rpms
/
ghostscript
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c10s
rpms:c9
rpms:c9s
rpms:c8s
rpms:c8-beta
rpms:c9-beta
rpms:imports/c9/ghostscript-9.54.0-16.el9_4
rpms:imports/c8/ghostscript-9.27-13.el8_10
rpms:imports/c8/ghostscript-9.27-12.el8
rpms:imports/c8-beta/ghostscript-9.27-12.el8
rpms:imports/c8/ghostscript-9.27-11.el8
rpms:imports/c9/ghostscript-9.54.0-14.el9_3
rpms:imports/c9/ghostscript-9.54.0-11.el9_2
rpms:imports/c9/ghostscript-9.54.0-10.el9_2
rpms:imports/c8-beta/ghostscript-9.27-11.el8
rpms:imports/c9-beta/ghostscript-9.54.0-13.el9
rpms:imports/c8/ghostscript-9.27-6.el8
rpms:imports/c9/ghostscript-9.54.0-9.el9
rpms:imports/c9-beta/ghostscript-9.54.0-9.el9
rpms:imports/c8-beta/ghostscript-9.27-6.el8
rpms:imports/c8s/ghostscript-9.27-6.el8
rpms:imports/c8s/ghostscript-9.27-5.el8
rpms:imports/c8/ghostscript-9.27-4.el8
rpms:imports/c8-beta/ghostscript-9.27-4.el8
rpms:imports/c8s/ghostscript-9.27-4.el8
rpms:imports/c9/ghostscript-9.54.0-7.el9
rpms:imports/c9-beta/ghostscript-9.54.0-7.el9
rpms:imports/c9-beta/ghostscript-9.54.0-4.el9
rpms:imports/c9-beta/ghostscript-9.54.0-2.el9
rpms:imports/c8-beta/ghostscript-9.27-1.el8
rpms:imports/c8-beta/ghostscript-9.25-7.el8
rpms:imports/c8-beta/ghostscript-9.25-5.el8_1.1
rpms:imports/c8-beta/ghostscript-9.25-3.el8
rpms:imports/c8s/ghostscript-9.27-1.el8
rpms:imports/c8s/ghostscript-9.25-7.el8
rpms:imports/c8/ghostscript-9.27-1.el8
rpms:imports/c8/ghostscript-9.25-7.el8
rpms:imports/c8/ghostscript-9.25-5.el8_1.1
rpms:imports/c8/ghostscript-9.25-5.el8
rpms:imports/c8/ghostscript-9.25-2.el8_0.3
...
pull from: rpms:c9s
Branches Tags
rpms:c10s
rpms:c9
rpms:c8
rpms:c9s
rpms:c8s
rpms:c8-beta
rpms:c9-beta
rpms:imports/c9/ghostscript-9.54.0-16.el9_4
rpms:imports/c8/ghostscript-9.27-13.el8_10
rpms:imports/c8/ghostscript-9.27-12.el8
rpms:imports/c8-beta/ghostscript-9.27-12.el8
rpms:imports/c8/ghostscript-9.27-11.el8
rpms:imports/c9/ghostscript-9.54.0-14.el9_3
rpms:imports/c9/ghostscript-9.54.0-11.el9_2
rpms:imports/c9/ghostscript-9.54.0-10.el9_2
rpms:imports/c8-beta/ghostscript-9.27-11.el8
rpms:imports/c9-beta/ghostscript-9.54.0-13.el9
rpms:imports/c8/ghostscript-9.27-6.el8
rpms:imports/c9/ghostscript-9.54.0-9.el9
rpms:imports/c9-beta/ghostscript-9.54.0-9.el9
rpms:imports/c8-beta/ghostscript-9.27-6.el8
rpms:imports/c8s/ghostscript-9.27-6.el8
rpms:imports/c8s/ghostscript-9.27-5.el8
rpms:imports/c8/ghostscript-9.27-4.el8
rpms:imports/c8-beta/ghostscript-9.27-4.el8
rpms:imports/c8s/ghostscript-9.27-4.el8
rpms:imports/c9/ghostscript-9.54.0-7.el9
rpms:imports/c9-beta/ghostscript-9.54.0-7.el9
rpms:imports/c9-beta/ghostscript-9.54.0-4.el9
rpms:imports/c9-beta/ghostscript-9.54.0-2.el9
rpms:imports/c8-beta/ghostscript-9.27-1.el8
rpms:imports/c8-beta/ghostscript-9.25-7.el8
rpms:imports/c8-beta/ghostscript-9.25-5.el8_1.1
rpms:imports/c8-beta/ghostscript-9.25-3.el8
rpms:imports/c8s/ghostscript-9.27-1.el8
rpms:imports/c8s/ghostscript-9.25-7.el8
rpms:imports/c8/ghostscript-9.27-1.el8
rpms:imports/c8/ghostscript-9.25-7.el8
rpms:imports/c8/ghostscript-9.25-5.el8_1.1
rpms:imports/c8/ghostscript-9.25-5.el8
rpms:imports/c8/ghostscript-9.25-2.el8_0.3

No commits in common. "c8" and "c9s" have entirely different histories.
c8 ... c9s

37 changed files with 893 additions and 1822 deletions
Show Stats Expand all files Collapse all files

1
.ghostscript.metadata
View File

@ -1 +0,0 @@
f926d2cfb418a7c5d92dce0a9843fa01ee62fe2c SOURCES/ghostscript-9.27.tar.xz

62
.gitignore vendored
View File

@ -1 +1,61 @@
SOURCES/ghostscript-9.27.tar.xz
acro5-cmaps-2001.tar.gz
adobe-cmaps-200202.tar.gz
eplaser-3.1.4-705.tgz
epson740.tgz
gdevmd2k-0.2a.tar.gz
ghostscript-7.07.tar.bz2
gs550j1.tar.gz
gs6.51-cjk-M2-R3.tar.gz
gs704-j-vlib.zip
lexmarkgs990908.tar.gz
lxm3200-tweaked-20030501.tar.gz
pcl3-3.3.tar.gz
espgs-8.15rc3-source.tar.bz2
adobe-cmaps-200204.tar.gz
espgs-8.15rc4-source.tar.bz2
espgs-8.15.1-source.tar.bz2
adobe-cmaps-200406.tar.gz
espgs-8.15.2-source.tar.bz2
espgs-8.15.3-source.tar.bz2
espgs-8.15.4-source.tar.bz2
ghostscript-8.60-r8117.tar.bz2
ghostscript-8.60.tar.bz2
ghostscript-8.61.tar.bz2
ghostscript-8.62.tar.bz2
ghostscript-8.63.tar.bz2
ghostscript-8.64.tar.bz2
ghostscript-8.70.tar.xz
ghostscript-8.71.tar.xz
/ghostscript-9.00.tar.xz
/ghostscript-9.01.tar.bz2
/ghostscript-9.02.tar.bz2
/ghostscript-9.04.tar.bz2
/ghostscript-9.05.tar.bz2
/ghostscript-9.06.tar.bz2
/ghostscript-9.06-cleaned.tar.bz2
/ghostscript-9.07.tar.bz2
/ghostscript-9.07-cleaned.tar.bz2
/ghostscript-9.08rc1.tar.gz
/ghostscript-9.08.tar.bz2
/ghostscript-9.09rc1.tar.gz
/ghostscript-9.09.tar.bz2
/ghostscript-9.10.tar.bz2
/ghostscript-9.10-cleaned.tar.bz2
/ghostscript-9.12-cleaned.tar.bz2
/ghostscript-9.14-cleaned.tar.bz2
/ghostscript-9.14-cleaned-1.tar.bz2
/ghostscript-9.15-cleaned.tar.bz2
/ghostscript-9.15-cleaned-1.tar.bz2
/ghostscript-9.16-cleaned-1.tar.bz2
/ghostscript-9.20.tar.xz
/ghostscript-9.22.tar.xz
/ghostscript-9.23.tar.xz
/ghostscript-9.24.tar.xz
/ghostscript-9.25.tar.xz
/ghostscript-9.26.tar.xz
/ghostscript-9.27.tar.xz
/ghostscript-9.50.tar.xz
/ghostscript-9.52.tar.xz
/ghostscript-9.53.1.tar.xz
/ghostscript-9.53.3.tar.xz
/ghostscript-9.54.0.tar.xz

22
SOURCES/ghostscript-9.23-100-run-dvipdf-securely.patch
View File

@ -1,22 +0,0 @@
From 91c9c6d17d445781ee572c281b8b9d75d96f9df8 Mon Sep 17 00:00:00 2001
From: "David Kaspar [Dee'Kej]" <dkaspar@redhat.com>
Date: Fri, 7 Oct 2016 13:57:01 +0200
Subject: [PATCH] Make sure 'dvipdf' is being run securely
---
lib/dvipdf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dvipdf b/lib/dvipdf
index 802aeab..c92dfb0 100755
--- a/lib/dvipdf
+++ b/lib/dvipdf
@@ -43,4 +43,4 @@ fi
# We have to include the options twice because -I only takes effect if it
# appears before other options.
-exec dvips -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite -
+exec dvips -R -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite -
--
2.14.3

28
SOURCES/ghostscript-9.27-CVE-2023-4042.patch
View File

@ -1,28 +0,0 @@
From 2793769ff107d8d22dadd30c6e68cd781b569550 Mon Sep 17 00:00:00 2001
From: Julian Smith <jules@op59.net>
Date: Mon, 4 Nov 2019 12:30:33 +0000
Subject: [PATCH] Bug 701819: fixed ordering in if expression to avoid
out-of-bounds access.
Fixes:
./sanbin/gs -dBATCH -dNOPAUSE -r965 -sOutputFile=tmp -sDEVICE=pcx16 ../bug-701819.pdf
---
devices/gdevpcx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/devices/gdevpcx.c b/devices/gdevpcx.c
index 1735851d2..91de4abb6 100644
--- a/devices/gdevpcx.c
+++ b/devices/gdevpcx.c
@@ -442,7 +442,7 @@ pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file)
byte data = *from;
from += step;
- if (data != *from || from == end) {
+ if (from >= end || data != *from) {
if (data >= 0xc0)
putc(0xc1, file);
} else {
--
2.41.0

88
SOURCES/ghostscript-9.27-avoid-divide-by-zero-in-devices.patch
View File

@ -1,88 +0,0 @@
From f70ab2044429fe4b991801476ea3f4b4a5c0cdf4 Mon Sep 17 00:00:00 2001
From: Julian Smith <jules@op59.net>
Date: Wed, 6 Nov 2019 11:46:10 +0000
Subject: [PATCH 1/2] Bug 701843: avoid divide by zero caused by custom
resolution being too low.
Fixes:
./sanbin/gs -dBATCH -dNOPAUSE -dSAFER -r8 -dNOCIE -dFitPage -sOutputFile=tmp -sDEVICE=eps9mid ../bug-701843.pdf
---
devices/gdevepsn.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/devices/gdevepsn.c b/devices/gdevepsn.c
index 49faaf3d7..3e5388322 100644
--- a/devices/gdevepsn.c
+++ b/devices/gdevepsn.c
@@ -159,10 +159,10 @@ eps_print_page(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high,
int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
/* Note that in_size is a multiple of 8. */
int in_size = line_size * (8 * in_y_mult);
- byte *buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf1)");
- byte *buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf2)");
- byte *in = buf1;
- byte *out = buf2;
+ byte *buf1;
+ byte *buf2;
+ byte *in;
+ byte *out;
int out_y_mult = (y_24pin ? 3 : 1);
int x_dpi = (int)pdev->x_pixels_per_inch;
char start_graphics =
@@ -174,6 +174,17 @@ eps_print_page(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high,
int bytes_per_space = dots_per_space * out_y_mult;
int tab_min_pixels = x_dpi * MIN_TAB_10THS / 10;
int skip = 0, lnum = 0, pass, ypass;
+
+ if (bytes_per_space == 0) {
+ /* This avoids divide by zero later on, bug 701843. */
+ return_error(gs_error_rangecheck);
+ }
+
+ buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf1)");
+ buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf2)");
+ in = buf1;
+ out = buf2;
+
/* Check allocations */
if ( buf1 == 0 || buf2 == 0 )
diff --git a/devices/gdevepsc.c b/devices/gdevepsc.c
--- a/devices/gdevepsc.c
+++ b/devices/gdevepsc.c
@@ -174,13 +174,7 @@
int y_mult = (y_24pin ? 3 : 1);
int line_size = (pdev->width + 7) >> 3; /* always mono */
int in_size = line_size * (8 * y_mult);
- byte *in =
- (byte *) gs_malloc(pdev->memory, in_size + 1, 1,
- "epsc_print_page(in)");
int out_size = ((pdev->width + 7) & -8) * y_mult;
- byte *out =
- (byte *) gs_malloc(pdev->memory, out_size + 1, 1,
- "epsc_print_page(out)");
int x_dpi = (int)pdev->x_pixels_per_inch;
char start_graphics = (char)
((y_24pin ? graphics_modes_24 : graphics_modes_9)[x_dpi / 60]);
@@ -195,6 +189,20 @@
int color_line_size, color_in_size;
int spare_bits = (pdev->width % 8); /* left over bits to go to margin */
int whole_bits = pdev->width - spare_bits;
+ byte *out;
+ byte *in;
+
+ if (bytes_per_space == 0) {
+ /* This avoids divide by zero later on, bug 701843. */
+ return_error(gs_error_rangecheck);
+ }
+
+ in =
+ (byte *) gs_malloc(pdev->memory, in_size + 1, 1,
+ "epsc_print_page(in)");
+ out =
+ (byte *) gs_malloc(pdev->memory, out_size + 1, 1,
+ "epsc_print_page(out)");
/* Check allocations */
if (in == 0 || out == 0) {

