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -435,3 +435,27 @@ gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, co
}
return code;
}
+
+void
+opvp_activate_path_control(gs_memory_t *mem, int enable)
+{
+ gs_lib_ctx_core_t *core;
+
+ if (mem == NULL || mem->gs_lib_ctx == NULL ||
+ (core = mem->gs_lib_ctx->core) == NULL)
+ return;
+
+ core->opvp_path_control_active = enable;
+}
+
+int
+opvp_is_path_control_active(const gs_memory_t *mem)
+{
+ gs_lib_ctx_core_t *core;
+
+ if (mem == NULL || mem->gs_lib_ctx == NULL ||
+ (core = mem->gs_lib_ctx->core) == NULL)
+ return 0;
+
+ return core->opvp_path_control_active;
+}
diff --git a/base/gslibctx.h b/base/gslibctx.h
index 1481cb5..e4b3924 100644
--- a/base/gslibctx.h
+++ b/base/gslibctx.h
@@ -61,6 +61,8 @@ typedef struct {
bool CPSI_mode;
int scanconverter;
int act_on_uel;
+
+ int opvp_path_control_active;
} gs_lib_ctx_core_t;
typedef struct gs_lib_ctx_s
@@ -167,4 +169,10 @@ int sjpxd_create(gs_memory_t *mem);
void sjpxd_destroy(gs_memory_t *mem);
+void
+opvp_activate_path_control(gs_memory_t *mem, int enable);
+
+int
+opvp_is_path_control_active(const gs_memory_t *mem);
+
#endif /* GSLIBCTX_H */
diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
index 9a6b45b..9693673 100644
--- a/contrib/opvp/gdevopvp.c
+++ b/contrib/opvp/gdevopvp.c
@@ -185,7 +185,7 @@ static int opvp_copy_color(gx_device *, const byte *, int, int,
static int _get_params(gs_param_list *);
static int opvp_get_params(gx_device *, gs_param_list *);
static int oprp_get_params(gx_device *, gs_param_list *);
-static int _put_params(gs_param_list *);
+static int _put_params(gx_device *, gs_param_list *);
static int opvp_put_params(gx_device *, gs_param_list *);
static int oprp_put_params(gx_device *, gs_param_list *);
static int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *,
@@ -3039,7 +3039,7 @@ _get_params(gs_param_list *plist)
/* vector driver name */
pname = "Driver";
vdps.data = (byte *)vectorDriver;
- vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0);
+ vdps.size = (vectorDriver ? strlen(vectorDriver) : 0);
vdps.persistent = false;
code = param_write_string(plist, pname, &vdps);
if (code) ecode = code;
@@ -3176,7 +3176,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist)
* put params
*/
static int
-_put_params(gs_param_list *plist)
+_put_params(gx_device *dev, gs_param_list *plist)
{
int code;
int ecode = 0;
@@ -3198,6 +3198,12 @@ _put_params(gs_param_list *plist)
code = param_read_string(plist, pname, &vdps);
switch (code) {
case 0:
+ if (opvp_is_path_control_active(dev->memory)
+ && (!vectorDriver || strlen(vectorDriver) != vdps.size
+ || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) {
+ param_signal_error(plist, pname, gs_error_invalidaccess);
+ return_error(gs_error_invalidaccess);
+ }
buff = realloc(buff, vdps.size + 1);
memcpy(buff, vdps.data, vdps.size);
buff[vdps.size] = 0;
@@ -3399,7 +3405,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist)
int code;
/* put params */
- code = _put_params(plist);
+ code = _put_params(dev, plist);
if (code) return code;
/* put default params */
@@ -3415,7 +3421,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist)
int code;
/* put params */
- code = _put_params(plist);
+ code = _put_params(dev, plist);
if (code) return code;
/* put default params */
diff --git a/psi/zfile.c b/psi/zfile.c
index 271a1a0..05b8203 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -875,6 +875,12 @@ static int zgetfilename(i_ctx_t *i_ctx_p)
return 0;
}
+static int zopvpactivatepathcontrol(i_ctx_t *i_ctx_p)
+{
+ opvp_activate_path_control(imemory, 1);
+ return 0;
+}
+
/* ------ Initialization procedure ------ */
const op_def zfile_op_defs[] =
@@ -893,6 +899,7 @@ const op_def zfile_op_defs[] =
{"0%file_continue", file_continue},
{"0%execfile_finish", execfile_finish},
{"1.getfilename", zgetfilename},
+ {"0.opvpactivatepathcontrol", zopvpactivatepathcontrol},
op_def_end(0)
};

1
ci.fmf Normal file
View File

@ -0,0 +1 @@
resultsdb-testcase: separate

25
gating.yaml Normal file
View File

@ -0,0 +1,25 @@
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_testing
subject_type: koji_build
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
#Rawhide
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_stable
subject_type: koji_build
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
#gating rhel
--- !Policy
product_versions:
- rhel-*
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}

33
ghostscript-10.02.1-PostScript-Fix-selectdevice.patch Normal file
View File

@ -0,0 +1,33 @@
From 2febe352146a62c77d62a5b5dde9607f66575d14 Mon Sep 17 00:00:00 2001
Message-ID: <2febe352146a62c77d62a5b5dde9607f66575d14.1699398720.git.mjg@fedoraproject.org>
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Mon, 6 Nov 2023 15:30:18 +0000
Subject: [PATCH] PostScript - Fix selectdevice
Bug 707310 "`selectdevice` no longer works"
This was an oversight. Fixed here.
