Compare commits
No commits in common. "c9s" and "c8" have entirely different histories.
1
.ghostscript.metadata
Normal file
1
.ghostscript.metadata
Normal file
@ -0,0 +1 @@
|
||||
f926d2cfb418a7c5d92dce0a9843fa01ee62fe2c SOURCES/ghostscript-9.27.tar.xz
|
62
.gitignore
vendored
62
.gitignore
vendored
@ -1,61 +1 @@
|
||||
acro5-cmaps-2001.tar.gz
|
||||
adobe-cmaps-200202.tar.gz
|
||||
eplaser-3.1.4-705.tgz
|
||||
epson740.tgz
|
||||
gdevmd2k-0.2a.tar.gz
|
||||
ghostscript-7.07.tar.bz2
|
||||
gs550j1.tar.gz
|
||||
gs6.51-cjk-M2-R3.tar.gz
|
||||
gs704-j-vlib.zip
|
||||
lexmarkgs990908.tar.gz
|
||||
lxm3200-tweaked-20030501.tar.gz
|
||||
pcl3-3.3.tar.gz
|
||||
espgs-8.15rc3-source.tar.bz2
|
||||
adobe-cmaps-200204.tar.gz
|
||||
espgs-8.15rc4-source.tar.bz2
|
||||
espgs-8.15.1-source.tar.bz2
|
||||
adobe-cmaps-200406.tar.gz
|
||||
espgs-8.15.2-source.tar.bz2
|
||||
espgs-8.15.3-source.tar.bz2
|
||||
espgs-8.15.4-source.tar.bz2
|
||||
ghostscript-8.60-r8117.tar.bz2
|
||||
ghostscript-8.60.tar.bz2
|
||||
ghostscript-8.61.tar.bz2
|
||||
ghostscript-8.62.tar.bz2
|
||||
ghostscript-8.63.tar.bz2
|
||||
ghostscript-8.64.tar.bz2
|
||||
ghostscript-8.70.tar.xz
|
||||
ghostscript-8.71.tar.xz
|
||||
/ghostscript-9.00.tar.xz
|
||||
/ghostscript-9.01.tar.bz2
|
||||
/ghostscript-9.02.tar.bz2
|
||||
/ghostscript-9.04.tar.bz2
|
||||
/ghostscript-9.05.tar.bz2
|
||||
/ghostscript-9.06.tar.bz2
|
||||
/ghostscript-9.06-cleaned.tar.bz2
|
||||
/ghostscript-9.07.tar.bz2
|
||||
/ghostscript-9.07-cleaned.tar.bz2
|
||||
/ghostscript-9.08rc1.tar.gz
|
||||
/ghostscript-9.08.tar.bz2
|
||||
/ghostscript-9.09rc1.tar.gz
|
||||
/ghostscript-9.09.tar.bz2
|
||||
/ghostscript-9.10.tar.bz2
|
||||
/ghostscript-9.10-cleaned.tar.bz2
|
||||
/ghostscript-9.12-cleaned.tar.bz2
|
||||
/ghostscript-9.14-cleaned.tar.bz2
|
||||
/ghostscript-9.14-cleaned-1.tar.bz2
|
||||
/ghostscript-9.15-cleaned.tar.bz2
|
||||
/ghostscript-9.15-cleaned-1.tar.bz2
|
||||
/ghostscript-9.16-cleaned-1.tar.bz2
|
||||
/ghostscript-9.20.tar.xz
|
||||
/ghostscript-9.22.tar.xz
|
||||
/ghostscript-9.23.tar.xz
|
||||
/ghostscript-9.24.tar.xz
|
||||
/ghostscript-9.25.tar.xz
|
||||
/ghostscript-9.26.tar.xz
|
||||
/ghostscript-9.27.tar.xz
|
||||
/ghostscript-9.50.tar.xz
|
||||
/ghostscript-9.52.tar.xz
|
||||
/ghostscript-9.53.1.tar.xz
|
||||
/ghostscript-9.53.3.tar.xz
|
||||
/ghostscript-9.54.0.tar.xz
|
||||
SOURCES/ghostscript-9.27.tar.xz
|
||||
|
@ -1,79 +0,0 @@
|
||||
From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
|
||||
From: Ken Sharp <Ken.Sharp@artifex.com>
|
||||
Date: Thu, 21 Mar 2024 09:01:15 +0000
|
||||
Subject: [PATCH] Uniprint device - prevent string configuration changes when
|
||||
SAFER
|
||||
|
||||
Bug #707662
|
||||
|
||||
We cannot sanitise the string arguments used by the Uniprint device
|
||||
because they can potentially include anything.