63
SOURCES/ghostscript-9.27-fix-bbox.patch
View File

@ -1,63 +0,0 @@
diff -Napur ghostscript-9.27.old/base/fapi_ft.c ghostscript-9.27.new/base/fapi_ft.c
--- ghostscript-9.27.old/base/fapi_ft.c 2019-04-04 00:43:14.000000000 -0700
+++ ghostscript-9.27.new/base/fapi_ft.c 2023-03-07 16:41:56.217995052 -0800
@@ -974,13 +974,19 @@ make_rotation(FT_Matrix * a_transform, c
*/
static void
transform_decompose(FT_Matrix * a_transform, FT_UInt * xresp, FT_UInt * yresp,
- FT_Fixed * a_x_scale, FT_Fixed * a_y_scale)
+ FT_Fixed * a_x_scale, FT_Fixed * a_y_scale, int units_per_EM)
{
double scalex, scaley, fact = 1.0;
double factx = 1.0, facty = 1.0;
FT_Matrix ftscale_mat;
FT_UInt xres;
FT_UInt yres;
+ /* We have to account for units_per_EM as we fiddle with the scaling
+ * in order to avoid underflow (mostly in the TTF hinting code), but
+ * we also want to clamp to a lower value (512, admittedly arrived at
+ * via experimentation) in order to preserve the fidelity of the outlines.
+ */
+ double upe = units_per_EM > 512 ? (float)units_per_EM : 512.0;
scalex = hypot((double)a_transform->xx, (double)a_transform->xy);
scaley = hypot((double)a_transform->yx, (double)a_transform->yy);
@@ -1067,10 +1073,25 @@ transform_decompose(FT_Matrix * a_transf
scalex *= fact;
}
- ftscale_mat.xx = (FT_Fixed) (65536.0 / scalex);
- ftscale_mat.xy = (FT_Fixed) 0;
- ftscale_mat.yx = (FT_Fixed) 0;
- ftscale_mat.yy = (FT_Fixed) (65536.0 / scaley);
+ /* see above */
+ fact = 1.0;
+ while (scaley * yres > (double)upe * 72.0 && (xres > 0 && yres > 0)
+ && (scalex > 0.0 && scaley > 0.0)) {
+ if (scaley < yres) {
+ xres >>= 1;
+ yres >>= 1;
+ fact *= 2.0;
+ }
+ else {
+ scalex /= 1.25;
+ scaley /= 1.25;
+ }
+ }
+
+ ftscale_mat.xx = (FT_Fixed) ((65536.0 / scalex) * fact);
+ ftscale_mat.xy = 0;
+ ftscale_mat.yx = 0;
+ ftscale_mat.yy = (FT_Fixed) ((65536.0 / scaley) * fact);
FT_Matrix_Multiply(a_transform, &ftscale_mat);
memcpy(a_transform, &ftscale_mat, sizeof(FT_Matrix));
@@ -1315,7 +1336,7 @@ gs_fapi_ft_get_scaled_font(gs_fapi_serve
* transform.
*/
transform_decompose(&face->ft_transform, &face->horz_res,
- &face->vert_res, &face->width, &face->height);
+ &face->vert_res, &face->width, &face->height, face->ft_face->units_per_EM);
ft_error = FT_Set_Char_Size(face->ft_face, face->width, face->height,
face->horz_res, face->vert_res);

16
SOURCES/ghostscript-9.27-fix-use-of-HWMargins.patch
View File

@ -1,16 +0,0 @@
diff -Napur '--exclude=.git' ghostscript-9.27.old/devices/vector/opdfread.ps ghostscript-9.27.new/devices/vector/opdfread.ps
--- ghostscript-9.27.old/devices/vector/opdfread.ps 2019-04-04 00:43:14.000000000 -0700
+++ ghostscript-9.27.new/devices/vector/opdfread.ps 2022-06-14 17:44:27.963033829 -0700
@@ -998,10 +998,10 @@ currentdict end readonly def
} if % id obj node
1 index exch /Context exch put % id obj
dup /ImmediateExec true put
- dup /IsPage true put
- SetPageSize {dup /Context get //SetupPageView exec} if
% This gets restored at the end of ExecuteStream if IsPage is true.
/pagesave save def
+ dup /IsPage true put
+ SetPageSize {dup /Context get //SetupPageView exec} if
} bind def
/FontFileDaemon % <id> <obj> <font_descriptor> FontFileDaemon <id> <obj>

43
SOURCES/ghostscript-cve-2019-10216.patch
View File

@ -1,43 +0,0 @@
From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Fri, 2 Aug 2019 15:18:26 +0100
Subject: Bug 701394: protect use of .forceput with executeonly
diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
index 6c7735bc0c..a039ccee35 100644
--- a/Resource/Init/gs_type1.ps
+++ b/Resource/Init/gs_type1.ps
@@ -118,25 +118,25 @@
( to be the same as glyph: ) print 1 index //== exec } if
3 index exch 3 index .forceput
% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
- }
+ }executeonly
{pop} ifelse
- } forall
+ } executeonly forall
pop pop
- }
+ } executeonly
{
pop pop pop
} ifelse
- }
+ } executeonly
{
% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
pop pop
} ifelse
- } forall
+ } executeonly forall
3 1 roll pop pop
- } if
+ } executeonly if
pop
dup /.AGLprocessed~GS //true .forceput
- } if
+ } executeonly if
%% We need to excute the C .buildfont1 in a stopped context so that, if there
%% are errors we can put the stack back sanely and exit. Otherwise callers won't

56
SOURCES/ghostscript-cve-2019-14811-14812-14813.patch
View File

@ -1,56 +0,0 @@
From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Tue, 20 Aug 2019 10:10:28 +0100
Subject: make .forceput inaccessible
Bug #701343, #701344, #701345
More defensive programming. We don't want people to access .forecput
even though it is no longer sufficient to bypass SAFER. The exploit
in #701343 didn't work anyway because of earlier work to stop the error
handler being used, but nevertheless, prevent access to .forceput from
.setuserparams2.
diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
index 4cc7f820f..0fd416465 100644
--- a/Resource/Init/gs_lev2.ps
+++ b/Resource/Init/gs_lev2.ps
@@ -158,7 +158,7 @@ end
{
pop pop
} ifelse
- } forall
+ } executeonly forall
% A context switch might have occurred during the above loop,
% causing the interpreter-level parameters to be reset.
% Set them again to the new values. From here on, we are safe,
@@ -229,9 +229,9 @@ end
{ pop pop
}
ifelse
- }
+ } executeonly
forall pop
-} .bind odef
+} .bind executeonly odef
% Initialize the passwords.
% NOTE: the names StartJobPassword and SystemParamsPassword are known to
diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
index c158a8faf..422e66e1a 100644
--- a/Resource/Init/gs_pdfwr.ps
+++ b/Resource/Init/gs_pdfwr.ps
@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef
systemdict /.pdf_hooked_DSC_Creator //true .forceput
} executeonly if
pop
- } if
+ } executeonly if
} {
pop
} ifelse
- }
+ } executeonly
{
pop
} ifelse

189
SOURCES/ghostscript-cve-2019-14817.patch
View File

@ -1,189 +0,0 @@
diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
index 1a218f4..cffde5c 100644
--- a/Resource/Init/pdf_base.ps
+++ b/Resource/Init/pdf_base.ps
@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef
{
dup ==only () = flush
} ifelse % PDFSTEP
- } if % PDFDEBUG
+ } executeonly if % PDFDEBUG
2 copy .knownget {
exch pop exch pop exch pop exec
} {
diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
index e18a7c2..0a3924c 100644
--- a/Resource/Init/pdf_draw.ps
+++ b/Resource/Init/pdf_draw.ps
@@ -501,8 +501,8 @@ end
( Output may be incorrect.\n) pdfformaterror
//pdfdict /.gs_warning_issued //true .forceput
PDFSTOPONERROR { /gs /undefined signalerror } if
- } if
- }
+ } executeonly if
+ } executeonly
ifelse
} bind executeonly def
@@ -1142,7 +1142,7 @@ currentdict end readonly def
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
@@ -1150,8 +1150,8 @@ currentdict end readonly def
pdfformaterror
} executeonly ifelse
end
- } ifelse
- } loop
+ } executeonly ifelse
+ } executeonly loop
{
(\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
//pdfdict /.Qqwarning_issued .knownget
@@ -1165,14 +1165,14 @@ currentdict end readonly def
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
+ } executeonly if
pop
% restore pdfemptycount
diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
index 9fb85f6..357ba30 100644
--- a/Resource/Init/pdf_font.ps
+++ b/Resource/Init/pdf_font.ps
@@ -677,7 +677,7 @@ currentdict end readonly def
currentglobal 2 index dup gcheck setglobal
/FontInfo 5 dict dup 5 1 roll .forceput
setglobal
- } if
+ } executeonly if
dup /GlyphNames2Unicode .knownget not {
//true % No existing G2U, make one
} {
@@ -701,9 +701,9 @@ currentdict end readonly def
} if
PDFDEBUG {
(.processToUnicode end) =
- } if
- } if
- } stopped
+ } executeonly if
+ } executeonly if
+ } executeonly stopped
{
.dstackdepth 1 countdictstack 1 sub
{pop end} for
@@ -1233,19 +1233,20 @@ currentdict /eexec_pdf_param_dict .undef
//pdfdict /.Qqwarning_issued //true .forceput
} executeonly if
Q
- } repeat
+ } executeonly repeat
Q
- } PDFfile fileposition 2 .execn % Keep pdfcount valid.
+ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid.
PDFfile exch setfileposition
- } ifelse
- } {
+ } executeonly ifelse
+ } executeonly
+ {
% PDF Type 3 fonts don't use .notdef
% d1 implementation adjusts the width as needed
0 0 0 0 0 0
pdfopdict /d1 get exec
} ifelse
end end
- } bdef
+ } executeonly bdef
dup currentdict Encoding .processToUnicode
currentdict end .completefont exch pop
} bind executeonly odef
@@ -2045,9 +2046,9 @@ currentdict /CMap_read_dict undef
(Will continue, but content may be missing.) = flush
} ifelse
} if
- } if
+ } executeonly if
/findresource cvx /undefined signalerror
- } loop
+ } executeonly loop
} bind executeonly odef
/buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font>
diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
index 5305ea6..a59e63c 100644
--- a/Resource/Init/pdf_main.ps
+++ b/Resource/Init/pdf_main.ps
@@ -2749,15 +2749,15 @@ currentdict /PDF2PS_matrix_key undef
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
- } if
+ } executeonly if
+ } executeonly if
pop
count PDFexecstackcount sub { pop } repeat
(after exec) VMDEBUG
diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
index 285e582..6c1f100 100644
--- a/Resource/Init/pdf_ops.ps
+++ b/Resource/Init/pdf_ops.ps
@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
+ } executeonly if
} bind executeonly odef
% Save PDF gstate
@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef
dup type /booleantype eq {
.currentSMask type /dicttype eq {
.currentSMask /Processed 2 index .forceput
+ } executeonly
+ {
+ .setSMask
+ }ifelse
} executeonly
{
- .setSMask
- }ifelse
- }{
.setSMask
}ifelse

18
SOURCES/ghostscript-cve-2020-16290.patch
View File

@ -1,18 +0,0 @@
diff --git a/devices/gdev3852.c b/devices/gdev3852.c
index e21b403..2bee8ec 100644
--- a/devices/gdev3852.c
+++ b/devices/gdev3852.c
@@ -76,6 +76,13 @@ jetp3852_print_page(gx_device_printer *pdev, FILE *prn_stream)
{ int lnum;
int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
int num_blank_lines = 0;
+
+ if (line_size > DATA_SIZE) {
+ emprintf2(pdev->memory, "invalid resolution and/or width gives line_size = %d, max. is %d\n",
+ line_size, DATA_SIZE);
+ return_error(gs_error_rangecheck);
+ }
+
for ( lnum = 0; lnum < pdev->height; lnum++ )
{ byte *end_data = data + line_size;
gdev_prn_copy_scan_lines(pdev, lnum,