In future I anticipate removing selectdevice as well, as it doesn't do
anything that can't be done using setpagedevice (and .defaultscreen).
However, it is currently documented, so this restores the behaviour.
---
Resource/Init/gs_init.ps | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index 958e8247c..d6b55efb2 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -871,7 +871,7 @@ currentdict /.makeinternaldict .undef
ifelse
} bind def
/selectdevice
- { finddevice setdevice .setdefaultscreen } bind def
+ { finddevice setdevice .setdefaultscreen } bind odef
/signalerror % <object> <errorname> signalerror -
{ /errordict .systemvar exch get exec } bind def
/signaloperror { % <object> <errorname> signaloperror -
--
2.43.0.rc0.447.g76a1efa614

31
ghostscript-10.02.1-txtwrite-device-needs-to-countdown-the-device-on-tex.patch Normal file
View File

@ -0,0 +1,31 @@
From ea661034db7eb667375981dae883d0c9e7d79799 Mon Sep 17 00:00:00 2001
Message-ID: <ea661034db7eb667375981dae883d0c9e7d79799.1699398536.git.mjg@fedoraproject.org>
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Mon, 18 Sep 2023 17:40:18 +0100
Subject: [PATCH] txtwrite device - needs to countdown the device on
text_release
Bug #707132 "Error: finalizing subclassing device while child refcount > 1"
The txtwrite device calls gs_text_enum_init() which counts up the
device, but does not count it down again when the enumertor is
released. Fixed here.
---
devices/vector/gdevtxtw.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c
index f64284f07..089d32f7e 100644
--- a/devices/vector/gdevtxtw.c
+++ b/devices/vector/gdevtxtw.c
@@ -2059,6 +2059,7 @@ textw_text_release(gs_text_enum_t *pte, client_name_t cname)
gs_free(tdev->memory, penum->text_state, 1, sizeof(penum->text_state), "txtwrite free text state");
penum->text_state = NULL;
}
+ rc_decrement_only(pte->dev, "textw_text_release");
}
/* This is the list of methods for the text enumerator */
--
2.43.0.rc0.447.g76a1efa614

448
SPECS/ghostscript.spec → ghostscript.spec
View File

@ -27,25 +27,40 @@
# tarballs, and their release tags/branches do not use the dot in version
# tag. This makes obtaining the current version harder, and might prevent
# automatic builds of new releases...
%global version_short %(echo "%{version}" | tr -d '.')
%global version_short %%(echo "%{version}" | tr -d '.')
# Starting version of new sup-package layout scheme for Ghostscript, which is
# conflicting with the previous sup-package layout scheme.
#
# Obtain the location of Google Droid fonts directory:
%global google_droid_fontpath %%(dirname $(fc-list : file | grep "DroidSansFallback"))