|
||||
|
||||
This commit ensures that these strings are locked and cannot be
|
||||
changed by PostScript once SAFER is activated. Full configuration from
|
||||
the command line is still possible (see the *.upp files in lib).
|
||||
|
||||
This addresses CVE-2024-29510
|
||||
---
|
||||
devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
|
||||
1 file changed, 31 insertions(+)
|
||||
|
||||
diff --git a/devices/gdevupd.c b/devices/gdevupd.c
|
||||
index c9389e7bc..016a9260a 100644
|
||||
--- a/devices/gdevupd.c
|
||||
+++ b/devices/gdevupd.c
|
||||
@@ -1891,6 +1891,16 @@ out on this copies.
|
||||
if(!upd_strings[i]) continue;
|
||||
UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
|
||||
if(0 == code) {
|
||||
+ if (gs_is_path_control_active(udev->memory)) {
|
||||
+ if (strings[i].size != value.size)
|
||||
+ error = gs_error_invalidaccess;
|
||||
+ else {
|
||||
+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
|
||||
+ error = gs_error_invalidaccess;
|
||||
+ }
|
||||
+ if (error < 0)
|
||||
+ goto exit;
|
||||
+ }
|
||||
if(0 <= error) error |= UPD_PUT_STRINGS;
|
||||
UPD_MM_DEL_PARAM(udev->memory, strings[i]);
|
||||
if(!value.size) {
|
||||
@@ -1908,6 +1918,26 @@ out on this copies.
|
||||
if(!upd_string_a[i]) continue;
|
||||
UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
|
||||
if(0 == code) {
|
||||
+ if (gs_is_path_control_active(udev->memory)) {
|
||||
+ if (string_a[i].size != value.size)
|
||||
+ error = gs_error_invalidaccess;
|
||||
+ else {
|
||||
+ int loop;
|
||||
+ for (loop = 0;loop < string_a[i].size;loop++) {
|
||||
+ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
|
||||
+ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
|
||||
+
|
||||
+ if (tmp1->size != tmp2->size)
|
||||
+ error = gs_error_invalidaccess;
|
||||
+ else {
|
||||
+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
|
||||
+ error = gs_error_invalidaccess;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ if (error < 0)
|
||||
+ goto exit;
|
||||
+ }
|
||||
if(0 <= error) error |= UPD_PUT_STRING_A;
|
||||
UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
|
||||
if(!value.size) {
|
||||
@@ -2102,6 +2132,7 @@ transferred into the device-structure. In the case of "uniprint", this may
|
||||
if(0 > code) error = code;
|
||||
}
|
||||
|
||||
+exit:
|
||||
if(0 < error) { /* Actually something loaded without error */
|
||||
|
||||
if(!(upd = udev->upd)) {
|
||||
--
|
||||
2.45.2
|
||||
|
@ -0,0 +1,64 @@
|
||||
From 68c7275d4a580dca6c0ed3798f3717eea3513403 Mon Sep 17 00:00:00 2001
|
||||
From: Robin Watts <Robin.Watts@artifex.com>
|
||||
Date: Thu, 12 Sep 2019 09:35:01 +0100
|
||||
Subject: [PATCH] Bug 701568: Fix gdevpx.c RLE stream handling.
|
||||
|
||||
The current code in pclxl_write_image_data_RLE passes
|
||||
lines of data to the RLE compression routine. It tells
|
||||
each invocation of that routine that this is the "last"
|
||||
block of data, when clearly it is not.
|
||||
|
||||
Accordingly, the compression routine inserts the "EOD" byte
|
||||
into the stream, and returns EOFC.
|
||||
|
||||
Independently of the return value used, having multiple EOD
|
||||
bytes in the data is clearly wrong. Update the caller to only
|
||||
pass "last" in for the last block.