257
SOURCES/ghostscript-cve-2020-16291.patch
View File

@ -1,257 +0,0 @@
diff --git a/contrib/gdevdj9.c b/contrib/gdevdj9.c
index eec1c77..a4e8e9c 100644
--- a/contrib/gdevdj9.c
+++ b/contrib/gdevdj9.c
@@ -575,26 +575,55 @@ static int cdj_set_bpp(gx_device *, int, int);
static int
hp_colour_open(gx_device * pdev)
{
- int retCode;
+ int retCode = 0;
+
+ /* Change the margins if necessary. */
+ static const float dj_a4[4] = {
+ DESKJET_MARGINS_A4
+ };
+
+ static const float dj_letter[4] = {
+ DESKJET_MARGINS_LETTER
+ };
+ const float *m = (float *)0;
cdj970->PageCtr = 0;
+ /* quality setup */
+ if (cdj970->quality == DRAFT) {
+ gx_device_set_resolution((gx_device *) pdev, 300.0, 300.0);
+ cdj970->xscal = 0;
+ cdj970->yscal = 0;
+ cdj970->intensities = 2;
+ } else if (cdj970->quality == NORMAL) {
+ gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0);
+ cdj970->xscal = 1;
+ cdj970->yscal = 1;
+ /* intensities = 4 from initialization */
+ } else { /* quality == PRESENTATION */
+ gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0);
+ cdj970->xscal = 0;
+ cdj970->yscal = 0;
+ /* intensities = 4 from initialization */
+ }
+
+ m = (gdev_pcl_paper_size((gx_device *) pdev) ==
+ PAPER_SIZE_A4 ? dj_a4 : dj_letter);
+
+ gx_device_set_margins((gx_device *) pdev, m, true);
+
/* Set up colour params if put_params has not already done so */
if (pdev->color_info.num_components == 0) {
- int code = cdj_set_bpp(pdev, pdev->color_info.depth,
+ retCode = cdj_set_bpp(pdev, pdev->color_info.depth,
pdev->color_info.num_components);
- if (code < 0)
- return code;
+ if (retCode < 0)
+ return retCode;
}
retCode = gdev_prn_open(pdev);
- if (retCode < 0)
- return (retCode);
- else {
+ if (retCode >= 0) {
retCode = gdev_prn_open_printer(pdev, true);
- if (retCode < 0)
- return (retCode);
}
return 0;
@@ -648,26 +677,25 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist)
int bpp = 0;
int code = 0;
- code = cdj_put_param_int(plist, "BitsPerPixel", &bpp, 1, 32, code);
- code = cdj_put_param_int(plist, "Quality", &quality, 0, 2, code);
- code = cdj_put_param_int(plist, "Papertype", &papertype, 0, 4, code);
- code = cdj_put_param_int(plist, "Duplex", &duplex, 0, 2, code);
- code =
- cdj_put_param_float(plist, "MasterGamma", &mastergamma, 0.1, 9.0,
- code);
- code =
- cdj_put_param_float(plist, "GammaValC", &gammavalc, 0.0, 9.0, code);
- code =
- cdj_put_param_float(plist, "GammaValM", &gammavalm, 0.0, 9.0, code);
- code =
- cdj_put_param_float(plist, "GammaValY", &gammavaly, 0.0, 9.0, code);
- code =
- cdj_put_param_float(plist, "GammaValK", &gammavalk, 0.0, 9.0, code);
- code =
- cdj_put_param_float(plist, "BlackCorrect", &blackcorrect, 0.0, 9.0,
- code);
-
- if (code < 0)
+ if ((code = cdj_put_param_int(plist, "BitsPerPixel", &bpp, 1, 32, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_int(plist, "Quality", &quality, 0, 2, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_int(plist, "Papertype", &papertype, 0, 4, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_int(plist, "Duplex", &duplex, 0, 2, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_float(plist, "MasterGamma", &mastergamma, 0.1, 9.0, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_float(plist, "GammaValC", &gammavalc, 0.0, 9.0, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_float(plist, "GammaValM", &gammavalm, 0.0, 9.0, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_float(plist, "GammaValY", &gammavaly, 0.0, 9.0, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_float(plist, "GammaValK", &gammavalk, 0.0, 9.0, code)) < 0)
+ return code;
+ if ((code = cdj_put_param_float(plist, "BlackCorrect", &blackcorrect, 0.0, 9.0, code)) < 0)
return code;
code = cdj_put_param_bpp(pdev, plist, bpp, bpp, 0);
@@ -676,6 +704,12 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist)
return code;
cdj970->quality = quality;
+ if (cdj970->quality != quality) {
+ if (pdev->is_open)
+ gs_closedevice(pdev); /* quality can change resolution, force re-open */
+ cdj970->quality = quality;
+ }
+
cdj970->papertype = papertype;
cdj970->duplex = duplex;
cdj970->mastergamma = mastergamma;
@@ -685,7 +719,7 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist)
cdj970->gammavalk = gammavalk;
cdj970->blackcorrect = blackcorrect;
- return 0;
+ return code;
}
/**********************************************************************************/
@@ -784,47 +818,6 @@ cdj970_terminate_page(gx_device_printer * pdev, FILE * prn_stream)
fputs("\033*rC\f\033&l-2H", prn_stream); /* End Graphics, Reset */
}
-/* cdj970_one_time_initialisation:
-----------------------------------------------------------------------------------*/
-static void
-cdj970_one_time_initialisation(gx_device_printer * pdev)
-{
- /* Change the margins if necessary. */
- static const float dj_a4[4] = {
- DESKJET_MARGINS_A4
- };
-
- static const float dj_letter[4] = {
- DESKJET_MARGINS_LETTER
- };
- const float *m = (float *)0;
-
- /* quality setup */
- if (cdj970->quality == DRAFT) {
- gx_device_set_resolution((gx_device *) pdev, 300.0, 300.0);
- cdj970->xscal = 0;
- cdj970->yscal = 0;
- cdj970->intensities = 2;
- } else if (cdj970->quality == NORMAL) {
- gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0);
- cdj970->xscal = 1;
- cdj970->yscal = 1;
- /* intensities = 4 from initialization */
- } else { /* quality == PRESENTATION */
- gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0);
- cdj970->xscal = 0;
- cdj970->yscal = 0;
- /* intensities = 4 from initialization */
- }
-
- m = (gdev_pcl_paper_size((gx_device *) pdev) ==
- PAPER_SIZE_A4 ? dj_a4 : dj_letter);
-
- gx_device_set_margins((gx_device *) pdev, m, true);
-
- cdj970_write_header((gx_device *) pdev, pdev->file);
-}
-
/* cdj970_print_page: Here comes the hp970 output routine
----------------------------------------------------------------------------------*/
static int
@@ -837,7 +830,7 @@ cdj970_print_page(gx_device_printer * pdev, FILE * prn_stream)
Gamma gamma;
if (cdj970->PageCtr == 0 && cdj970->ptype == DJ970C) {
- cdj970_one_time_initialisation(pdev);
+ cdj970_write_header((gx_device *)pdev, prn_stream);
}
/* make a local writable copy of the Gamma tables */
@@ -2280,6 +2273,11 @@ cdj_set_bpp(gx_device * pdev, int bpp, int ccomps)
ci->dither_colors = (bpp >= 8 ? 5 : bpp > 1 ? 2 : 0);
}
+ if (ci->depth != ((bpp > 1) && (bpp < 8) ? 8 : bpp)) {
+ if (pdev->is_open)
+ gs_closedevice(pdev); /* depth changed, make sure we re-open */
+ }
+
ci->depth = ((bpp > 1) && (bpp < 8) ? 8 : bpp);
return (0);
@@ -2598,16 +2596,15 @@ cdj_put_param_bpp(gx_device * pdev,
gs_param_list * plist,
int new_bpp, int real_bpp, int ccomps)
{
- if (new_bpp == 0 && ccomps == 0)
- return gdev_prn_put_params(pdev, plist);
- else {
- gx_device_color_info save_info;
- int save_bpp;
- int code;
-
- save_info = pdev->color_info;
- save_bpp = save_info.depth;
+ int code = 0;
+ int save_bpp;
+ gx_device_color_info save_info;
+ save_info = pdev->color_info;
+ save_bpp = save_info.depth;
+ if (new_bpp == 0 && ccomps == 0) {
+ code = gdev_prn_put_params(pdev, plist);
+ } else {
if (save_bpp == 8 && save_ccomps == 3 && !cprn_device->cmyk)
save_bpp = 3;
@@ -2631,12 +2628,22 @@ cdj_put_param_bpp(gx_device * pdev,
if ((cdj970->color_info.depth != save_bpp
|| (ccomps != 0 && ccomps != save_ccomps))
&& pdev->is_open)
- return (gs_closedevice(pdev));
+ gs_closedevice(pdev);
+ }
+
+ /* check for valid resolutions */
+ if (pdev->HWResolution[0] != pdev->HWResolution[1] ||
+ (pdev->HWResolution[0] != 300.0 && pdev->HWResolution[0] != 600.0) ) {
+ param_signal_error(plist, "HWResolution", gs_error_rangecheck);
+ emprintf1(pdev->memory, "\ncdj970: Invalid resolution: '%f'. Only 300 or 600 supported.\n\n",
+ pdev->HWResolution[0]);
+ cdj_set_bpp(pdev, save_bpp, save_ccomps);
+ return gs_error_rangecheck;
+ }
+ return code;
- return (0);
#undef save_ccomps
- }
}
/* cdj970_write_header:

13
SOURCES/ghostscript-cve-2020-16293.patch
View File

@ -1,13 +0,0 @@
diff --git a/base/gxblend.c b/base/gxblend.c
index 7c3d55b..55215d6 100644
--- a/base/gxblend.c
+++ b/base/gxblend.c
@@ -2174,7 +2174,7 @@ pdf14_compose_group(pdf14_buf *tos, pdf14_buf *nos, pdf14_buf *maskbuf,
overprint == 0) {
/* Additive vs Subtractive makes no difference in normal blend mode with no spots */
if (tos_isolated) {
- if (has_mask || maskbuf) {/* 7% */
+ if (has_mask && maskbuf) {/* 7% */
/* AirPrint test case hits this */
if (maskbuf && maskbuf->rect.p.x <= x0 && maskbuf->rect.p.y <= y0 &&
maskbuf->rect.q.x >= x1 && maskbuf->rect.q.y >= y1)

13
SOURCES/ghostscript-cve-2020-16295.patch
View File

@ -1,13 +0,0 @@
diff --git a/devices/gdevclj.c b/devices/gdevclj.c
index bed13bc..fe17ece 100644
--- a/devices/gdevclj.c
+++ b/devices/gdevclj.c
@@ -254,7 +254,7 @@ clj_media_size(float mediasize[2], gs_param_list *plist)
gs_param_int_array hwsize;
int have_pagesize = 0;
- if ( (param_read_float_array(plist, "HWResolution", &fres) == 0) &&
+ if ( param_read_float_array(plist, "HWResolution", &fres) != 0 ||
!is_supported_resolution(fres.data) )
return_error(gs_error_rangecheck);

58
SOURCES/ghostscript-cve-2020-16299.patch
View File

@ -1,58 +0,0 @@
diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
index 5c8b7fb..53da0ec 100644
--- a/contrib/japanese/gdev10v.c
+++ b/contrib/japanese/gdev10v.c
@@ -73,8 +73,20 @@ gx_device_procs prn_bj10v_procs =
prn_matrix_procs(gdev_prn_open, bj10v_get_initial_matrix,
gdev_prn_output_page, gdev_prn_close);
#endif
+
+static int
+bj10v_open(gx_device * pdev)
+{
+ if (pdev->HWResolution[0] < 180 ||
+ pdev->HWResolution[1] < 180)
+ {
+ emprintf(pdev->memory, "device requires a resolution of at least 180dpi\n");
+ return_error(gs_error_rangecheck);
+ }
+ return gdev_prn_open(pdev);
+}
gx_device_procs prn_bj10v_procs =
- prn_procs(gdev_prn_open, gdev_prn_output_page, gdev_prn_close);
+ prn_procs(bj10v_open, gdev_prn_output_page, gdev_prn_close);
gx_device_printer gs_bj10v_device =
prn_device(prn_bj10v_procs, "bj10v",
diff --git a/contrib/japanese/gdevalps.c b/contrib/japanese/gdevalps.c
index f29aeb1..d4de619 100644
--- a/contrib/japanese/gdevalps.c
+++ b/contrib/japanese/gdevalps.c
@@ -155,13 +155,20 @@ static const char end_md[] = {
static int
md_open(gx_device *pdev)
{
- static const float md_margins[4] =
- { MD_SIDE_MARGIN, MD_BOTTOM_MARGIN,
- MD_SIDE_MARGIN, MD_TOP_MARGIN
- };
-
- gx_device_set_margins(pdev, md_margins, true);
- return gdev_prn_open(pdev);
+ static const float md_margins[4] =
+ {
+ MD_SIDE_MARGIN, MD_BOTTOM_MARGIN,
+ MD_SIDE_MARGIN, MD_TOP_MARGIN
+ };
+
+ if (pdev->HWResolution[0] != 600)
+ {
+ emprintf(pdev->memory, "device must have an X resolution of 600dpi\n");
+ return_error(gs_error_rangecheck);
+ }
+
+ gx_device_set_margins(pdev, md_margins, true);
+ return gdev_prn_open(pdev);
}
/* MD5000 monochrome mode entrance. */

75
SOURCES/ghostscript-cve-2020-16301.patch
View File

@ -1,75 +0,0 @@
From f54414c8b15b2c27d1dcadd92cfe84f6d15f18dc Mon Sep 17 00:00:00 2001
From: Julian Smith <jules@op59.net>
Date: Thu, 31 Oct 2019 13:12:47 +0000
Subject: [PATCH] Bug 701808: return error from okiibm_print_page1() if x_dpi
too high.
Avoids asan error in:
./sanbin/gs -dBATCH -dNOPAUSE -dSAFER -r599 -sOutputFile=tmp -sDEVICE=okiibm ../bug-701808.pdf
---
devices/gdevokii.c | 46 ++++++++++++++++++++++++++++++++--------------
1 file changed, 32 insertions(+), 14 deletions(-)
diff --git a/devices/gdevokii.c b/devices/gdevokii.c
index d8929a22c..97a1c3b88 100644
--- a/devices/gdevokii.c
+++ b/devices/gdevokii.c
@@ -96,23 +96,41 @@ okiibm_print_page1(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high
-1, 0 /*60*/, 1 /*120*/, -1, 3 /*240*/
};
- int in_y_mult = (y_9pin_high ? 2 : 1);
- int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
- /* Note that in_size is a multiple of 8. */
- int in_size = line_size * (8 * in_y_mult);
- byte *buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf1)");
- byte *buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf2)");
- byte *in = buf1;
- byte *out = buf2;
- int out_y_mult = 1;
- int x_dpi = pdev->x_pixels_per_inch;
- char start_graphics = graphics_modes_9[x_dpi / 60];
- int first_pass = (start_graphics == 3 ? 1 : 0);
- int last_pass = first_pass * 2;
- int y_passes = (y_9pin_high ? 2 : 1);
+ int in_y_mult;
+ int line_size;
+ int in_size;
+ byte *buf1;
+ byte *buf2;
+ byte *in;
+ byte *out;
+ int out_y_mult;
+ int x_dpi;
+ char start_graphics;
+ int first_pass;
+ int last_pass;
+ int y_passes;
int skip = 0, lnum = 0, pass, ypass;
int y_step = 0;
+ x_dpi = pdev->x_pixels_per_inch;
+ if (x_dpi / 60 >= sizeof(graphics_modes_9)/sizeof(graphics_modes_9[0])) {
+ return_error(gs_error_rangecheck);
+ }
+ in_y_mult = (y_9pin_high ? 2 : 1);
+ line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
+ /* Note that in_size is a multiple of 8. */
+ in_size = line_size * (8 * in_y_mult);
+ buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf1)");
+ buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf2)");
+ in = buf1;
+ out = buf2;
+ out_y_mult = 1;
+ start_graphics = graphics_modes_9[x_dpi / 60];
+ first_pass = (start_graphics == 3 ? 1 : 0);
+ last_pass = first_pass * 2;
+ y_passes = (y_9pin_high ? 2 : 1);
+ y_step = 0;
+
/* Check allocations */
if ( buf1 == 0 || buf2 == 0 )
{ if ( buf1 )
--
2.35.3