# Desired jbig2dec header files and library version
# Apparantly, ghostscript complains even about newer versions
# Please update if needed.
%global jbig2dec_version 0.20
# =============================================================================
Name: ghostscript
Summary: Interpreter for PostScript language & PDF
Version: 9.27
Version: 10.02.1
Release: 13%{?dist}
License: AGPLv3+
License: AGPL-3.0-or-later
URL: https://ghostscript.com/
Source: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs%{version_short}/ghostscript-%{version}.tar.xz
Requires: libgs%{?_isa} = %{version}-%{release}
Requires: jbig2dec-libs >= 0.16
Requires: jbig2dec-libs = %{jbig2dec_version}
Requires: %{name}-tools-fonts = %{version}-%{release}
Requires: %{name}-tools-printing = %{version}-%{release}
Provides: ghostscript-core = %{version}-%{release}
Obsoletes: ghostscript-core < 9.53.3-6
Provides: ghostscript-x11 = %{version}-%{release}
Obsoletes: ghostscript-x11 < 10.01.0-1
# Auxiliary build requirements:
BuildRequires: automake
@ -61,11 +76,14 @@ BuildRequires: urw-base35-fonts-devel
# Already packaged software -- needed for debundling of Ghostscript:
BuildRequires: cups-devel
BuildRequires: dbus-devel
# we use fc-list in generating macros at the top of SPEC file
BuildRequires: fontconfig
BuildRequires: fontconfig-devel
BuildRequires: freetype-devel
BuildRequires: jbig2dec-devel
BuildRequires: jbig2dec-devel = %{jbig2dec_version}
BuildRequires: jbig2dec-libs = %{jbig2dec_version}
BuildRequires: lcms2-devel
BuildRequires: libidn-devel
BuildRequires: libidn2-devel
BuildRequires: libijs-devel
BuildRequires: libjpeg-turbo-devel
BuildRequires: libpng-devel
@ -77,6 +95,7 @@ BuildRequires: zlib-devel
# Enabling the GUI possibilities of Ghostscript:
BuildRequires: gtk3-devel
BuildRequires: libXt-devel
BuildRequires: make
# =============================================================================
@ -88,48 +107,31 @@ BuildRequires: libXt-devel
# Upstream patches -- official upstream patches released by upstream since the
# ---------------- last rebase that are necessary for any reason:
#Patch000: example000.patch
Patch001: ghostscript-cve-2019-10216.patch
Patch002: ghostscript-cve-2019-14811-14812-14813.patch
Patch003: ghostscript-cve-2019-14817.patch
# fixed in 9.51
Patch004: ghostscript-cve-2020-16290.patch
Patch005: ghostscript-cve-2020-16291.patch
Patch006: ghostscript-cve-2020-16293.patch
Patch007: ghostscript-cve-2020-16295.patch
Patch008: ghostscript-cve-2020-16299.patch
Patch009: ghostscript-cve-2020-16302.patch
Patch010: ghostscript-cve-2020-16304.patch
Patch011: ghostscript-cve-2020-16306.patch
Patch012: ghostscript-cve-2020-16307.patch
Patch013: ghostscript-cve-2020-16310.patch
Patch014: ghostscript-cve-2020-16301.patch
# 2097448 - printed text drifts to the right
Patch015: ghostscript-9.27-fix-use-of-HWMargins.patch
Patch016: ghostscript-9.27-Deal-with-different-VM-modes-during-CIDFont-loading.patch
Patch017: ghostscript-9.27-ESC-Page-driver-does-not-set-page-size-correctly.patch