|
||||
|
||||
The code still returns EOFC at the end of the data, so update
|
||||
this final call to accept (indeed, expect) that return value
|
||||
there.
|
||||
---
|
||||
devices/vector/gdevpx.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/devices/vector/gdevpx.c b/devices/vector/gdevpx.c
|
||||
index 825e6b4c5..5d2d0edf5 100644
|
||||
--- a/devices/vector/gdevpx.c
|
||||
+++ b/devices/vector/gdevpx.c
|
||||
@@ -714,6 +714,7 @@ pclxl_write_image_data_RLE(gx_device_pclxl * xdev, const byte * base,
|
||||
uint num_bytes = ROUND_UP(width_bytes, 4) * height;
|
||||
bool compress = num_bytes >= 8;
|
||||
int i;
|
||||
+ int code;
|
||||
|
||||
/* cannot handle data_bit not multiple of 8, but we don't invoke this routine that way */
|
||||
int offset = data_bit >> 3;
|
||||
@@ -752,19 +753,20 @@ pclxl_write_image_data_RLE(gx_device_pclxl * xdev, const byte * base,
|
||||
r.ptr = data + i * raster - 1;
|
||||
r.limit = r.ptr + width_bytes;
|
||||
if ((*s_RLE_template.process)
|
||||
- ((stream_state *) & rlstate, &r, &w, true) != 0 ||
|
||||
+ ((stream_state *) & rlstate, &r, &w, false) != 0 ||
|
||||
r.ptr != r.limit)
|
||||
goto ncfree;
|
||||
r.ptr = (const byte *)"\000\000\000\000\000";
|
||||
r.limit = r.ptr + (-(int)width_bytes & 3);
|
||||
if ((*s_RLE_template.process)
|
||||
- ((stream_state *) & rlstate, &r, &w, true) != 0 ||
|
||||
+ ((stream_state *) & rlstate, &r, &w, false) != 0 ||
|
||||
r.ptr != r.limit)
|
||||
goto ncfree;
|
||||
}
|
||||
r.ptr = r.limit;
|
||||
- if ((*s_RLE_template.process)
|
||||
- ((stream_state *) & rlstate, &r, &w, true) != 0)
|
||||
+ code = (*s_RLE_template.process)
|
||||
+ ((stream_state *) & rlstate, &r, &w, true);
|
||||
+ if (code != EOFC && code != 0)
|
||||
goto ncfree;
|
||||
{
|
||||
uint count = w.ptr + 1 - buf;
|
||||
--
|
||||
2.46.2
|
||||
|
118
SOURCES/0001-Bug-701568-followup-Fix-RLE-compressor.patch
Normal file
118
SOURCES/0001-Bug-701568-followup-Fix-RLE-compressor.patch
Normal file
@ -0,0 +1,118 @@
|
||||
From 3b2ad1f24d2e9705481f9feb6835aa3e851726ac Mon Sep 17 00:00:00 2001
|
||||
From: Robin Watts <Robin.Watts@artifex.com>
|
||||
Date: Thu, 12 Sep 2019 17:09:50 +0100
|
||||
Subject: [PATCH] Bug 701568 followup: Fix RLE compressor.
|
||||
|
||||
The previous fix to the RLE compressor reveals an additional
|
||||
existing issue to do with us not checking whether we have
|
||||
space in the buffer to write the EOD byte.
|
||||
|
||||
Fixed here.