228
SOURCES/ghostscript-cve-2020-16302.patch
View File

@ -1,228 +0,0 @@
diff --git a/devices/gdev3852.c b/devices/gdev3852.c
index 2bee8ec..9d99068 100644
--- a/devices/gdev3852.c
+++ b/devices/gdev3852.c
@@ -62,116 +62,117 @@ jetp3852_print_page(gx_device_printer *pdev, FILE *prn_stream)
#define DATA_SIZE (LINE_SIZE * 8)
unsigned int cnt_2prn;
- unsigned int count,tempcnt;
- unsigned char vtp,cntc1,cntc2;
- int line_size_color_plane;
-
- byte data[DATA_SIZE];
- byte plane_data[LINE_SIZE * 3];
-
- /* Set initial condition for printer */
- fputs("\033@",prn_stream);
-
- /* Send each scan line in turn */
- { int lnum;
- int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
- int num_blank_lines = 0;
-
- if (line_size > DATA_SIZE) {
- emprintf2(pdev->memory, "invalid resolution and/or width gives line_size = %d, max. is %d\n",
- line_size, DATA_SIZE);
- return_error(gs_error_rangecheck);
- }
-
- for ( lnum = 0; lnum < pdev->height; lnum++ )
- { byte *end_data = data + line_size;
- gdev_prn_copy_scan_lines(pdev, lnum,
- (byte *)data, line_size);
- /* Remove trailing 0s. */
- while ( end_data > data && end_data[-1] == 0 )
- end_data--;
- if ( end_data == data )
- { /* Blank line */
- num_blank_lines++;
- }
- else
- { int i;
- byte *odp;
- byte *row;
-
- /* Pad with 0s to fill out the last */
- /* block of 8 bytes. */
- memset(end_data, 0, 7);
-
- /* Transpose the data to get pixel planes. */
- for ( i = 0, odp = plane_data; i < DATA_SIZE;
- i += 8, odp++
- )
- { /* The following is for 16-bit machines */
+ unsigned int count,tempcnt;
+ unsigned char vtp,cntc1,cntc2;
+ int line_size_color_plane;
+
+ byte data[DATA_SIZE];
+ byte plane_data[LINE_SIZE * 3];
+
+ /* Initialise data to zeros, otherwise later on, uninitialised bytes in
+ dp[] can be greater than 7, which breaks spr8[dp[]]. */
+ memset(data, 0x00, DATA_SIZE);
+
+
+ /* Set initial condition for printer */
+ fputs("\033@",prn_stream);
+
+ /* Send each scan line in turn */
+ { int lnum;
+ int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
+ int num_blank_lines = 0;
+
+ if (line_size > DATA_SIZE) {
+ emprintf2(pdev->memory, "invalid resolution and/or width gives line_size = %d, max. is %d\n",
+ line_size, DATA_SIZE);
+ return_error(gs_error_rangecheck);
+ }
+
+ for ( lnum = 0; lnum < pdev->height; lnum++ )
+ { byte *end_data = data + line_size;
+ gdev_prn_copy_scan_lines(pdev, lnum,
+ (byte *)data, line_size);
+ /* Remove trailing 0s. */
+ while ( end_data > data && end_data[-1] == 0 )
+ end_data--;
+ if ( end_data == data )
+ { /* Blank line */
+ num_blank_lines++;
+ }
+ else
+ { int i;
+ byte *odp;
+ byte *row;
+
+ /* Transpose the data to get pixel planes. */
+ for ( i = 0, odp = plane_data; i < DATA_SIZE;
+ i += 8, odp++
+ )
+ { /* The following is for 16-bit machines */
#define spread3(c)\
{ 0, c, c*0x100, c*0x101, c*0x10000L, c*0x10001L, c*0x10100L, c*0x10101L }
- static ulong spr40[8] = spread3(0x40);
- static ulong spr8[8] = spread3(8);
- static ulong spr2[8] = spread3(2);
- register byte *dp = data + i;
- register ulong pword =
- (spr40[dp[0]] << 1) +
- (spr40[dp[1]]) +
- (spr40[dp[2]] >> 1) +
- (spr8[dp[3]] << 1) +
- (spr8[dp[4]]) +
- (spr8[dp[5]] >> 1) +
- (spr2[dp[6]]) +
- (spr2[dp[7]] >> 1);
- odp[0] = (byte)(pword >> 16);
- odp[LINE_SIZE] = (byte)(pword >> 8);
- odp[LINE_SIZE*2] = (byte)(pword);
- }
- /* Skip blank lines if any */
- if ( num_blank_lines > 0 )
- {
- /* Do "dot skips" */
- while(num_blank_lines > 255)
- {
- fputs("\033e\377",prn_stream);
- num_blank_lines -= 255;
- }
- vtp = num_blank_lines;
- fprintf(prn_stream,"\033e%c",vtp);
- num_blank_lines = 0;
- }
-
- /* Transfer raster graphics in the order R, G, B. */
- /* Apparently it is stored in B, G, R */
- /* Calculate the amount of data to send by what */
- /* Ghostscript tells us the scan line_size in (bytes) */
-
- count = line_size / 3;
- line_size_color_plane = count / 3;
- cnt_2prn = line_size_color_plane * 3 + 5;
- tempcnt = cnt_2prn;
- cntc1 = (tempcnt & 0xFF00) >> 8;
- cntc2 = (tempcnt & 0x00FF);
- fprintf(prn_stream, "\033[O%c%c\200\037",cntc2,cntc1);
- fputc('\000',prn_stream);
+ static ulong spr40[8] = spread3(0x40);
+ static ulong spr8[8] = spread3(8);
+ static ulong spr2[8] = spread3(2);
+ register byte *dp = data + i;
+ register ulong pword =
+ (spr40[dp[0]] << 1) +
+ (spr40[dp[1]]) +
+ (spr40[dp[2]] >> 1) +
+ (spr8[dp[3]] << 1) +
+ (spr8[dp[4]]) +
+ (spr8[dp[5]] >> 1) +
+ (spr2[dp[6]]) +
+ (spr2[dp[7]] >> 1);
+ odp[0] = (byte)(pword >> 16);
+ odp[LINE_SIZE] = (byte)(pword >> 8);
+ odp[LINE_SIZE*2] = (byte)(pword);
+ }
+ /* Skip blank lines if any */
+ if ( num_blank_lines > 0 )
+ {
+ /* Do "dot skips" */
+ while(num_blank_lines > 255)
+ {
+ fputs("\033e\377",prn_stream);
+ num_blank_lines -= 255;
+ }
+ vtp = num_blank_lines;
+ fprintf(prn_stream,"\033e%c",vtp);
+ num_blank_lines = 0;
+ }
+
+ /* Transfer raster graphics in the order R, G, B. */
+ /* Apparently it is stored in B, G, R */
+ /* Calculate the amount of data to send by what */
+ /* Ghostscript tells us the scan line_size in (bytes) */
+
+ count = line_size / 3;
+ line_size_color_plane = count / 3;
+ cnt_2prn = line_size_color_plane * 3 + 5;
+ tempcnt = cnt_2prn;
+ cntc1 = (tempcnt & 0xFF00) >> 8;
+ cntc2 = (tempcnt & 0x00FF);
+ fprintf(prn_stream, "\033[O%c%c\200\037",cntc2,cntc1);
+ fputc('\000',prn_stream);
fputs("\124\124",prn_stream);
- for ( row = plane_data + LINE_SIZE * 2, i = 0;
- i < 3; row -= LINE_SIZE, i++ )
- { int jj;
- byte ctemp;
- odp = row;
- /* Complement bytes */
- for (jj=0; jj< line_size_color_plane; jj++)
- { ctemp = *odp;
- *odp++ = ~ctemp;
- }
- fwrite(row, sizeof(byte),
- line_size_color_plane, prn_stream);
- }
- }
- }
- }
+ for ( row = plane_data + LINE_SIZE * 2, i = 0;
+ i < 3; row -= LINE_SIZE, i++ )
+ { int jj;
+ byte ctemp;
+ odp = row;
+ /* Complement bytes */
+ for (jj=0; jj< line_size_color_plane; jj++)
+ { ctemp = *odp;
+ *odp++ = ~ctemp;
+ }
+ fwrite(row, sizeof(byte),
+ line_size_color_plane, prn_stream);
+ }
+ }
+ }
+ }
/* eject page */
fputs("\014", prn_stream);

77
SOURCES/ghostscript-cve-2020-16304.patch
View File

@ -1,77 +0,0 @@
diff --git a/base/gxicolor.c b/base/gxicolor.c
index 34cfaa4..585bd81 100644
--- a/base/gxicolor.c
+++ b/base/gxicolor.c
@@ -644,16 +644,16 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
*(devc_contone_gray+1) = *psrc_temp;
}
} else {
- /* Mono case, forward */
- psrc_temp = psrc_cm;
- for (k=0; k<src_size; k++) {
- dda_next(dda_ht);
- xn = fixed2int_var_rounded(dda_current(dda_ht));
- while (xr < xn) {
- *devc_contone_gray++ = *psrc_temp;
- xr++;
- } /* at loop exit xn will be >= xr */
- psrc_temp++;
+ /* Mono case, forward */
+ psrc_temp = psrc_cm;
+ for (k=0; k<src_size; k++) {
+ dda_next(dda_ht);
+ xn = fixed2int_var_rounded(dda_current(dda_ht));
+ while (xr < xn) {
+ *devc_contone_gray++ = *psrc_temp;
+ xr++;
+ } /* at loop exit xn will be >= xr */
+ psrc_temp++;
}
}
} else {
@@ -668,7 +668,7 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
xr--;
} /* at loop exit xn will be >= xr */
psrc_temp++;
- }
+ }
}
break;
/* Monochrome landscape */
@@ -811,10 +811,9 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
dda_next(dda_ht);
xn = fixed2int_var_rounded(dda_current(dda_ht));
while (xr > xn) {
- for (j = 0; j < spp_out; j++) {
+ for (j = 0; j < spp_out; j++)
*(devc_contone[j] + position) = (psrc_plane[j])[i];
- position -= LAND_BITS;
- }
+ position -= LAND_BITS;
xr--;
} /* at loop exit xn will be <= xr */
i++;
@@ -825,9 +824,8 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
and 2x scaling which we will run into in 300 and
600dpi devices and content */
/* Apply initial offset */
- for (k = 0; k < spp_out; k++) {
+ for (k = 0; k < spp_out; k++)
devc_contone[k] = devc_contone[k] + position;
- }
if (src_size == dest_height) {
for (k = 0; k < data_length; k++) {
/* Is it better to unwind this? We know it is 4 */
@@ -853,10 +851,9 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
dda_next(dda_ht);
xn = fixed2int_var_rounded(dda_current(dda_ht));
while (xr > xn) {
- for (j = 0; j < spp_out; j++) {
+ for (j = 0; j < spp_out; j++)
*(devc_contone[j] + position) = (psrc_plane[j])[i];
- position -= LAND_BITS;
- }
+ position -= LAND_BITS;
xr--;
} /* at loop exit xn will be <= xr */
i++;

20
SOURCES/ghostscript-cve-2020-16306.patch
View File

@ -1,20 +0,0 @@
diff --git a/devices/gdevtsep.c b/devices/gdevtsep.c
index 6a50a4a..471fcb5 100644
--- a/devices/gdevtsep.c
+++ b/devices/gdevtsep.c
@@ -2332,6 +2332,7 @@ tiffsep_print_page(gx_device_printer * pdev, FILE * file)
"\nUse of the %%d format is required to output more than one page to tiffsep.\n"
"See doc/Devices.htm#TIFF for details.\n\n");
code = gs_note_error(gs_error_ioerror);
+ goto done;
}
/* Write the page directory for the CMYK equivalent file. */
if (!tfdev->comp_file) {
@@ -2685,6 +2686,7 @@ tiffsep1_print_page(gx_device_printer * pdev, FILE * file)
"\nUse of the %%d format is required to output more than one page to tiffsep1.\n"
"See doc/Devices.htm#TIFF for details.\n\n");
code = gs_note_error(gs_error_ioerror);
+ goto done;
}
/* If the output file is on disk and the name contains a page #, */
/* then delete the previous file. */