Patch018: ghostscript-9.27-fix-bbox.patch
Patch019: ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
Patch020: ghostscript-9.27-CVE-2023-28879.patch
Patch021: ghostscript-9.27-CVE-2023-38559.patch
Patch022: ghostscript-9.27-CVE-2023-4042.patch
Patch023: ghostscript-9.27-avoid-divide-by-zero-in-devices.patch
# RHEL-38837 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
# the patch is based on upstream code from 9.50, where a new -dSAFER implementation was introduced and
# -dSAFER was made default for any gs calls. To do not backport the whole new -dSAFER implementation,
# to do not collide with any future backports related with -dSAFER and to do not change the current default
# for ghostscript in RHEL 8, only part of the new -dSAFER implementation was backported,
# and the several functions, variables and macros prefix was changed to 'opvp' and used only
# for OPVP device, which results in changing the default only for this device and fixing the CVE.
# Downside of the fix is if someone depends on unsafe settings of driver for OPVP device
# (via Postscript code in command -c, via Postscript code in input file), gs will start to fail.
Patch024: gs-cve-2024-33871.patch
Patch: ghostscript-10.02.1-txtwrite-device-needs-to-countdown-the-device-on-tex.patch
Patch: ghostscript-10.02.1-PostScript-Fix-selectdevice.patch
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b7beb19ad06e
Patch: 0001-Bug-707130-Cast-to-void-to-avoid-compiler-warning.patch
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8f5c77af6c0b
Patch: 0001-X-device-fix-compiler-warning.patch
# RHEL-38835 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
Patch: 0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch
# RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
Patch: 0001-Bug-707686.patch
# RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
Patch: 0001-Bug-707510-don-t-use-strlen-on-passwords.patch
# RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
Patch: 0001-Bug-707510-review-printing-of-pointers.patch
# RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
Patch: 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
# RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()
Patch: 0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
# RHEL-44727 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
Patch: 0001-Uniprint-device-prevent-string-configuration-changes.patch
# RHEL-46575 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
Patch: 0001-Bug-707691.patch
# Downstream patches -- these should be always included when doing rebase:
# ------------------
Patch100: ghostscript-9.23-100-run-dvipdf-securely.patch
# Downstream patches for RHEL -- patches that we keep only in RHEL for various
# --------------------------- reasons, but are not enabled in Fedora:
%if %{defined rhel} || %{defined centos}
@ -165,6 +167,9 @@ Requires: urw-base35-fonts
This library provides Ghostscript's core functionality, based on Ghostscript's
API, which is useful for many packages that are build on top of Ghostscript.
It also provides an X11-based driver for Ghostscript, which enables displaying
of various document files (including PS and PDF).
# ---------------
%package -n libgs-devel
@ -193,8 +198,9 @@ against Ghostscript's library, which provides Ghostscript's core functionality.
# executable instead of package.
%package tools-dvipdf
Summary: Ghostscript's 'dvipdf' utility
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: /usr/bin/dvips
BuildArch: noarch
Requires: %{name} = %{version}-%{release}
Requires: %{_bindir}/dvips
%description tools-dvipdf
This package provides the utility 'dvipdf' for converting of TeX DVI files into
@ -204,7 +210,8 @@ PDF files using Ghostscript and dvips.
%package tools-fonts
Summary: Ghostscript's font utilities
Requires: %{name}%{?_isa} = %{version}-%{release}
BuildArch: noarch
Requires: %{name} = %{version}-%{release}
%description tools-fonts
This package provides utilities which are useful when you are working with AFM,
@ -214,7 +221,8 @@ PFB or PFA files, mostly for conversion purposes.
%package tools-printing
Summary: Ghostscript's printing utilities
Requires: %{name}%{?_isa} = %{version}-%{release}
BuildArch: noarch
Requires: %{name} = %{version}-%{release}
%description tools-printing
This package provides utilities for formatting and printing text files using
@ -235,16 +243,6 @@ of various document files (including PS and PDF).
# ---------------
%package x11
Summary: Ghostscript's X11-based driver for document rendering
Requires: %{name}%{?_isa} = %{version}-%{release}
%description x11
This package provides X11-based driver for Ghostscript, which enables displaying
of various document files (including PS and PDF).
# ---------------
%package doc
Summary: Documentation files for Ghostscript
Requires: %{name} = %{version}-%{release}
@ -261,16 +259,11 @@ This package provides detailed documentation files for Ghostscript software.
%autosetup -N -S git
# Libraries that we already have packaged in Fedora (see Build Requirements):
rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
# Yeah, not actually needed in Fedora (^_^):
rm -rf windows
rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* leptonica libpng openjpeg tesseract tiff windows zlib
# Add the remaining source code to the initial commit, patch the source code:
git add --all --force .
git commit --all --amend --no-edit > /dev/null
%autopatch -p1
# ---------------
%build
@ -291,17 +284,20 @@ git commit --all --amend --no-edit > /dev/null
# ... searches for necessary fonts in these column-separated directories,
# not just default ones
#
# --without-x
# ... builds gs library without X functionality (previously provided by ghostscript-x11)
#
# NOTE: In RHEL we need to keep the /usr/share/ghostscript/conf.d/ folder
# for China's GB18030 official certification:
%if %{defined rhel} || %{defined centos}
%configure --enable-dynamic --disable-compile-inits --without-versioned-path \
--with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}:%{_datadir}/%{name}/conf.d/:%{_datadir}/fonts"
%configure --without-x --disable-compile-inits --without-versioned-path \
--with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}:%{_datadir}/%{name}/conf.d/"
%else
%configure --enable-dynamic --disable-compile-inits --without-versioned-path \
%configure --disable-compile-inits --without-versioned-path \
--with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}"
%endif
%make_build so
%make_build so %{?flatpak:XCFLAGS=-I%{_includedir} XTRALIBS=-L%{_libdir}}
# ---------------
@ -342,7 +338,7 @@ ln -s %{_mandir}/man1/gs.1 %{buildroot}%{_mandir}/man1/ghostscript.1