|
||||
---
|
||||
base/srle.c | 78 ++++++++++++++++++++++++++++++-----------------------
|
||||
1 file changed, 45 insertions(+), 33 deletions(-)
|
||||
|
||||
diff --git a/base/srle.c b/base/srle.c
|
||||
index 50de0d847..0c0186e04 100644
|
||||
--- a/base/srle.c
|
||||
+++ b/base/srle.c
|
||||
@@ -59,7 +59,13 @@ enum {
|
||||
state_gt_012,
|
||||
|
||||
/* -n bytes into a repeated run, n0 and n1 read. */
|
||||
- state_lt_01
|
||||
+ state_lt_01,
|
||||
+
|
||||
+ /* We have reached the end of data, but not written the marker. */
|
||||
+ state_eod_unmarked,
|
||||
+
|
||||
+ /* We have reached the end of data, and written the marker. */
|
||||
+ state_eod
|
||||
};
|
||||
|
||||
#ifdef DEBUG_RLE
|
||||
@@ -294,43 +300,49 @@ run_len_0_n0_read:
|
||||
}
|
||||
}
|
||||
}
|
||||
- }
|
||||
- /* n1 is never valid here */
|
||||
+ /* n1 is never valid here */
|
||||
|
||||
- if (last) {
|
||||
- if (run_len == 0) {
|
||||
- /* EOD */
|
||||
- if (wlimit - q < 1) {
|
||||
- ss->state = state_0;
|
||||
- goto no_output_room;
|
||||
- }
|
||||
- } else if (run_len > 0) {
|
||||
- /* Flush literal run + EOD */
|
||||
- if (wlimit - q < run_len+2) {
|
||||
- ss->state = state_0;
|
||||
- goto no_output_room;
|
||||
+ if (last) {
|
||||
+ if (run_len == 0) {
|
||||
+ /* EOD */
|
||||
+ if (wlimit - q < 1) {
|
||||
+ ss->state = state_0;
|
||||
+ goto no_output_room;
|
||||
+ }
|
||||
+ } else if (run_len > 0) {
|
||||
+ /* Flush literal run + EOD */
|
||||
+ if (wlimit - q < run_len+2) {
|
||||
+ ss->state = state_0;
|
||||
+ goto no_output_room;
|
||||
+ }
|
||||
+ *++q = run_len;
|
||||
+ memcpy(q+1, ss->literals, run_len);
|
||||
+ q += run_len;
|
||||
+ *++q = n0;
|
||||
+ } else if (run_len < 0) {
|
||||
+ /* Flush repeated run + EOD */
|
||||
+ if (wlimit - q < 3) {
|
||||
+ ss->state = state_0;
|
||||
+ goto no_output_room;
|
||||
+ }
|
||||
+ *++q = 257+run_len; /* Repeated run */
|
||||
+ *++q = n0;
|
||||
}
|
||||
- *++q = run_len;
|
||||
- memcpy(q+1, ss->literals, run_len);
|
||||
- q += run_len;
|
||||
- *++q = n0;
|
||||
- } else if (run_len < 0) {
|
||||
- /* Flush repeated run + EOD */
|
||||
- if (wlimit - q < 3) {
|
||||
- ss->state = state_0;
|
||||
+ case state_eod_unmarked:
|
||||
+ if (wlimit - q < 1) {
|
||||
+ ss->state = state_eod_unmarked;
|
||||
goto no_output_room;
|
||||
}
|
||||
- *++q = 257+run_len; /* Repeated run */
|
||||
- *++q = n0;
|
||||
+ *++q = 128; /* EOD */
|
||||
+ case state_eod:
|
||||
+ ss->run_len = 0;
|
||||
+ ss->state = state_0;
|
||||
+ pr->ptr = p;
|
||||
+ pw->ptr = q;
|
||||
+ ss->record_left = rlimit - p;
|
||||
+ debug_ate(pinit, p, qinit, q, EOFC);
|
||||
+ return EOFC;
|
||||
}
|
||||
- *++q = 128; /* EOD */
|
||||
- ss->run_len = 0;
|
||||
- ss->state = state_0;
|
||||
- pr->ptr = p;
|
||||
- pw->ptr = q;
|
||||
- ss->record_left = rlimit - p;
|
||||
- debug_ate(pinit, p, qinit, q, EOFC);
|
||||
- return EOFC;
|
||||
}
|
||||
|
||||
/* Normal exit */
|
||||
--
|
||||
2.46.2
|
||||
|
@ -0,0 +1,101 @@
|
||||
From b772aaf901a3cd37baf5c06eb141c689829bf673 Mon Sep 17 00:00:00 2001
|
||||
From: Robin Watts <Robin.Watts@artifex.com>
|
||||
Date: Tue, 26 Nov 2019 14:35:05 +0000
|
||||
Subject: [PATCH] Bug 701949: Add 'omitEOD' flag to RLE compressor and use for
|
||||
PXL.
|
||||
|
||||
It turns out that some printers (Samsung ML-2250 and Canon
|
||||
ImageRunner iRC2380i at least) object to the EOD byte appearing
|
||||
in RLE data in PXL streams.