205
SOURCES/ghostscript-cve-2020-16307.patch
View File

@ -1,205 +0,0 @@
diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c
index b958027..7f02608 100644
--- a/devices/vector/gdevtxtw.c
+++ b/devices/vector/gdevtxtw.c
@@ -1693,97 +1693,100 @@ static int get_unicode(textw_text_enum_t *penum, gs_font *font, gs_glyph glyph,
length = font->procs.decode_glyph((gs_font *)font, glyph, ch, NULL, 0);
if (length == 0) {
- code = font->procs.glyph_name(font, glyph, &gnstr);
- if (code >= 0 && gnstr.size == 7) {
- if (!memcmp(gnstr.data, "uni", 3)) {
- static const char *hexdigits = "0123456789ABCDEF";
- char *d0 = strchr(hexdigits, gnstr.data[3]);
- char *d1 = strchr(hexdigits, gnstr.data[4]);
- char *d2 = strchr(hexdigits, gnstr.data[5]);
- char *d3 = strchr(hexdigits, gnstr.data[6]);
-
- if (d0 != NULL && d1 != NULL && d2 != NULL && d3 != NULL) {
- *Buffer++ = ((d0 - hexdigits) << 12) + ((d1 - hexdigits) << 8) + ((d2 - hexdigits) << 4) + (d3 - hexdigits);
- return 1;
- }
- }
- }
- if (length == 0) {
- single_glyph_list_t *sentry = (single_glyph_list_t *)&SingleGlyphList;
- double_glyph_list_t *dentry = (double_glyph_list_t *)&DoubleGlyphList;
- treble_glyph_list_t *tentry = (treble_glyph_list_t *)&TrebleGlyphList;
- quad_glyph_list_t *qentry = (quad_glyph_list_t *)&QuadGlyphList;
-
- /* Search glyph to single Unicode value table */
- while (sentry->Glyph != 0) {
- if (sentry->Glyph[0] < gnstr.data[0]) {
- sentry++;
- continue;
- }
- if (sentry->Glyph[0] > gnstr.data[0]){
- break;
- }
- if (strlen(sentry->Glyph) == gnstr.size) {
- if(memcmp(gnstr.data, sentry->Glyph, gnstr.size) == 0) {
- *Buffer = sentry->Unicode;
+ if (glyph != GS_NO_GLYPH) {
+ code = font->procs.glyph_name(font, glyph, &gnstr);
+ if (code >= 0 && gnstr.size == 7) {
+ if (!memcmp(gnstr.data, "uni", 3)) {
+ static const char *hexdigits = "0123456789ABCDEF";
+ char *d0 = strchr(hexdigits, gnstr.data[3]);
+ char *d1 = strchr(hexdigits, gnstr.data[4]);
+ char *d2 = strchr(hexdigits, gnstr.data[5]);
+ char *d3 = strchr(hexdigits, gnstr.data[6]);
+
+ if (d0 != NULL && d1 != NULL && d2 != NULL && d3 != NULL) {
+ *Buffer++ = ((d0 - hexdigits) << 12) + ((d1 - hexdigits) << 8) + ((d2 - hexdigits) << 4) + (d3 - hexdigits);
return 1;
}
}
- sentry++;
}
- /* Search glyph to double Unicode value table */
- while (dentry->Glyph != 0) {
- if (dentry->Glyph[0] < gnstr.data[0]) {
- dentry++;
- continue;
- }
- if (dentry->Glyph[0] > gnstr.data[0]){
- break;
- }
- if (strlen(dentry->Glyph) == gnstr.size) {
- if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) {
- memcpy(Buffer, dentry->Unicode, 2);
- return 2;
+ if (length == 0) {
+ single_glyph_list_t *sentry = (single_glyph_list_t *)&SingleGlyphList;
+ double_glyph_list_t *dentry = (double_glyph_list_t *)&DoubleGlyphList;
+ treble_glyph_list_t *tentry = (treble_glyph_list_t *)&TrebleGlyphList;
+ quad_glyph_list_t *qentry = (quad_glyph_list_t *)&QuadGlyphList;
+
+ /* Search glyph to single Unicode value table */
+ while (sentry->Glyph != 0) {
+ if (sentry->Glyph[0] < gnstr.data[0]) {
+ sentry++;
+ continue;
+ }
+ if (sentry->Glyph[0] > gnstr.data[0]){
+ break;
+ }
+ if (strlen(sentry->Glyph) == gnstr.size) {
+ if(memcmp(gnstr.data, sentry->Glyph, gnstr.size) == 0) {
+ *Buffer = sentry->Unicode;
+ return 1;
+ }
}
+ sentry++;
}
- dentry++;
- }
- /* Search glyph to triple Unicode value table */
- while (tentry->Glyph != 0) {
- if (tentry->Glyph[0] < gnstr.data[0]) {
- tentry++;
- continue;
- }
- if (tentry->Glyph[0] > gnstr.data[0]){
- break;
- }
- if (strlen(tentry->Glyph) == gnstr.size) {
- if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) {
- memcpy(Buffer, tentry->Unicode, 3);
- return 3;
+ /* Search glyph to double Unicode value table */
+ while (dentry->Glyph != 0) {
+ if (dentry->Glyph[0] < gnstr.data[0]) {
+ dentry++;
+ continue;
}
+ if (dentry->Glyph[0] > gnstr.data[0]){
+ break;
+ }
+ if (strlen(dentry->Glyph) == gnstr.size) {
+ if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) {
+ memcpy(Buffer, dentry->Unicode, 2);
+ return 2;
+ }
+ }
+ dentry++;
}
- tentry++;
- }
- /* Search glyph to quadruple Unicode value table */
- while (qentry->Glyph != 0) {
- if (qentry->Glyph[0] < gnstr.data[0]) {
- qentry++;
- continue;
- }
- if (qentry->Glyph[0] > gnstr.data[0]){
- break;
+ /* Search glyph to triple Unicode value table */
+ while (tentry->Glyph != 0) {
+ if (tentry->Glyph[0] < gnstr.data[0]) {
+ tentry++;
+ continue;
+ }
+ if (tentry->Glyph[0] > gnstr.data[0]){
+ break;
+ }
+ if (strlen(tentry->Glyph) == gnstr.size) {
+ if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) {
+ memcpy(Buffer, tentry->Unicode, 3);
+ return 3;
+ }
+ }
+ tentry++;
}
- if (strlen(qentry->Glyph) == gnstr.size) {
- if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) {
- memcpy(Buffer, qentry->Unicode, 4);
- return 4;
+
+ /* Search glyph to quadruple Unicode value table */
+ while (qentry->Glyph != 0) {
+ if (qentry->Glyph[0] < gnstr.data[0]) {
+ qentry++;
+ continue;
+ }
+ if (qentry->Glyph[0] > gnstr.data[0]){
+ break;
}
+ if (strlen(qentry->Glyph) == gnstr.size) {
+ if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) {
+ memcpy(Buffer, qentry->Unicode, 4);
+ return 4;
+ }
+ }
+ qentry++;
}
- qentry++;
}
}
*Buffer = fallback;
@@ -1890,8 +1893,8 @@ txtwrite_process_cmap_text(gs_text_enum_t *pte)
pte->returned.total_width.x += dpt.x;
pte->returned.total_width.y += dpt.y;
- penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, chr, &penum->TextBuffer[penum->TextBufferIndex]);
penum->Widths[penum->TextBufferIndex] += dpt.x;
+ penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, chr, &penum->TextBuffer[penum->TextBufferIndex]);
break;
case 2: /* end of string */
return 0;
diff --git a/psi/zbfont.c b/psi/zbfont.c
index 262fea9..abc03aa 100644
--- a/psi/zbfont.c
+++ b/psi/zbfont.c
@@ -272,7 +272,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u
* can't be a default value for FontInfo.GlyphNames2Unicode .
*/
}
- if (glyph <= GS_MIN_CID_GLYPH) {
+ if (glyph <= GS_MIN_CID_GLYPH && glyph != GS_NO_GLYPH) {
UnicodeDecoding = zfont_get_to_unicode_map(font->dir);
if (UnicodeDecoding != NULL && r_type(UnicodeDecoding) == t_dictionary)
return gs_font_map_glyph_by_dict(font->memory, UnicodeDecoding, glyph, u, length);

57
SOURCES/ghostscript-cve-2020-16310.patch
View File

@ -1,57 +0,0 @@
diff --git a/devices/gdevdm24.c b/devices/gdevdm24.c
index 4736f4f..2f610cd 100644
--- a/devices/gdevdm24.c
+++ b/devices/gdevdm24.c
@@ -51,21 +51,39 @@ static void dot24_improve_bitmap (byte *, int);
static int
dot24_print_page (gx_device_printer *pdev, FILE *prn_stream, char *init_string, int init_len)
{
- int xres = (int)pdev->x_pixels_per_inch;
- int yres = (int)pdev->y_pixels_per_inch;
- int x_high = (xres == 360);
- int y_high = (yres == 360);
- int bits_per_column = (y_high ? 48 : 24);
- uint line_size = gdev_prn_raster (pdev);
- uint in_size = line_size * bits_per_column;
- byte *in = (byte *) gs_malloc (pdev->memory, in_size, 1, "dot24_print_page (in)");
- uint out_size = ((pdev->width + 7) & -8) * 3;
- byte *out = (byte *) gs_malloc (pdev->memory, out_size, 1, "dot24_print_page (out)");
- int y_passes = (y_high ? 2 : 1);
- int dots_per_space = xres / 10; /* pica space = 1/10" */
- int bytes_per_space = dots_per_space * 3;
+ int xres;
+ int yres;
+ int x_high;
+ int y_high;
+ int bits_per_column;
+ uint line_size;
+ uint in_size;
+ byte *in;
+ uint out_size;
+ byte *out;
+ int y_passes;
+ int dots_per_space;
+ int bytes_per_space;
int skip = 0, lnum = 0, ypass;
+ xres = (int)pdev->x_pixels_per_inch;
+ yres = (int)pdev->y_pixels_per_inch;
+ x_high = (xres == 360);
+ y_high = (yres == 360);
+ dots_per_space = xres / 10; /* pica space = 1/10" */
+ bytes_per_space = dots_per_space * 3;
+ if (bytes_per_space == 0) {
+ /* We divide by bytes_per_space later on. */
+ return_error(gs_error_rangecheck);
+ }
+ bits_per_column = (y_high ? 48 : 24);
+ line_size = gdev_prn_raster (pdev);
+ in_size = line_size * bits_per_column;
+ in = (byte *) gs_malloc (pdev->memory, in_size, 1, "dot24_print_page (in)");
+ out_size = ((pdev->width + 7) & -8) * 3;
+ out = (byte *) gs_malloc (pdev->memory, out_size, 1, "dot24_print_page (out)");
+ y_passes = (y_high ? 2 : 1);
+
/* Check allocations */
if (in == 0 || out == 0)
{

154
SOURCES/gs-cve-2024-33871.patch
View File

@ -1,154 +0,0 @@
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index 55a785e..be77534 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -2607,4 +2607,6 @@ WRITESYSTEMDICT {
% be 'true' in some cases.
userdict /AGM_preserve_spots //false put
+.opvpactivatepathcontrol
+
% The interpreter will run the initial procedure (start).
diff --git a/base/gslibctx.c b/base/gslibctx.c
index 1ed6093..14fb57c 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -435,3 +435,27 @@ gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, co
}
return code;
}
+
+void
+opvp_activate_path_control(gs_memory_t *mem, int enable)
+{
+ gs_lib_ctx_core_t *core;
+
+ if (mem == NULL || mem->gs_lib_ctx == NULL ||
+ (core = mem->gs_lib_ctx->core) == NULL)
+ return;
+
+ core->opvp_path_control_active = enable;
+}
+
+int
+opvp_is_path_control_active(const gs_memory_t *mem)
+{
+ gs_lib_ctx_core_t *core;
+
+ if (mem == NULL || mem->gs_lib_ctx == NULL ||
+ (core = mem->gs_lib_ctx->core) == NULL)
+ return 0;
+
+ return core->opvp_path_control_active;
+}
diff --git a/base/gslibctx.h b/base/gslibctx.h
index 1481cb5..e4b3924 100644
--- a/base/gslibctx.h
+++ b/base/gslibctx.h
@@ -61,6 +61,8 @@ typedef struct {
bool CPSI_mode;
int scanconverter;
int act_on_uel;
+
+ int opvp_path_control_active;
} gs_lib_ctx_core_t;
typedef struct gs_lib_ctx_s
@@ -167,4 +169,10 @@ int sjpxd_create(gs_memory_t *mem);
void sjpxd_destroy(gs_memory_t *mem);
+void
+opvp_activate_path_control(gs_memory_t *mem, int enable);
+
+int
+opvp_is_path_control_active(const gs_memory_t *mem);
+
#endif /* GSLIBCTX_H */
diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
index 9a6b45b..9693673 100644
--- a/contrib/opvp/gdevopvp.c
+++ b/contrib/opvp/gdevopvp.c
@@ -185,7 +185,7 @@ static int opvp_copy_color(gx_device *, const byte *, int, int,
static int _get_params(gs_param_list *);
static int opvp_get_params(gx_device *, gs_param_list *);
static int oprp_get_params(gx_device *, gs_param_list *);
-static int _put_params(gs_param_list *);
+static int _put_params(gx_device *, gs_param_list *);
static int opvp_put_params(gx_device *, gs_param_list *);
static int oprp_put_params(gx_device *, gs_param_list *);
static int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *,
@@ -3039,7 +3039,7 @@ _get_params(gs_param_list *plist)
/* vector driver name */
pname = "Driver";
vdps.data = (byte *)vectorDriver;
- vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0);
+ vdps.size = (vectorDriver ? strlen(vectorDriver) : 0);
vdps.persistent = false;
code = param_write_string(plist, pname, &vdps);
if (code) ecode = code;
@@ -3176,7 +3176,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist)
* put params
*/
static int
-_put_params(gs_param_list *plist)
+_put_params(gx_device *dev, gs_param_list *plist)
{
int code;
int ecode = 0;
@@ -3198,6 +3198,12 @@ _put_params(gs_param_list *plist)
code = param_read_string(plist, pname, &vdps);
switch (code) {
case 0:
+ if (opvp_is_path_control_active(dev->memory)
+ && (!vectorDriver || strlen(vectorDriver) != vdps.size
+ || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) {
+ param_signal_error(plist, pname, gs_error_invalidaccess);
+ return_error(gs_error_invalidaccess);
+ }
buff = realloc(buff, vdps.size + 1);
memcpy(buff, vdps.data, vdps.size);
buff[vdps.size] = 0;
@@ -3399,7 +3405,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist)
int code;
/* put params */
- code = _put_params(plist);
+ code = _put_params(dev, plist);
if (code) return code;
/* put default params */
@@ -3415,7 +3421,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist)
int code;
/* put params */
- code = _put_params(plist);
+ code = _put_params(dev, plist);
if (code) return code;
/* put default params */
diff --git a/psi/zfile.c b/psi/zfile.c
index 271a1a0..05b8203 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -875,6 +875,12 @@ static int zgetfilename(i_ctx_t *i_ctx_p)
return 0;
}
+static int zopvpactivatepathcontrol(i_ctx_t *i_ctx_p)
+{
+ opvp_activate_path_control(imemory, 1);
+ return 0;
+}
+
/* ------ Initialization procedure ------ */
const op_def zfile_op_defs[] =
@@ -893,6 +899,7 @@ const op_def zfile_op_defs[] =
{"0%file_continue", file_continue},
{"0%execfile_finish", execfile_finish},
{"1.getfilename", zgetfilename},
+ {"0.opvpactivatepathcontrol", zopvpactivatepathcontrol},
op_def_end(0)
};