# process for Ghostscript startup, and they advise using the symlinks where
# possible. The fontconfig (Ghostscript's search path) should be used preferably
# as a fallback only.
ln -fs %{google_droid_fontpath}/DroidSansFallback.ttf %{buildroot}%{_datadir}/%{name}/Resource/CIDFSubst/DroidSansFallback.ttf
ln -fs %{google_droid_fontpath}/DroidSansFallbackFull.ttf %{buildroot}%{_datadir}/%{name}/Resource/CIDFSubst/DroidSansFallback.ttf
for font in $(basename --multiple %{buildroot}%{_datadir}/%{name}/Resource/Font/*); do
ln -fs %{urw_base35_fontpath}/${font}.t1 %{buildroot}%{_datadir}/%{name}/Resource/Font/${font}
@ -403,11 +399,6 @@ done
%{_mandir}/man1/pdf2*
%{_mandir}/man1/ps2*
%lang(de) %{_mandir}/de/man1/gsnd*
%lang(de) %{_mandir}/de/man1/eps2*
%lang(de) %{_mandir}/de/man1/pdf2*
%lang(de) %{_mandir}/de/man1/ps2*
# ---------------
%files tools-dvipdf
@ -415,8 +406,6 @@ done
%{_mandir}/man1/dvipdf*
%lang(de) %{_mandir}/de/man1/dvipdf*
# ---------------
%files tools-fonts
@ -428,8 +417,6 @@ done
%{_mandir}/man1/pfbtopfa*
%{_mandir}/man1/printafm*
%lang(de) %{_mandir}/de/man1/printafm*
# ---------------
%files tools-printing
@ -452,132 +439,257 @@ done
# ---------------
%files x11
%{_libdir}/%{name}/
# ---------------
%files doc
%doc %{_docdir}/%{name}/
# =============================================================================
%changelog
* Wed Jun 12 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.27-13
- CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
* Wed Jul 17 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-13
- RHEL-46575 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
* Tue Sep 19 2023 Richard Lescak <rlescak@redhat.com> - 9.27-12
- fix to prevent divison by zero in devices
- Resolves: rhbz#2235009
* Tue Jul 16 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
- RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
- RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
- RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
- RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()
- RHEL-44727 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.27-11
- fix for CVE-2023-4042
- Resolves: rhbz#2228153
* Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
- RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.27-10
- fix for CVE-2023-38559
- Resolves: rhbz#2224371
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 10.02.1-11
- Bump release for June 2024 mass rebuild
* Fri May 05 2023 Richard Lescak <rlescak@redhat.com> - 9.27-9
- fix for CVE-2023-28879
- Resolves: rhbz#2188297
* Fri Jun 21 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-10
- RHEL-38835 run the package with correct tests
* Fri Mar 17 2023 Richard Lescak <rlescak@redhat.com> - 9.27-8
* Thu Jun 20 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-9
- RHEL-38835 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 10.02.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Jan 22 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-7
- fix rpmlint errors
* Sat Jan 20 2024 Michael J Gruber <mjg@fedoraproject.org> - 10.02.1-7
- fix another FTBFS with GCC 14
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 10.02.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Jan 09 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-5
- fix FTBFS with GCC 14
* Tue Nov 07 2023 Michael J Gruber <mjg@fedoraproject.org> - 10.02.1-4
- fix txtwrite device and /selectdevice
* Tue Nov 07 2023 Michael J Gruber <mjg@fedoraproject.org> - 10.02.1-3
- revert/adjust spec change for jbig2dec 0.20 and fix FTI (rhbz#2248557)
* Tue Nov 07 2023 Richard Lescak <rlescak@redhat.com> - 10.02.1-2
- change jbig2dec requirement to >= 0.19
* Mon Nov 06 2023 Richard Lescak <rlescak@redhat.com> - 10.02.1-1
- rebase to version 10.02.1 (#2238724)
* Wed Oct 11 2023 Richard Lescak <rlescak@redhat.com> - 10.01.2-4
- fix for CVE-2023-43115 (#2241112)
* Mon Aug 07 2023 Richard Lescak <rlescak@redhat.com> - 10.01.2-3
- fix for CVE-2023-38559 (#2225380)
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 10.01.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri Jul 14 2023 Michael J Gruber <mjg@fedoraproject.org> - 10.01.2-1
