Compare commits

..

No commits in common. "c8" and "c8-beta" have entirely different histories.
c8 ... c8-beta

5 changed files with 1 additions and 464 deletions

View File

@ -1,64 +0,0 @@
From 68c7275d4a580dca6c0ed3798f3717eea3513403 Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Thu, 12 Sep 2019 09:35:01 +0100
Subject: [PATCH] Bug 701568: Fix gdevpx.c RLE stream handling.
The current code in pclxl_write_image_data_RLE passes
lines of data to the RLE compression routine. It tells
each invocation of that routine that this is the "last"
block of data, when clearly it is not.
Accordingly, the compression routine inserts the "EOD" byte
into the stream, and returns EOFC.
Independently of the return value used, having multiple EOD
bytes in the data is clearly wrong. Update the caller to only
pass "last" in for the last block.
The code still returns EOFC at the end of the data, so update
this final call to accept (indeed, expect) that return value
there.
---
devices/vector/gdevpx.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/devices/vector/gdevpx.c b/devices/vector/gdevpx.c
index 825e6b4c5..5d2d0edf5 100644
--- a/devices/vector/gdevpx.c
+++ b/devices/vector/gdevpx.c
@@ -714,6 +714,7 @@ pclxl_write_image_data_RLE(gx_device_pclxl * xdev, const byte * base,
uint num_bytes = ROUND_UP(width_bytes, 4) * height;
bool compress = num_bytes >= 8;
int i;
+ int code;
/* cannot handle data_bit not multiple of 8, but we don't invoke this routine that way */
int offset = data_bit >> 3;
@@ -752,19 +753,20 @@ pclxl_write_image_data_RLE(gx_device_pclxl * xdev, const byte * base,
r.ptr = data + i * raster - 1;
r.limit = r.ptr + width_bytes;
if ((*s_RLE_template.process)
- ((stream_state *) & rlstate, &r, &w, true) != 0 ||
+ ((stream_state *) & rlstate, &r, &w, false) != 0 ||
r.ptr != r.limit)
goto ncfree;
r.ptr = (const byte *)"\000\000\000\000\000";
r.limit = r.ptr + (-(int)width_bytes & 3);
if ((*s_RLE_template.process)
- ((stream_state *) & rlstate, &r, &w, true) != 0 ||
+ ((stream_state *) & rlstate, &r, &w, false) != 0 ||
r.ptr != r.limit)
goto ncfree;
}
r.ptr = r.limit;
- if ((*s_RLE_template.process)
- ((stream_state *) & rlstate, &r, &w, true) != 0)
+ code = (*s_RLE_template.process)
+ ((stream_state *) & rlstate, &r, &w, true);
+ if (code != EOFC && code != 0)
goto ncfree;
{
uint count = w.ptr + 1 - buf;
--
2.46.2