8
gating.yaml Normal file
View File

@ -0,0 +1,8 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}

0
SOURCES/ghostscript-9.27-CVE-2023-28879.patch → ghostscript-9.54.0-CVE-2023-28879.patch
View File

142
ghostscript-9.54.0-CVE-2023-36664.patch Normal file
View File

@ -0,0 +1,142 @@
From 505eab7782b429017eb434b2b95120855f2b0e3c Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 7 Jun 2023 10:23:06 +0100
Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission
validation
For regular file names, we try to simplfy relative paths before we use them.
Because the %pipe% device can, effectively, accept command line calls, we
shouldn't be simplifying that string, because the command line syntax can end
up confusing the path simplifying code. That can result in permitting a pipe
command which does not match what was originally permitted.
Special case "%pipe" in the validation code so we always deal with the entire
string.
---
base/gpmisc.c | 31 +++++++++++++++++++--------
base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
2 files changed, 64 insertions(+), 23 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 5f39ebba7..2fb87f769 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
prefix_len = 0;
}
- rlen = len+1;
- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
- if (bufferfull == NULL)
- return gs_error_VMerror;
-
- buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+ return gs_error_VMerror;
+
+ buffer = bufferfull + prefix_len;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
while (1) {
switch (mode[0])
{
diff --git a/base/gslibctx.c b/base/gslibctx.c
index eb566ed06..d2a1aa91d 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len + 1;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++)
@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++) {
--
2.41.0

2
SOURCES/ghostscript-9.27-CVE-2023-38559.patch → ghostscript-9.54.0-CVE-2023-38559.patch
View File

@ -20,7 +20,7 @@ index 7b14d9c71..6351fb77a 100644
- if (data != *from || from == end) {
+ if (from >= end || data != *from) {
if (data >= 0xc0)
putc(0xc1, file);
gp_fputc(0xc1, file);
} else {
--
2.41.0

21
ghostscript-9.54.0-CVE-2023-43115.patch Normal file
View File

@ -0,0 +1,21 @@
--- a/devices/gdevijs.c
+++ b/devices/gdevijs.c
@@ -934,6 +934,9 @@
static const char rgb[] = "DeviceRGB";
gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+ if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
+ return_error(gs_error_invalidaccess);
+
code = gx_default_finish_copydevice(dev, from_dev);
if(code < 0)
return code;
@@ -1363,7 +1366,7 @@
if (code >= 0)
code = gsijs_read_string(plist, "IjsServer",
ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
- dev->LockSafetyParams, is_open);
+ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
if (code >= 0)
code = gsijs_read_string_malloc(plist, "DeviceManufacturer",

2
SOURCES/ghostscript-9.27-Deal-with-different-VM-modes-during-CIDFont-loading.patch → ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading.patch
View File

@ -21,7 +21,7 @@ index 870a2e11c..fa050ed7a 100644
--- a/Resource/Init/gs_cidfn.ps
+++ b/Resource/Init/gs_cidfn.ps
@@ -1,4 +1,4 @@
-% Copyright (C) 2001-2019 Artifex Software, Inc.
-% Copyright (C) 2001-2021 Artifex Software, Inc.
+% Copyright (C) 2001-2022 Artifex Software, Inc.
% All Rights Reserved.
%

10
SOURCES/ghostscript-9.27-ESC-Page-driver-does-not-set-page-size-correctly.patch → ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch
View File

@ -1,17 +1,17 @@
diff -x .git -Napur ghostscript-9.27.old/contrib/japanese/gdevespg.c ghostscript-9.27.new/contrib/japanese/gdevespg.c
--- ghostscript-9.27.old/contrib/japanese/gdevespg.c 2019-04-04 00:43:14.000000000 -0700
+++ ghostscript-9.27.new/contrib/japanese/gdevespg.c 2023-01-24 11:25:32.588189093 -0800
@@ -273,6 +273,9 @@ escpage_paper_set(gx_device_printer * pd
@@ -273,6 +273,9 @@
int width, height, w, h, wp, hp, bLandscape;
EpagPaperTable *pt;
+ /* Page size match tolerance in points */
+ #define TOL 5
+
width = pdev->MediaSize[0];
height = pdev->MediaSize[1];
width = (int)pdev->MediaSize[0];
height = (int)pdev->MediaSize[1];
@@ -291,7 +294,7 @@ escpage_paper_set(gx_device_printer * pd
@@ -291,7 +294,7 @@
}
for (pt = epagPaperTable; pt->escpage > 0; pt++)
@ -19,4 +19,4 @@ diff -x .git -Napur ghostscript-9.27.old/contrib/japanese/gdevespg.c ghostscript
+ if (abs(w - pt->width) <= TOL && abs(h - pt->height) <= TOL)
break;
fprintf(fp, "%c%d", GS, pt->escpage);
gp_fprintf(fp, "%c%d", GS, pt->escpage);

64
ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch Normal file
View File

@ -0,0 +1,64 @@
From 2a3129365d3bc0d4a41f107ef175920d1505d1f7 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 1 Jun 2021 19:57:16 +0100
Subject: [PATCH] Bug 703902: Fix op stack management in
sampled_data_continue()
Replace pop() (which does no checking, and doesn't handle stack extension
blocks) with ref_stack_pop() which does do all that.
We still use pop() in one case (it's faster), but we have to later use
ref_stack_pop() before calling sampled_data_sample() which also accesses the
op stack.
Fixes:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
---
psi/zfsample.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/psi/zfsample.c b/psi/zfsample.c
index 0e8e4bc8d..00cd0cfdd 100644
--- a/psi/zfsample.c
+++ b/psi/zfsample.c
@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
for (j = 0; j < bps; j++)
data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
}
- pop(num_out); /* Move op to base of result values */
- /* Check if we are done collecting data. */
+ pop(num_out); /* Move op to base of result values */
+ /* From here on, we have to use ref_stack_pop() rather than pop()
+ so that it handles stack extension blocks properly, before calling
+ sampled_data_sample() which also uses the op stack.
+ */
+ /* Check if we are done collecting data. */
if (increment_cube_indexes(params, penum->indexes)) {
if (stack_depth_adjust == 0)
- pop(O_STACK_PAD); /* Remove spare stack space */
+ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
else
- pop(stack_depth_adjust - num_out);
+ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
/* Execute the closing procedure, if given */
code = 0;
if (esp_finish_proc != 0)
@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
if ((O_STACK_PAD - stack_depth_adjust) < 0) {
stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
check_op(stack_depth_adjust);
- pop(stack_depth_adjust);
+ ref_stack_pop(&o_stack, stack_depth_adjust);
}
else {
check_ostack(O_STACK_PAD - stack_depth_adjust);
- push(O_STACK_PAD - stack_depth_adjust);
+ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
make_null(op - i);
}
--
2.35.1

98
ghostscript-9.54.0-covscan-fixes.patch Normal file
View File

@ -0,0 +1,98 @@
diff -ur ghostscript-9.54.0/base/gdevvec.c ghostscript-9.54.0-patched/base/gdevvec.c
--- ghostscript-9.54.0/base/gdevvec.c
+++ ghostscript-9.54.0-patched/base/gdevvec.c
@@ -643,7 +643,7 @@
*/
int
gdev_vector_dopath_segment(gdev_vector_dopath_state_t *state, int pe_op,
- gs_fixed_point vs[3])
+ gs_fixed_point *vs)
{
gx_device_vector *vdev = state->vdev;
const gs_matrix *const pmat = &state->scale_mat;
diff -ur ghostscript-9.54.0/base/gdevvec.h ghostscript-9.54.0-patched/base/gdevvec.h
--- ghostscript-9.54.0/base/gdevvec.h
+++ ghostscript-9.54.0-patched/base/gdevvec.h
@@ -306,7 +306,7 @@
/* Write a segment of a path using the default implementation. */
int gdev_vector_dopath_segment(gdev_vector_dopath_state_t *state, int pe_op,
- gs_fixed_point vs[3]);
+ gs_fixed_point *vs);
typedef struct gdev_vector_path_seg_record_s {
int op;
diff -ur ghostscript-9.54.0/base/gxclpath.c ghostscript-9.54.0-patched/base/gxclpath.c
--- ghostscript-9.54.0/base/gxclpath.c 2021-03-30 09:40:28.000000000 +0200
+++ ghostscript-9.54.0-patched/base/gxclpath.c 2021-11-23 11:06:14.670137576 +0100
@@ -715,10 +715,10 @@
} else {
code = set_cmd_put_op(&dp, cldev, pcls, cmd_opv_set_color_space,
2 + sizeof(clist_icc_color_t));
- memcpy(dp + 2, &(cldev->color_space.icc_info),
- sizeof(clist_icc_color_t));
if (code < 0)
return code;
+ memcpy(dp + 2, &(cldev->color_space.icc_info),
+ sizeof(clist_icc_color_t));
}
dp[1] = cldev->color_space.byte1;
pcls->known |= color_space_known;
diff -ur ghostscript-9.54.0/extract/src/mem.c ghostscript-9.54.0-patched/extract/src/mem.c
--- ghostscript-9.54.0/extract/src/mem.c 2021-03-30 09:40:28.000000000 +0200
+++ ghostscript-9.54.0-patched/extract/src/mem.c 2021-11-23 11:11:37.293082828 +0100
@@ -19,14 +19,24 @@
int extract_vasprintf(extract_alloc_t* alloc, char** out, const char* format, va_list va)
{
int n;
- int n2;
+ int ret;
va_list va2;
va_copy(va2, va);
n = vsnprintf(NULL, 0, format, va);
- if (n < 0) return n;
- if (extract_malloc(alloc, out, n + 1)) return -1;
- n2 = vsnprintf(*out, n + 1, format, va2);
+ if (n < 0)
+ {
+ ret = n;
+ goto end;
+ }
+ if (extract_malloc(alloc, out, n + 1))
+ {
+ ret = -1;
+ goto end;
+ }
+ vsnprintf(*out, n + 1, format, va2);
+ ret = 0;
+
+ end:
va_end(va2);
- assert(n2 == n);
- return n2;
+ return ret;
}
diff -ur ghostscript-9.54.0/psi/icie.h ghostscript-9.54.0-patched/psi/icie.h
--- ghostscript-9.54.0/psi/icie.h 2021-03-30 09:40:28.000000000 +0200
+++ ghostscript-9.54.0-patched/psi/icie.h 2021-10-29 12:48:43.405814563 +0200
@@ -53,7 +53,7 @@
/* Get 3 procedures from a dictionary. */
int dict_proc3_param(const gs_memory_t *mem, const ref *pdref,
- const char *kstr, ref proc3[3]);
+ const char *kstr, ref *proc3);
/* Get WhitePoint and BlackPoint values. */
int cie_points_param(const gs_memory_t *mem,
diff -ur ghostscript-9.54.0/psi/zcie.c ghostscript-9.54.0-patched/psi/zcie.c
--- ghostscript-9.54.0/psi/zcie.c 2021-03-30 09:40:28.000000000 +0200
+++ ghostscript-9.54.0-patched/psi/zcie.c 2021-11-02 14:36:28.463448728 +0100
@@ -144,7 +144,7 @@
/* Get 3 procedures from a dictionary. */
int
-dict_proc3_param(const gs_memory_t *mem, const ref *pdref, const char *kstr, ref proc3[3])
+dict_proc3_param(const gs_memory_t *mem, const ref *pdref, const char *kstr, ref *proc3)
{
return dict_proc_array_param(mem, pdref, kstr, 3, proc3);
}

46
ghostscript-9.54.0-gdevtxtw-null-also-pointers.patch Normal file
View File

@ -0,0 +1,46 @@
diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c
index c6b95ed5b..f103d598b 100644
--- a/devices/vector/gdevtxtw.c
+++ b/devices/vector/gdevtxtw.c
@@ -1982,16 +1982,26 @@ textw_text_release(gs_text_enum_t *pte, client_name_t cname)
gx_device_txtwrite_t *const tdev = (gx_device_txtwrite_t *) pte->dev;
/* Free the working buffer where the Unicode was assembled from the enumerated text */
- if (penum->TextBuffer)
+ if (penum->TextBuffer) {
gs_free(tdev->memory, penum->TextBuffer, 1, penum->TextBufferIndex, "txtwrite free temporary text buffer");
- if (penum->Widths)
+ penum->TextBuffer = NULL;
+ }
+ if (penum->Widths) {
gs_free(tdev->memory, penum->Widths, sizeof(float), pte->text.size, "txtwrite free temporary widths array");
- if (penum->Advs)
+ penum->Widths = NULL;
+ }
+ if (penum->Advs) {
gs_free(tdev->memory, penum->Advs, 1, penum->TextBufferIndex, "txtwrite free temporary text buffer");
- if (penum->GlyphWidths)
+ penum->Advs = NULL;
+ }
+ if (penum->GlyphWidths) {
gs_free(tdev->memory, penum->GlyphWidths, 1, penum->TextBufferIndex, "txtwrite free temporary text buffer");
- if (penum->SpanDeltaX)
+ penum->GlyphWidths = NULL;
+ }
+ if (penum->SpanDeltaX) {
gs_free(tdev->memory, penum->SpanDeltaX, 1, penum->TextBufferIndex, "txtwrite free temporary text buffer");
+ penum->SpanDeltaX = NULL;
+ }
/* If this is copied away when we complete the text enumeration succesfully, then
* we set the pointer to NULL, if we get here with it non-NULL , then there was
* an error.
@@ -2008,6 +2018,7 @@ textw_text_release(gs_text_enum_t *pte, client_name_t cname)
if (penum->text_state->FontName)
gs_free(tdev->memory, penum->text_state->FontName, 1, penum->TextBufferIndex, "txtwrite free temporary font name copy");
gs_free(tdev->memory, penum->text_state, 1, sizeof(penum->text_state), "txtwrite free text state");
+ penum->text_state = NULL;
}
}
--
2.17.1

208
ghostscript-9.54.0-include-pipe-handle-in-validation.patch Normal file
View File