- rebase to bugfix release 10.01.2 (rhbz#2182090)
- fix for CVE-2023-36664 (rhbz#2217806)
* Thu Apr 06 2023 Richard Lescak <rlescak@redhat.com> - 10.01.0-3
- fix for CVE-2023-28879 (#2184586)
- add patch for converting default page name to lowercase (#2183166)
* Mon Apr 03 2023 Richard Lescak <rlescak@redhat.com> - 10.01.0-2
- set 'a4' as a default in gs_init.ps to fix unrecognized 'Letter' page size (#2183166)
* Mon Mar 27 2023 Richard Lescak <rlescak@redhat.com> - 10.01.0-1
- rebase to version 10.01.0 (#2180908)
- ghostscript-x11 removed, X functionality now builds directly into library for Fedora (#2178720)
- German manual pages removed
* Thu Mar 16 2023 Richard Lescak <rlescak@redhat.com> - 10.0.0-4
- fix embedding of CIDFonts
- Resolves: rhbz#2169890
* Wed Mar 15 2023 Richard Lescak <rlescak@redhat.com> - 9.27-7
- fix bbox device calculating bounding box incorrectly
- Resolves: rhbz#2176327
* Tue Feb 14 2023 Richard Lescak <rlescak@redhat.com> - 10.0.0-3
- fix gdevcups to not match custom size against PPD
* Thu Feb 02 2023 Richard Lescak <rlescak@redhat.com> - 9.27-6
- set the page size for A4 correctly in ESC/Page driver
- Resolves: rhbz#2164603
* Sun Feb 12 2023 Michael J Gruber <mjg@fedoraproject.org> - 10.0.0-2
- SPDX migration
* Tue Nov 15 2022 Richard Lescak <rlescak@redhat.com> - 9.27-5
- fix loading of CIDFonts
- Resolves: rhbz#2118538
* Mon Jan 23 2023 Richard Lescak <rlescak@redhat.com> - 10.0.0-1
- rebase to new version 10.0.0 (#2128814)
* Mon Jul 25 2022 Richard Lescak <rlescak@redhat.com> - 9.27-4
- changed requirement to jbig2dec-libs
- Resolves: rhbz#2097515, rhbz#2097448
* Thu Oct 27 2022 Richard Lescak <rlescak@redhat.com> - 9.56.1-5
- fix loading of CIDFonts (#2137856)
* Wed Jul 20 2022 Richard Lescak <rlescak@redhat.com> - 9.27-3
- fixed drifting text to the right when printing
- added Requirement for jbig2dec
- added patch for CVE-2020-16301
- Resolves: rhbz#2097515, rhbz#2097448
* Wed Oct 19 2022 Michael J Gruber <mjg@fedoraproject.org> - 9.56.1-4
- fix specifix shading subfunction handling
* Fri Jan 22 2021 Anna Khaitovich <akhaitov@redhat.com> - 9.27-2
- tools-dvipdf: require /usr/bin/dvips not %{_bindir}/dvips
- Resolves: rhbz#1918937
* Wed Oct 05 2022 Michael J Gruber <mjg@fedoraproject.org> - 9.56.1-3
- fix segfaulting X11 devices (rhbz#2125654)
* Tue Sep 01 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.27-1
- Rebase to 9.27
- Resolves: rhbz#1874523
* Tue Sep 06 2022 Michael J Gruber <mjg@fedoraproject.org> - 9.56.1-2
- fix FitPage with square media (rhbz#2123391)
* Tue Apr 07 2020 Zdenek Dohnal <zdohnal@redhat.com> - 9.25-7
- 1813228 - ghostscript fontconfig support broken when gs used with -dSAFER/-dPARANOIDSAFER
* Mon Aug 01 2022 Richard Lescak <rlescak@redhat.com> - 9.56.1-1
- Rebase to new gs version 9.56.1 (#2072297)
* Thu Nov 07 2019 Zdenek Dohnal <zdohnal@redhat.com> - 9.25-6
- 1769343 - CVE-2019-14869 - -dSAFER escape in .charkeys
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 9.55.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Aug 22 2019 Martin Osvald <mosvald@redhat.com> - 9.25-5
- Resolves: #1744011 - CVE-2019-14811 ghostscript: Safer Mode Bypass by .forceput Exposure in .pdf_hook_DSC_Creator (701445)
- Resolves: #1744015 - CVE-2019-14812 ghostscript: Safer Mode Bypass by .forceput Exposure in setuserparams (701444)
- Resolves: #1744006 - CVE-2019-14813 ghostscript: Safer Mode Bypass by .forceput Exposure in setsystemparams (701443)
- Resolves: #1744231 - CVE-2019-14817 ghostscript: Safer Mode Bypass by .forceput Exposure in .pdfexectoken and other procedures (701450)
* Fri May 20 2022 Sandro Mani <manisandro@gmail.com> - 9.55.0-4
- Rebuild for gdal-3.5.0 and/or openjpeg-2.5.0
* Mon Aug 05 2019 Martin Osvald <mosvald@redhat.com> - 9.25-4
- Resolves: #1737337 - CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394)
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 9.55.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Mar 28 2019 Martin Osvald <mosvald@redhat.com> - 9.25-3