View File

@ -1,118 +0,0 @@
From 3b2ad1f24d2e9705481f9feb6835aa3e851726ac Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Thu, 12 Sep 2019 17:09:50 +0100
Subject: [PATCH] Bug 701568 followup: Fix RLE compressor.
The previous fix to the RLE compressor reveals an additional
existing issue to do with us not checking whether we have
space in the buffer to write the EOD byte.
Fixed here.
---
base/srle.c | 78 ++++++++++++++++++++++++++++++-----------------------
1 file changed, 45 insertions(+), 33 deletions(-)
diff --git a/base/srle.c b/base/srle.c
index 50de0d847..0c0186e04 100644
--- a/base/srle.c
+++ b/base/srle.c
@@ -59,7 +59,13 @@ enum {
state_gt_012,
/* -n bytes into a repeated run, n0 and n1 read. */
- state_lt_01
+ state_lt_01,
+
+ /* We have reached the end of data, but not written the marker. */
+ state_eod_unmarked,
+
+ /* We have reached the end of data, and written the marker. */
+ state_eod
};
#ifdef DEBUG_RLE
@@ -294,43 +300,49 @@ run_len_0_n0_read:
}
}
}
- }
- /* n1 is never valid here */
+ /* n1 is never valid here */
- if (last) {
- if (run_len == 0) {
- /* EOD */
- if (wlimit - q < 1) {
- ss->state = state_0;
- goto no_output_room;
- }
- } else if (run_len > 0) {
- /* Flush literal run + EOD */
- if (wlimit - q < run_len+2) {
- ss->state = state_0;
- goto no_output_room;
+ if (last) {
+ if (run_len == 0) {
+ /* EOD */
+ if (wlimit - q < 1) {
+ ss->state = state_0;
+ goto no_output_room;
+ }
+ } else if (run_len > 0) {
+ /* Flush literal run + EOD */
+ if (wlimit - q < run_len+2) {
+ ss->state = state_0;
+ goto no_output_room;
+ }
+ *++q = run_len;
+ memcpy(q+1, ss->literals, run_len);
+ q += run_len;
+ *++q = n0;
+ } else if (run_len < 0) {
+ /* Flush repeated run + EOD */
+ if (wlimit - q < 3) {
+ ss->state = state_0;
+ goto no_output_room;
+ }
+ *++q = 257+run_len; /* Repeated run */
+ *++q = n0;
}
- *++q = run_len;
- memcpy(q+1, ss->literals, run_len);
- q += run_len;
- *++q = n0;
- } else if (run_len < 0) {
- /* Flush repeated run + EOD */
- if (wlimit - q < 3) {
- ss->state = state_0;
+ case state_eod_unmarked:
+ if (wlimit - q < 1) {
+ ss->state = state_eod_unmarked;
goto no_output_room;
}
- *++q = 257+run_len; /* Repeated run */
- *++q = n0;
+ *++q = 128; /* EOD */
+ case state_eod:
+ ss->run_len = 0;
+ ss->state = state_0;
+ pr->ptr = p;
+ pw->ptr = q;
+ ss->record_left = rlimit - p;
+ debug_ate(pinit, p, qinit, q, EOFC);
+ return EOFC;
}
- *++q = 128; /* EOD */
- ss->run_len = 0;
- ss->state = state_0;
- pr->ptr = p;
- pw->ptr = q;
- ss->record_left = rlimit - p;
- debug_ate(pinit, p, qinit, q, EOFC);
- return EOFC;
}
/* Normal exit */
--
2.46.2

View File

@ -1,101 +0,0 @@
From b772aaf901a3cd37baf5c06eb141c689829bf673 Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Tue, 26 Nov 2019 14:35:05 +0000
Subject: [PATCH] Bug 701949: Add 'omitEOD' flag to RLE compressor and use for
PXL.
It turns out that some printers (Samsung ML-2250 and Canon
ImageRunner iRC2380i at least) object to the EOD byte appearing
in RLE data in PXL streams.
Ken kindly checked the PXL spec for me, and found that: "The PXL
spec does say a control code of -128 is ignored and not included
in the decompressed data and the byte following a control byte
of 128 (I assume they mean -128 here) is treated as the next
control byte. And PCL only uses RLE data for images, so they do
know how much data they expect."
Thus, the conclusion we reached is that PCL/PXL don't need
(indeed, really does not want) the EOD byte.
The Postscript spec clearly defines the EOD byte though. Rather
than break the streams for postscript, we introduce a flag
'omitEOD' that can be set for the encoder when we want to produce
a stream for use with PCL/PXL.
---
base/srle.c | 10 ++++++----
base/srlx.h | 3 ++-
devices/vector/gdevpx.c | 1 +
psi/zfilter.c | 1 +
4 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/base/srle.c b/base/srle.c
index 0c0186e04..21b729f31 100644
--- a/base/srle.c
+++ b/base/srle.c
@@ -329,11 +329,13 @@ run_len_0_n0_read:
*++q = n0;
}
case state_eod_unmarked:
- if (wlimit - q < 1) {
- ss->state = state_eod_unmarked;
- goto no_output_room;
+ if (!ss->omitEOD) {
+ if (wlimit - q < 1) {
+ ss->state = state_eod_unmarked;
+ goto no_output_room;
+ }
+ *++q = 128; /* EOD */
}
- *++q = 128; /* EOD */
case state_eod:
ss->run_len = 0;
ss->state = state_0;
diff --git a/base/srlx.h b/base/srlx.h
index ebf172064..98309dbdb 100644
--- a/base/srlx.h
+++ b/base/srlx.h
@@ -32,6 +32,7 @@ typedef struct stream_RLE_state_s {
stream_RL_state_common;
/* The following parameters are set by the client. */
ulong record_size;
+ bool omitEOD;
/* The following change dynamically. */
ulong record_left; /* bytes left in current record */
byte n0;
@@ -47,7 +48,7 @@ typedef struct stream_RLE_state_s {
/* We define the initialization procedure here, so that clients */
/* can avoid a procedure call. */
#define s_RLE_set_defaults_inline(ss)\
- ((ss)->EndOfData = true, (ss)->record_size = 0)
+ ((ss)->EndOfData = true, (ss)->omitEOD = false, (ss)->record_size = 0)
#define s_RLE_init_inline(ss)\
((ss)->record_left =\
((ss)->record_size == 0 ? ((ss)->record_size = max_uint) :\
diff --git a/devices/vector/gdevpx.c b/devices/vector/gdevpx.c
index 5d2d0edf5..a1fce1b7c 100644
--- a/devices/vector/gdevpx.c
+++ b/devices/vector/gdevpx.c
@@ -741,6 +741,7 @@ pclxl_write_image_data_RLE(gx_device_pclxl * xdev, const byte * base,
goto nc;
s_RLE_set_defaults_inline(&rlstate);
rlstate.EndOfData = false;
+ rlstate.omitEOD = true;
s_RLE_init_inline(&rlstate);
w.ptr = buf - 1;
w.limit = w.ptr + num_bytes;
diff --git a/psi/zfilter.c b/psi/zfilter.c
index dfe3a1d5b..3ce7652c6 100644
--- a/psi/zfilter.c
+++ b/psi/zfilter.c
@@ -109,6 +109,7 @@ zRLE(i_ctx_t *i_ctx_p)
stream_RLE_state state;
int code;
+ s_RLE_template.set_defaults((stream_state *)&state);
check_op(2);
code = rl_setup(op - 1, &state.EndOfData);
if (code < 0)
--
2.47.0