@ -0,0 +1,208 @@
diff --git a/base/gdevpipe.c b/base/gdevpipe.c
index 96d71f5d81..752a2f1d94 100644
--- a/base/gdevpipe.c
+++ b/base/gdevpipe.c
@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access,
#else
gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
gs_fs_list_t *fs = ctx->core->fs;
+ /* The pipe device can be reached in two ways, explicltly with %pipe%
+ or implicitly with "|", so we have to check for both
+ */
+ char f[gp_file_name_sizeof];
+ const char *pipestr = "|";
+ const size_t pipestrlen = strlen(pipestr);
+ int code1;
+ const size_t preflen = strlen(iodev->dname);
+ const size_t nlen = strlen(fname);
+
+ if (preflen + nlen >= gp_file_name_sizeof)
+ return_error(gs_error_invalidaccess);
+
+ memcpy(f, iodev->dname, preflen);
+ memcpy(f + preflen, fname, nlen + 1);
+
+ code1 = gp_validate_path(mem, f, access);
+
+ memcpy(f, pipestr, pipestrlen);
+ memcpy(f + pipestrlen, fname, nlen + 1);
- if (gp_validate_path(mem, fname, access) != 0)
+ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
return gs_error_invalidfileaccess;
/*
diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
index 2b964ed749..8d87ceadc0 100644
--- a/base/gp_mshdl.c
+++ b/base/gp_mshdl.c
@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access,
long hfile; /* Correct for Win32, may be wrong for Win64 */
gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
gs_fs_list_t *fs = ctx->core->fs;
+ char f[gp_file_name_sizeof];
+ const size_t preflen = strlen(iodev->dname);
+ const size_t nlen = strlen(fname);
- if (gp_validate_path(mem, fname, access) != 0)
+ if (preflen + nlen >= gp_file_name_sizeof)
+ return_error(gs_error_invalidaccess);
+
+ memcpy(f, iodev->dname, preflen);
+ memcpy(f + preflen, fname, nlen + 1);
+
+ if (gp_validate_path(mem, f, access) != 0)
return gs_error_invalidfileaccess;
/* First we try the open_handle method. */
diff --git a/base/gp_msprn.c b/base/gp_msprn.c
index ed48279685..746a974f78 100644
--- a/base/gp_msprn.c
+++ b/base/gp_msprn.c
@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
uintptr_t *ptid = &((tid_t *)(iodev->state))->tid;
gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
gs_fs_list_t *fs = ctx->core->fs;
+ const size_t preflen = strlen(iodev->dname);
+ const size_t nlen = strlen(fname);
- if (gp_validate_path(mem, fname, access) != 0)
+ if (preflen + nlen >= gp_file_name_sizeof)
+ return_error(gs_error_invalidaccess);
+
+ memcpy(pname, iodev->dname, preflen);
+ memcpy(pname + preflen, fname, nlen + 1);
+
+ if (gp_validate_path(mem, pname, access) != 0)
return gs_error_invalidfileaccess;
/* First we try the open_printer method. */
diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
index f852c71fc8..ba54cde66f 100644
--- a/base/gp_os2pr.c
+++ b/base/gp_os2pr.c
@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
FILE ** pfile, char *rfname, uint rnamelen)
{
os2_printer_t *pr = (os2_printer_t *)iodev->state;
- char driver_name[256];
+ char driver_name[gp_file_name_sizeof];
gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
gs_fs_list_t *fs = ctx->core->fs;
+ const size_t preflen = strlen(iodev->dname);
+ const int size_t = strlen(fname);
+
+ if (preflen + nlen >= gp_file_name_sizeof)
+ return_error(gs_error_invalidaccess);
+
+ memcpy(driver_name, iodev->dname, preflen);
+ memcpy(driver_name + preflen, fname, nlen + 1);
+
+ if (gp_validate_path(mem, driver_name, access) != 0)
+ return gs_error_invalidfileaccess;
/* First we try the open_printer method. */
/* Note that the loop condition here ensures we don't
diff --git a/base/gslibctx.c b/base/gslibctx.c
index 6dfed6cd5a..318039fad0 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
int
gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
{
- char *fp, f[gp_file_name_sizeof];
- const int pipe = 124; /* ASCII code for '|' */
- const int len = strlen(fname);
- int i, code;
+ char f[gp_file_name_sizeof];
+ int code;
/* Be sure the string copy will fit */
- if (len >= gp_file_name_sizeof)
+ if (strlen(fname) >= gp_file_name_sizeof)
return gs_error_rangecheck;
strcpy(f, fname);
- fp = f;
/* Try to rewrite any %d (or similar) in the string */
rewrite_percent_specifiers(f);
- for (i = 0; i < len; i++) {
- if (f[i] == pipe) {
- fp = &f[i + 1];
- /* Because we potentially have to check file permissions at two levels
- for the output file (gx_device_open_output_file and the low level
- fopen API, if we're using a pipe, we have to add both the full string,
- (including the '|', and just the command to which we pipe - since at
- the pipe_fopen(), the leading '|' has been stripped.
- */
- code = gs_add_control_path(mem, gs_permit_file_writing, f);
- if (code < 0)
- return code;
- code = gs_add_control_path(mem, gs_permit_file_control, f);
- if (code < 0)
- return code;
- break;
- }
- if (!IS_WHITESPACE(f[i]))
- break;
- }
- code = gs_add_control_path(mem, gs_permit_file_control, fp);
+
+ code = gs_add_control_path(mem, gs_permit_file_control, f);
if (code < 0)
return code;
- return gs_add_control_path(mem, gs_permit_file_writing, fp);
+ return gs_add_control_path(mem, gs_permit_file_writing, f);
}
int
gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
{
- char *fp, f[gp_file_name_sizeof];
- const int pipe = 124; /* ASCII code for '|' */
- const int len = strlen(fname);
- int i, code;
+ char f[gp_file_name_sizeof];
+ int code;
/* Be sure the string copy will fit */
- if (len >= gp_file_name_sizeof)
+ if (strlen(fname) >= gp_file_name_sizeof)
return gs_error_rangecheck;
strcpy(f, fname);
- fp = f;
/* Try to rewrite any %d (or similar) in the string */
- for (i = 0; i < len; i++) {
- if (f[i] == pipe) {
- fp = &f[i + 1];
- /* Because we potentially have to check file permissions at two levels
- for the output file (gx_device_open_output_file and the low level
- fopen API, if we're using a pipe, we have to add both the full string,
- (including the '|', and just the command to which we pipe - since at
- the pipe_fopen(), the leading '|' has been stripped.
- */
- code = gs_remove_control_path(mem, gs_permit_file_writing, f);
- if (code < 0)
- return code;
- code = gs_remove_control_path(mem, gs_permit_file_control, f);
- if (code < 0)
- return code;
- break;
- }
- if (!IS_WHITESPACE(f[i]))
- break;
- }
- code = gs_remove_control_path(mem, gs_permit_file_control, fp);
+ rewrite_percent_specifiers(f);
+
+ code = gs_remove_control_path(mem, gs_permit_file_control, f);
if (code < 0)
return code;
- return gs_remove_control_path(mem, gs_permit_file_writing, fp);
+ return gs_remove_control_path(mem, gs_permit_file_writing, f);
}
int
--
2.17.1

0
SOURCES/ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch → ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
View File