- Resolves: #1692798 - CVE-2019-3839 ghostscript: missing attack vector
protections for CVE-2019-6116
- Resolves: #1678170 - CVE-2019-3835 ghostscript: superexec operator
is available (700585)
- Resolves: #1691414 - CVE-2019-3838 ghostscript: forceput in DefineResource
is still accessible (700576)
- fix included for ghostscript: Regression: double comment chars
'%%' in gs_init.ps leading to missing metadata
- fix for pdf2dsc regression added to allow fix for CVE-2019-3839
* Thu Dec 30 2021 Tom Callaway <spot@fedoraproject.org> - 9.55.0-2
- apply fix from upstream bug 704737, preventing asymptote from working properly
* Wed Jan 23 2019 Martin Osvald <mosvald@redhat.com> - 9.25-2
- Resolves: #1652937 - CVE-2018-19409 ghostscript: Improperly implemented
security check in zsetdevice function in psi/zdevice.c
- Resolves: #1642586 - CVE-2018-18073 ghostscript: saved execution stacks
can leak operator arrays
- Resolves: #1642580 - CVE-2018-17961 ghostscript: saved execution stacks
can leak operator arrays (incomplete fix for CVE-2018-17183)
- Resolves: #1642941 - CVE-2018-18284 ghostscript: 1Policy operator
allows a sandbox protection bypass
- Resolves: #1656336 - CVE-2018-19134 ghostscript: Type confusion in
setpattern (700141)
- Resolves: #1660571 - CVE-2018-19475 ghostscript: access bypass in
psi/zdevice2.c (700153)
- Resolves: #1660830 - CVE-2018-19476 ghostscript: access bypass in
psi/zicc.c
- Resolves: #1661280 - CVE-2018-19477 ghostscript: access bypass in
psi/zfjbig2.c (700168)
- Resolves: #1668891 - CVE-2019-6116 ghostscript: subroutines within
pseudo-operators must themselves be pseudo-operators (700317)
* Mon Oct 11 2021 Richard Lescak <rlescak@redhat.com> - 9.55.0-1
- Rebase to new gs version (#2008146)
* Mon Sep 24 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.25-1
- rebase to latest upstream version to fix issues discovered in previous CVE fixes (bug #1631701 and #1626997)
* Thu Sep 09 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-4
- Added patch for a bug (#1989084) and CVE-2021-3781 (#2003085)
* Fri Sep 07 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.24-1
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 9.54.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jun 02 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-2
- Added Obsoletes/Provides for old ghostscript-core (#1962993)
* Fri May 14 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-1
- Update to version 9.54.0 (#1944755)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 9.53.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Dec 22 2020 Michael J Gruber <mjg@fedoraproject.org> - 9.53.3-4
- Restore opvp for good (#1909950)
* Tue Nov 24 2020 Michael J Gruber <mjg@fedoraproject.org> - 9.53.3-3
- Restore opvp device (#1899885)
* Wed Nov 04 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.53.3-2
- Drop use of FT_CALLBACK_DEF() def
* Thu Oct 08 2020 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 9.53.1-3
- Update to 9.53.3 (#1882743)
* Tue Sep 22 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.53.1-2
- Bump jbig2dec version
* Thu Sep 10 2020 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 9.53.0-1
- Update to 9.53.1 (#1877781)
* Mon Jul 27 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-8
- Use libidn2 instead of libidn (fixes #1860890)
* Thu Jul 02 2020 Michael J Gruber <mjg@fedoraproject.org> - 9.52-7
- really require the exact jbig2dec version
* Sat Jun 27 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 9.52-6
- standard packages should not require -devel packages
* Wed Jun 24 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-5
- Require the exact jbig2dec version in both build and runtime dependencies
* Thu May 21 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-4
- Define %%{jbig2dec_version} global macro
* Wed May 20 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-3
- Require the exact jbig2dec version to avoid a mismatch between header files and library
* Mon May 18 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-2
- Require the exact jbig2dec-devel version