View File

@ -1,154 +0,0 @@
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index 55a785e..be77534 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -2607,4 +2607,6 @@ WRITESYSTEMDICT {
% be 'true' in some cases.
userdict /AGM_preserve_spots //false put
+.opvpactivatepathcontrol
+
% The interpreter will run the initial procedure (start).
diff --git a/base/gslibctx.c b/base/gslibctx.c
index 1ed6093..14fb57c 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -435,3 +435,27 @@ gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, co
}
return code;
}
+
+void
+opvp_activate_path_control(gs_memory_t *mem, int enable)
+{
+ gs_lib_ctx_core_t *core;
+
+ if (mem == NULL || mem->gs_lib_ctx == NULL ||
+ (core = mem->gs_lib_ctx->core) == NULL)
+ return;
+
+ core->opvp_path_control_active = enable;
+}
+
+int
+opvp_is_path_control_active(const gs_memory_t *mem)
+{
+ gs_lib_ctx_core_t *core;
+
+ if (mem == NULL || mem->gs_lib_ctx == NULL ||
+ (core = mem->gs_lib_ctx->core) == NULL)
+ return 0;
+
+ return core->opvp_path_control_active;
+}
diff --git a/base/gslibctx.h b/base/gslibctx.h
index 1481cb5..e4b3924 100644
--- a/base/gslibctx.h
+++ b/base/gslibctx.h
@@ -61,6 +61,8 @@ typedef struct {
bool CPSI_mode;
int scanconverter;
int act_on_uel;
+
+ int opvp_path_control_active;
} gs_lib_ctx_core_t;
typedef struct gs_lib_ctx_s
@@ -167,4 +169,10 @@ int sjpxd_create(gs_memory_t *mem);
void sjpxd_destroy(gs_memory_t *mem);
+void
+opvp_activate_path_control(gs_memory_t *mem, int enable);
+
+int
+opvp_is_path_control_active(const gs_memory_t *mem);
+
#endif /* GSLIBCTX_H */
diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
index 9a6b45b..9693673 100644
--- a/contrib/opvp/gdevopvp.c
+++ b/contrib/opvp/gdevopvp.c
@@ -185,7 +185,7 @@ static int opvp_copy_color(gx_device *, const byte *, int, int,
static int _get_params(gs_param_list *);
static int opvp_get_params(gx_device *, gs_param_list *);
static int oprp_get_params(gx_device *, gs_param_list *);
-static int _put_params(gs_param_list *);
+static int _put_params(gx_device *, gs_param_list *);
static int opvp_put_params(gx_device *, gs_param_list *);
static int oprp_put_params(gx_device *, gs_param_list *);
static int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *,
@@ -3039,7 +3039,7 @@ _get_params(gs_param_list *plist)
/* vector driver name */
pname = "Driver";
vdps.data = (byte *)vectorDriver;
- vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0);
+ vdps.size = (vectorDriver ? strlen(vectorDriver) : 0);
vdps.persistent = false;
code = param_write_string(plist, pname, &vdps);
if (code) ecode = code;
@@ -3176,7 +3176,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist)
* put params
*/
static int
-_put_params(gs_param_list *plist)
+_put_params(gx_device *dev, gs_param_list *plist)
{
int code;
int ecode = 0;
@@ -3198,6 +3198,12 @@ _put_params(gs_param_list *plist)
code = param_read_string(plist, pname, &vdps);
switch (code) {
case 0:
+ if (opvp_is_path_control_active(dev->memory)
+ && (!vectorDriver || strlen(vectorDriver) != vdps.size
+ || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) {
+ param_signal_error(plist, pname, gs_error_invalidaccess);
+ return_error(gs_error_invalidaccess);
+ }
buff = realloc(buff, vdps.size + 1);
memcpy(buff, vdps.data, vdps.size);
buff[vdps.size] = 0;
@@ -3399,7 +3405,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist)
int code;
/* put params */
- code = _put_params(plist);
+ code = _put_params(dev, plist);
if (code) return code;
/* put default params */
@@ -3415,7 +3421,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist)
int code;
/* put params */
- code = _put_params(plist);
+ code = _put_params(dev, plist);
if (code) return code;
/* put default params */
diff --git a/psi/zfile.c b/psi/zfile.c
index 271a1a0..05b8203 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -875,6 +875,12 @@ static int zgetfilename(i_ctx_t *i_ctx_p)
return 0;
}
+static int zopvpactivatepathcontrol(i_ctx_t *i_ctx_p)
+{
+ opvp_activate_path_control(imemory, 1);
+ return 0;
+}
+
/* ------ Initialization procedure ------ */
const op_def zfile_op_defs[] =
@@ -893,6 +899,7 @@ const op_def zfile_op_defs[] =
{"0%file_continue", file_continue},
{"0%execfile_finish", execfile_finish},
{"1.getfilename", zgetfilename},
+ {"0.opvpactivatepathcontrol", zopvpactivatepathcontrol},
op_def_end(0)
};