308
SPECS/ghostscript.spec → ghostscript.spec
View File

@ -27,17 +27,22 @@
# tarballs, and their release tags/branches do not use the dot in version
# tag. This makes obtaining the current version harder, and might prevent
# automatic builds of new releases...
%global version_short %(echo "%{version}" | tr -d '.')
%global version_short %%(echo "%{version}" | tr -d '.')
# Obtain the location of Google Droid fonts directory:
%global google_droid_fontpath %%(dirname $(fc-list : file | grep "DroidSansFallback"))
# Desired jbig2dec header files and library version
# Apparantly, ghostscript complains even about newer versions
# Please update if needed.
%global jbig2dec_version 0.19
# =============================================================================
Name: ghostscript
Summary: Interpreter for PostScript language & PDF
Version: 9.27
Release: 13%{?dist}
Version: 9.54.0
Release: 16%{?dist}
License: AGPLv3+
@ -45,7 +50,12 @@ URL: https://ghostscript.com/
Source: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs%{version_short}/ghostscript-%{version}.tar.xz
Requires: libgs%{?_isa} = %{version}-%{release}
Requires: jbig2dec-libs >= 0.16
Requires: jbig2dec-libs = %{jbig2dec_version}
Requires: %{name}-tools-fonts%{?_isa} = %{version}-%{release}
Requires: %{name}-tools-printing%{?_isa} = %{version}-%{release}
Provides: ghostscript-core = %{version}-%{release}
Obsoletes: ghostscript-core < 9.53.3-6
# Auxiliary build requirements:
BuildRequires: automake
@ -63,9 +73,10 @@ BuildRequires: cups-devel
BuildRequires: dbus-devel
BuildRequires: fontconfig-devel
BuildRequires: freetype-devel
BuildRequires: jbig2dec-devel
BuildRequires: jbig2dec-devel = %{jbig2dec_version}
BuildRequires: jbig2dec-libs = %{jbig2dec_version}
BuildRequires: lcms2-devel
BuildRequires: libidn-devel
BuildRequires: libidn2-devel
BuildRequires: libijs-devel
BuildRequires: libjpeg-turbo-devel
BuildRequires: libpng-devel
@ -77,6 +88,7 @@ BuildRequires: zlib-devel
# Enabling the GUI possibilities of Ghostscript:
BuildRequires: gtk3-devel
BuildRequires: libXt-devel
BuildRequires: make
# =============================================================================
@ -88,48 +100,24 @@ BuildRequires: libXt-devel
# Upstream patches -- official upstream patches released by upstream since the
# ---------------- last rebase that are necessary for any reason:
#Patch000: example000.patch
Patch001: ghostscript-cve-2019-10216.patch
Patch002: ghostscript-cve-2019-14811-14812-14813.patch
Patch003: ghostscript-cve-2019-14817.patch
# fixed in 9.51
Patch004: ghostscript-cve-2020-16290.patch
Patch005: ghostscript-cve-2020-16291.patch
Patch006: ghostscript-cve-2020-16293.patch
Patch007: ghostscript-cve-2020-16295.patch
Patch008: ghostscript-cve-2020-16299.patch
Patch009: ghostscript-cve-2020-16302.patch
Patch010: ghostscript-cve-2020-16304.patch
Patch011: ghostscript-cve-2020-16306.patch
Patch012: ghostscript-cve-2020-16307.patch
Patch013: ghostscript-cve-2020-16310.patch
Patch014: ghostscript-cve-2020-16301.patch
# 2097448 - printed text drifts to the right
Patch015: ghostscript-9.27-fix-use-of-HWMargins.patch
Patch016: ghostscript-9.27-Deal-with-different-VM-modes-during-CIDFont-loading.patch
Patch017: ghostscript-9.27-ESC-Page-driver-does-not-set-page-size-correctly.patch
Patch018: ghostscript-9.27-fix-bbox.patch
Patch019: ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
Patch020: ghostscript-9.27-CVE-2023-28879.patch
Patch021: ghostscript-9.27-CVE-2023-38559.patch
Patch022: ghostscript-9.27-CVE-2023-4042.patch
Patch023: ghostscript-9.27-avoid-divide-by-zero-in-devices.patch
# RHEL-38837 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
# the patch is based on upstream code from 9.50, where a new -dSAFER implementation was introduced and
# -dSAFER was made default for any gs calls. To do not backport the whole new -dSAFER implementation,
# to do not collide with any future backports related with -dSAFER and to do not change the current default
# for ghostscript in RHEL 8, only part of the new -dSAFER implementation was backported,
# and the several functions, variables and macros prefix was changed to 'opvp' and used only
# for OPVP device, which results in changing the default only for this device and fixing the CVE.
# Downside of the fix is if someone depends on unsafe settings of driver for OPVP device
# (via Postscript code in command -c, via Postscript code in input file), gs will start to fail.
Patch024: gs-cve-2024-33871.patch
Patch001: ghostscript-9.54.0-gdevtxtw-null-also-pointers.patch
Patch002: ghostscript-9.54.0-include-pipe-handle-in-validation.patch
#2032789 - coverity warnings fixes
Patch003: ghostscript-9.54.0-covscan-fixes.patch
#2049767 - CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
Patch005: ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading.patch
Patch006: ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch
Patch007: ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
Patch008: ghostscript-9.54.0-CVE-2023-28879.patch
Patch009: ghostscript-9.54.0-CVE-2023-36664.patch
Patch010: ghostscript-9.54.0-CVE-2023-38559.patch
Patch011: ghostscript-9.54.0-CVE-2023-43115.patch
# RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
Patch012: gs-cve-2024-33871.patch
# Downstream patches -- these should be always included when doing rebase:
# ------------------
Patch100: ghostscript-9.23-100-run-dvipdf-securely.patch
# Downstream patches for RHEL -- patches that we keep only in RHEL for various
# --------------------------- reasons, but are not enabled in Fedora:
%if %{defined rhel} || %{defined centos}
@ -261,10 +249,7 @@ This package provides detailed documentation files for Ghostscript software.
%autosetup -N -S git
# Libraries that we already have packaged in Fedora (see Build Requirements):
rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
# Yeah, not actually needed in Fedora (^_^):
rm -rf windows
rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* leptonica libpng openjpeg tesseract tiff windows zlib
# Add the remaining source code to the initial commit, patch the source code:
git add --all --force .
@ -295,7 +280,7 @@ git commit --all --amend --no-edit > /dev/null
# for China's GB18030 official certification:
%if %{defined rhel} || %{defined centos}
%configure --enable-dynamic --disable-compile-inits --without-versioned-path \
--with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}:%{_datadir}/%{name}/conf.d/:%{_datadir}/fonts"
--with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}:%{_datadir}/%{name}/conf.d/"
%else
%configure --enable-dynamic --disable-compile-inits --without-versioned-path \
--with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}"
@ -342,7 +327,7 @@ ln -s %{_mandir}/man1/gs.1 %{buildroot}%{_mandir}/man1/ghostscript.1
# process for Ghostscript startup, and they advise using the symlinks where
# possible. The fontconfig (Ghostscript's search path) should be used preferably
# as a fallback only.
ln -fs %{google_droid_fontpath}/DroidSansFallback.ttf %{buildroot}%{_datadir}/%{name}/Resource/CIDFSubst/DroidSansFallback.ttf
ln -fs %{google_droid_fontpath}/DroidSansFallbackFull.ttf %{buildroot}%{_datadir}/%{name}/Resource/CIDFSubst/DroidSansFallback.ttf
for font in $(basename --multiple %{buildroot}%{_datadir}/%{name}/Resource/Font/*); do
ln -fs %{urw_base35_fontpath}/${font}.t1 %{buildroot}%{_datadir}/%{name}/Resource/Font/${font}
@ -463,121 +448,178 @@ done
# =============================================================================
%changelog
* Wed Jun 12 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.27-13
- CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
* Thu Jun 20 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-16
- RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
* Tue Sep 19 2023 Richard Lescak <rlescak@redhat.com> - 9.27-12
- fix to prevent divison by zero in devices
- Resolves: rhbz#2235009
* Fri Oct 27 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-14
- fix for CVE-2023-43115
- Resolves: RHEL-10185
* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.27-11
- fix for CVE-2023-4042
- Resolves: rhbz#2228153
* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.27-10
* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-13
- fix for CVE-2023-38559
- Resolves: rhbz#2224371
- Resolves: rhbz#2224372
* Fri May 05 2023 Richard Lescak <rlescak@redhat.com> - 9.27-9
* Tue Aug 01 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-12
- fix for CVE-2023-36664
- Resolves: rhbz#2217810
* Fri May 05 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-11
- fix for CVE-2023-28879
- Resolves: rhbz#2188297
- Resolves: rhbz#2188300
* Fri Mar 17 2023 Richard Lescak <rlescak@redhat.com> - 9.27-8
* Fri Mar 17 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-10
- fix embedding of CIDFonts
- Resolves: rhbz#2169890
- Resolves: rhbz#2179023
* Wed Mar 15 2023 Richard Lescak <rlescak@redhat.com> - 9.27-7
- fix bbox device calculating bounding box incorrectly
- Resolves: rhbz#2176327
* Thu Feb 02 2023 Richard Lescak <rlescak@redhat.com> - 9.27-6
* Thu Feb 02 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-9
- set the page size for A4 correctly in ESC/Page driver
- Resolves: rhbz#2164603
- Resolves: rhbz#2164613
* Tue Nov 15 2022 Richard Lescak <rlescak@redhat.com> - 9.27-5
- fix loading of CIDFonts
- Resolves: rhbz#2118538
* Fri Dec 09 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-8
- fix loading of CIDFonts (#2138795)
* Mon Jul 25 2022 Richard Lescak <rlescak@redhat.com> - 9.27-4
- changed requirement to jbig2dec-libs
- Resolves: rhbz#2097515, rhbz#2097448
* Thu Feb 24 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-7
- Fix patch for covscan issues (#2032789)
* Wed Jul 20 2022 Richard Lescak <rlescak@redhat.com> - 9.27-3
- fixed drifting text to the right when printing
- added Requirement for jbig2dec
- added patch for CVE-2020-16301
- Resolves: rhbz#2097515, rhbz#2097448
* Tue Feb 22 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-6
- Added fix for vulnerability CVE-2021-45949 (#2049767)
* Fri Jan 22 2021 Anna Khaitovich <akhaitov@redhat.com> - 9.27-2
- tools-dvipdf: require /usr/bin/dvips not %{_bindir}/dvips
- Resolves: rhbz#1918937
* Mon Feb 21 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-5
- Added coverity fixes (#2032789)
* Tue Sep 01 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.27-1
- Rebase to 9.27
- Resolves: rhbz#1874523
* Thu Sep 16 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-4
- Added fix for CVE-2021-3781 (#2002625)
* Tue Apr 07 2020 Zdenek Dohnal <zdohnal@redhat.com> - 9.25-7
- 1813228 - ghostscript fontconfig support broken when gs used with -dSAFER/-dPARANOIDSAFER
* Thu Sep 16 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-3
- Added fix for segfault bug (#1989084)
* Thu Nov 07 2019 Zdenek Dohnal <zdohnal@redhat.com> - 9.25-6
- 1769343 - CVE-2019-14869 - -dSAFER escape in .charkeys
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 9.54.0-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Aug 22 2019 Martin Osvald <mosvald@redhat.com> - 9.25-5
- Resolves: #1744011 - CVE-2019-14811 ghostscript: Safer Mode Bypass by .forceput Exposure in .pdf_hook_DSC_Creator (701445)
- Resolves: #1744015 - CVE-2019-14812 ghostscript: Safer Mode Bypass by .forceput Exposure in setuserparams (701444)
- Resolves: #1744006 - CVE-2019-14813 ghostscript: Safer Mode Bypass by .forceput Exposure in setsystemparams (701443)
- Resolves: #1744231 - CVE-2019-14817 ghostscript: Safer Mode Bypass by .forceput Exposure in .pdfexectoken and other procedures (701450)
* Mon Jul 26 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-1
- Update to 9.54.0 (#1923969)
* Mon Aug 05 2019 Martin Osvald <mosvald@redhat.com> - 9.25-4
- Resolves: #1737337 - CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394)
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 9.53.3-6
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Mar 28 2019 Martin Osvald <mosvald@redhat.com> - 9.25-3
- Resolves: #1692798 - CVE-2019-3839 ghostscript: missing attack vector
protections for CVE-2019-6116
- Resolves: #1678170 - CVE-2019-3835 ghostscript: superexec operator
is available (700585)
- Resolves: #1691414 - CVE-2019-3838 ghostscript: forceput in DefineResource
is still accessible (700576)
- fix included for ghostscript: Regression: double comment chars
'%%' in gs_init.ps leading to missing metadata
- fix for pdf2dsc regression added to allow fix for CVE-2019-3839
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 9.53.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 23 2019 Martin Osvald <mosvald@redhat.com> - 9.25-2
- Resolves: #1652937 - CVE-2018-19409 ghostscript: Improperly implemented
security check in zsetdevice function in psi/zdevice.c
- Resolves: #1642586 - CVE-2018-18073 ghostscript: saved execution stacks
can leak operator arrays
- Resolves: #1642580 - CVE-2018-17961 ghostscript: saved execution stacks
can leak operator arrays (incomplete fix for CVE-2018-17183)
- Resolves: #1642941 - CVE-2018-18284 ghostscript: 1Policy operator
allows a sandbox protection bypass
- Resolves: #1656336 - CVE-2018-19134 ghostscript: Type confusion in
setpattern (700141)
- Resolves: #1660571 - CVE-2018-19475 ghostscript: access bypass in
psi/zdevice2.c (700153)
- Resolves: #1660830 - CVE-2018-19476 ghostscript: access bypass in
psi/zicc.c
- Resolves: #1661280 - CVE-2018-19477 ghostscript: access bypass in
psi/zfjbig2.c (700168)
- Resolves: #1668891 - CVE-2019-6116 ghostscript: subroutines within
pseudo-operators must themselves be pseudo-operators (700317)
* Tue Dec 22 2020 Michael J Gruber <mjg@fedoraproject.org> - 9.53.3-4
- Restore opvp for good (#1909950)
* Mon Sep 24 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.25-1
- rebase to latest upstream version to fix issues discovered in previous CVE fixes (bug #1631701 and #1626997)
* Tue Nov 24 2020 Michael J Gruber <mjg@fedoraproject.org> - 9.53.3-3
- Restore opvp device (#1899885)
* Fri Sep 07 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.24-1
* Wed Nov 04 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.53.3-2
- Drop use of FT_CALLBACK_DEF() def
* Thu Oct 08 2020 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 9.53.1-3
- Update to 9.53.3 (#1882743)
* Tue Sep 22 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.53.1-2
- Bump jbig2dec version
* Thu Sep 10 2020 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 9.53.0-1
- Update to 9.53.1 (#1877781)
* Mon Jul 27 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-8
- Use libidn2 instead of libidn (fixes #1860890)
* Thu Jul 02 2020 Michael J Gruber <mjg@fedoraproject.org> - 9.52-7
- really require the exact jbig2dec version
* Sat Jun 27 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 9.52-6
- standard packages should not require -devel packages
* Wed Jun 24 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-5
- Require the exact jbig2dec version in both build and runtime dependencies
* Thu May 21 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-4
- Define %%{jbig2dec_version} global macro
* Wed May 20 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-3
- Require the exact jbig2dec version to avoid a mismatch between header files and library
* Mon May 18 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-2
- Require the exact jbig2dec-devel version
* Thu Apr 02 2020 Zdenek Dohnal <zdohnal@redhat.com> - 9.52-1
- 9.52
* Wed Mar 11 2020 Zdenek Dohnal <zdohnal@redhat.com> - 9.50-1
- 9.50
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 9.27-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Nov 14 2019 Zdenek Dohnal <zdohnal@redhat.com> - 9.27-2
- 1772486 - ghostscript: -dSAFER escape in .charkeys (701841)
* Fri Sep 06 2019 Martin Osvald <mosvald@redhat.com> - 9.27-1
- rebase to latest upstream version 9.27
- security fixes added for:
- CVE-2019-14811 (bug #1747908)
- CVE-2019-14812 (bug #1747907)
- CVE-2019-14813 (bug #1747906)
- CVE-2019-14817 (bug #1747909)
* Mon Aug 12 2019 Martin Osvald <mosvald@redhat.com> - 9.26-6
- Fix for CVE-2019-10216 added
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 9.26-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Mar 22 2019 Martin Osvald <mosvald@redhat.com> - 9.26-4
- Fixes for CVE-2019-3835 and CVE-2019-3838 added
* Mon Mar 11 2019 Martin Osvald <mosvald@redhat.com> - 9.26-3
- Fix for bug #1687144 added
* Fri Mar 08 2019 Martin Osvald <mosvald@redhat.com> - 9.26-2
- Fix for CVE-2019-6116 added (bug #1668888)
* Thu Feb 07 2019 Martin Osvald <mosvald@redhat.com> - 9.26-1
- rebase to latest upstream version 9.26
- spec change to remove gsdoc.el due to upstream 8bc783cb586
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 9.25-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Sep 17 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.25-1
- rebase to latest upstream version to fix additional issues found in 9.24
* Fri Sep 14 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.24-3
- ghostscript-9.24-002-icc-PermitReading.patch removed
- ghostscript-9.24-002-fix-for-Canon-and-Kyocera-printers.patch added (bug #1626818)
- ghostscript-9.24-003-CVE-2018-16802.patch added (bug #1627960)
* Fri Sep 07 2018 Tom Callaway <spot@fedoraproject.org> - 9.24-2
- add upstream fix for reading in ICC profiles
* Wed Sep 05 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.24-1
- rebase to latest upstream version, which contains important CVE fixes
- additional ZER0-DAY fixes added
* Wed Aug 29 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-5
* Wed Aug 29 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-7
- ghostscript-9.23-002-fixes-for-set-of-CVEs-reported-by-Google.patch added
* Mon Jul 30 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-6
- ghostscript-9.23-001-create-GC-descriptors-for-JPEG-passthrough.patch added (bug #1589467)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 9.23-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue May 15 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-4
- One more rebuild for libidn ABI fix (BZ#'s 1573961 and 1566414)
* Mon May 14 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-3
- %%conflicts_vers bumped to fix F27->F28 upgrade
* Thu May 10 2018 Stephen Gallagher <sgallagh@redhat.com> - 9.23-2.1
- Rebuilding for libidn ABI fix (BZ#'s 1573961 and 1566414)
* Mon Apr 23 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-2
- Fix for CVE-2018-10194 added (bug #1569821)

62
gs-cve-2024-33871.patch Normal file
View File

@ -0,0 +1,62 @@
diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
index 70475ad..013a497 100644
--- a/contrib/opvp/gdevopvp.c
+++ b/contrib/opvp/gdevopvp.c
@@ -185,7 +185,7 @@ static int opvp_copy_color(gx_device *, const byte *, int, int,
static int _get_params(gs_param_list *);
static int opvp_get_params(gx_device *, gs_param_list *);
static int oprp_get_params(gx_device *, gs_param_list *);
-static int _put_params(gs_param_list *);
+static int _put_params(gx_device *, gs_param_list *);
static int opvp_put_params(gx_device *, gs_param_list *);
static int oprp_put_params(gx_device *, gs_param_list *);
static int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *,
@@ -3043,7 +3043,7 @@ _get_params(gs_param_list *plist)
/* vector driver name */
pname = "Driver";
vdps.data = (byte *)vectorDriver;
- vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0);
+ vdps.size = (vectorDriver ? strlen(vectorDriver) : 0);
vdps.persistent = false;
code = param_write_string(plist, pname, &vdps);
if (code) ecode = code;
@@ -3180,7 +3180,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist)
* put params
*/
static int
-_put_params(gs_param_list *plist)
+_put_params(gx_device *dev, gs_param_list *plist)
{
int code;
int ecode = 0;
@@ -3202,6 +3202,12 @@ _put_params(gs_param_list *plist)
code = param_read_string(plist, pname, &vdps);
switch (code) {
case 0:
+ if (gs_is_path_control_active(dev->memory)
+ && (!vectorDriver || strlen(vectorDriver) != vdps.size
+ || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) {
+ param_signal_error(plist, pname, gs_error_invalidaccess);
+ return_error(gs_error_invalidaccess);
+ }
buff = realloc(buff, vdps.size + 1);
memcpy(buff, vdps.data, vdps.size);
buff[vdps.size] = 0;
@@ -3403,7 +3409,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist)
int code;
/* put params */
- code = _put_params(plist);
+ code = _put_params(dev, plist);
if (code) return code;
/* put default params */
@@ -3419,7 +3425,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist)
int code;
/* put params */
- code = _put_params(plist);
+ code = _put_params(dev, plist);
if (code) return code;
/* put default params */

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (ghostscript-9.54.0.tar.xz) = a3c96925f4dbf5e276fc543b88df185a0435c68166db15ac532094329ba8db314d739a292da18be7954daaafeeb290e641ea03edf888854d7e752998ec6062cc