* Thu Apr 02 2020 Zdenek Dohnal <zdohnal@redhat.com> - 9.52-1
- 9.52
* Wed Mar 11 2020 Zdenek Dohnal <zdohnal@redhat.com> - 9.50-1
- 9.50
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 9.27-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Nov 14 2019 Zdenek Dohnal <zdohnal@redhat.com> - 9.27-2
- 1772486 - ghostscript: -dSAFER escape in .charkeys (701841)
* Fri Sep 06 2019 Martin Osvald <mosvald@redhat.com> - 9.27-1
- rebase to latest upstream version 9.27
- security fixes added for:
- CVE-2019-14811 (bug #1747908)
- CVE-2019-14812 (bug #1747907)
- CVE-2019-14813 (bug #1747906)
- CVE-2019-14817 (bug #1747909)
* Mon Aug 12 2019 Martin Osvald <mosvald@redhat.com> - 9.26-6
- Fix for CVE-2019-10216 added
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 9.26-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Mar 22 2019 Martin Osvald <mosvald@redhat.com> - 9.26-4
- Fixes for CVE-2019-3835 and CVE-2019-3838 added
* Mon Mar 11 2019 Martin Osvald <mosvald@redhat.com> - 9.26-3
- Fix for bug #1687144 added
* Fri Mar 08 2019 Martin Osvald <mosvald@redhat.com> - 9.26-2
- Fix for CVE-2019-6116 added (bug #1668888)
* Thu Feb 07 2019 Martin Osvald <mosvald@redhat.com> - 9.26-1
- rebase to latest upstream version 9.26
- spec change to remove gsdoc.el due to upstream 8bc783cb586
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 9.25-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Sep 17 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.25-1
- rebase to latest upstream version to fix additional issues found in 9.24
* Fri Sep 14 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.24-3
- ghostscript-9.24-002-icc-PermitReading.patch removed
- ghostscript-9.24-002-fix-for-Canon-and-Kyocera-printers.patch added (bug #1626818)
- ghostscript-9.24-003-CVE-2018-16802.patch added (bug #1627960)
* Fri Sep 07 2018 Tom Callaway <spot@fedoraproject.org> - 9.24-2
- add upstream fix for reading in ICC profiles
* Wed Sep 05 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.24-1
- rebase to latest upstream version, which contains important CVE fixes
- additional ZER0-DAY fixes added
* Wed Aug 29 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-5
* Wed Aug 29 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-7
- ghostscript-9.23-002-fixes-for-set-of-CVEs-reported-by-Google.patch added
* Mon Jul 30 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-6
- ghostscript-9.23-001-create-GC-descriptors-for-JPEG-passthrough.patch added (bug #1589467)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 9.23-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue May 15 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-4
- One more rebuild for libidn ABI fix (BZ#'s 1573961 and 1566414)
* Mon May 14 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-3
- %%conflicts_vers bumped to fix F27->F28 upgrade
* Thu May 10 2018 Stephen Gallagher <sgallagh@redhat.com> - 9.23-2.1
- Rebuilding for libidn ABI fix (BZ#'s 1573961 and 1566414)
* Mon Apr 23 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-2
- Fix for CVE-2018-10194 added (bug #1569821)

36
plans.fmf Normal file
View File

@ -0,0 +1,36 @@
/tier1-internal:
plan:
import:
url: https://src.fedoraproject.org/tests/ghostscript.git
name: /plans/tier1/internal
/tier1-public:
plan:
import:
url: https://src.fedoraproject.org/tests/ghostscript.git
name: /plans/tier1/public
/tier2-tier3-internal:
plan:
import:
url: https://src.fedoraproject.org/tests/ghostscript.git
name: /plans/tier2-tier3/internal
/tier2-tier3-public:
plan:
import:
url: https://src.fedoraproject.org/tests/ghostscript.git
name: /plans/tier2-tier3/public
/others-internal:
plan:
import:
url: https://src.fedoraproject.org/tests/ghostscript.git
name: /plans/others/internal
/others-public:
plan:
import:
url: https://src.fedoraproject.org/tests/ghostscript.git
name: /plans/others/public

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (ghostscript-10.02.1.tar.xz) = ee0f754c1bd8a18428ad14eaa3ead80ff8b96275af5012e7a8384f1f10490da056eec9ae3cc791a7a13a24e16e54df5bccdd109c7d53a14534bbd7360a300b11