View File

@ -37,7 +37,7 @@
Name: ghostscript
Summary: Interpreter for PostScript language & PDF
Version: 9.27
Release: 15%{?dist}
Release: 12%{?dist}
License: AGPLv3+
@ -113,23 +113,6 @@ Patch020: ghostscript-9.27-CVE-2023-28879.patch
Patch021: ghostscript-9.27-CVE-2023-38559.patch
Patch022: ghostscript-9.27-CVE-2023-4042.patch
Patch023: ghostscript-9.27-avoid-divide-by-zero-in-devices.patch
# RHEL-38837 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
# the patch is based on upstream code from 9.50, where a new -dSAFER implementation was introduced and
# -dSAFER was made default for any gs calls. To do not backport the whole new -dSAFER implementation,
# to do not collide with any future backports related with -dSAFER and to do not change the current default
# for ghostscript in RHEL 8, only part of the new -dSAFER implementation was backported,
# and the several functions, variables and macros prefix was changed to 'opvp' and used only
# for OPVP device, which results in changing the default only for this device and fixing the CVE.
# Downside of the fix is if someone depends on unsafe settings of driver for OPVP device
# (via Postscript code in command -c, via Postscript code in input file), gs will start to fail.
Patch024: gs-cve-2024-33871.patch
# RHEL-61729 Ghostscript is generating PJL of a significantly larger size
# Patches: 0001-Bug-701568-Fix-gdevpx.c-RLE-stream-handling.patch
# 0001-Bug-701568-followup-Fix-RLE-compressor.patch
# 0001-Bug-701949-Add-omitEOD-flag-to-RLE-compressor-and-us.patch
Patch025: 0001-Bug-701568-Fix-gdevpx.c-RLE-stream-handling.patch
Patch026: 0001-Bug-701568-followup-Fix-RLE-compressor.patch
Patch027: 0001-Bug-701949-Add-omitEOD-flag-to-RLE-compressor-and-us.patch
# Downstream patches -- these should be always included when doing rebase:
@ -470,15 +453,6 @@ done
# =============================================================================
%changelog
* Mon Oct 14 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.27-15
- fix printing PCL XL on some printers
* Thu Oct 10 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.27-14
- RHEL-61729 Ghostscript is generating PJL of a significantly larger size
* Wed Jun 12 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.27-13
- CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
* Tue Sep 19 2023 Richard Lescak <rlescak@redhat.com> - 9.27-12
- fix to prevent divison by zero in devices
- Resolves: rhbz#2235009