|
||||
|
||||
Ken kindly checked the PXL spec for me, and found that: "The PXL
|
||||
spec does say a control code of -128 is ignored and not included
|
||||
in the decompressed data and the byte following a control byte
|
||||
of 128 (I assume they mean -128 here) is treated as the next
|
||||
control byte. And PCL only uses RLE data for images, so they do
|
||||
know how much data they expect."
|
||||
|
||||
Thus, the conclusion we reached is that PCL/PXL don't need
|
||||
(indeed, really does not want) the EOD byte.
|
||||
|
||||
The Postscript spec clearly defines the EOD byte though. Rather
|
||||
than break the streams for postscript, we introduce a flag
|
||||
'omitEOD' that can be set for the encoder when we want to produce
|
||||
a stream for use with PCL/PXL.
|
||||
---
|
||||
base/srle.c | 10 ++++++----
|
||||
base/srlx.h | 3 ++-
|
||||
devices/vector/gdevpx.c | 1 +
|
||||
psi/zfilter.c | 1 +
|
||||
4 files changed, 10 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/base/srle.c b/base/srle.c
|
||||
index 0c0186e04..21b729f31 100644
|
||||
--- a/base/srle.c
|
||||
+++ b/base/srle.c
|
||||
@@ -329,11 +329,13 @@ run_len_0_n0_read:
|
||||
*++q = n0;
|
||||
}
|
||||
case state_eod_unmarked:
|
||||
- if (wlimit - q < 1) {
|
||||
- ss->state = state_eod_unmarked;
|
||||
- goto no_output_room;
|
||||
+ if (!ss->omitEOD) {
|
||||
+ if (wlimit - q < 1) {
|
||||
+ ss->state = state_eod_unmarked;
|
||||
+ goto no_output_room;
|
||||
+ }
|
||||
+ *++q = 128; /* EOD */
|
||||
}
|
||||
- *++q = 128; /* EOD */
|
||||
case state_eod:
|
||||
ss->run_len = 0;
|
||||
ss->state = state_0;
|
||||
diff --git a/base/srlx.h b/base/srlx.h
|
||||
index ebf172064..98309dbdb 100644
|
||||
--- a/base/srlx.h
|
||||
+++ b/base/srlx.h
|
||||
@@ -32,6 +32,7 @@ typedef struct stream_RLE_state_s {
|
||||
stream_RL_state_common;
|
||||
/* The following parameters are set by the client. */
|
||||
ulong record_size;
|
||||
+ bool omitEOD;
|
||||
/* The following change dynamically. */
|
||||
ulong record_left; /* bytes left in current record */
|
||||
byte n0;
|
||||
@@ -47,7 +48,7 @@ typedef struct stream_RLE_state_s {
|
||||
/* We define the initialization procedure here, so that clients */
|
||||
/* can avoid a procedure call. */
|
||||
#define s_RLE_set_defaults_inline(ss)\
|
||||
- ((ss)->EndOfData = true, (ss)->record_size = 0)
|
||||
+ ((ss)->EndOfData = true, (ss)->omitEOD = false, (ss)->record_size = 0)
|
||||
#define s_RLE_init_inline(ss)\
|
||||
((ss)->record_left =\
|
||||
((ss)->record_size == 0 ? ((ss)->record_size = max_uint) :\
|
||||
diff --git a/devices/vector/gdevpx.c b/devices/vector/gdevpx.c
|
||||
index 5d2d0edf5..a1fce1b7c 100644
|
||||
--- a/devices/vector/gdevpx.c
|
||||
+++ b/devices/vector/gdevpx.c
|
||||
@@ -741,6 +741,7 @@ pclxl_write_image_data_RLE(gx_device_pclxl * xdev, const byte * base,
|
||||
goto nc;
|
||||
s_RLE_set_defaults_inline(&rlstate);
|
||||
rlstate.EndOfData = false;
|
||||
+ rlstate.omitEOD = true;
|
||||
s_RLE_init_inline(&rlstate);
|
||||
w.ptr = buf - 1;
|
||||
w.limit = w.ptr + num_bytes;
|
||||
diff --git a/psi/zfilter.c b/psi/zfilter.c
|
||||
index dfe3a1d5b..3ce7652c6 100644
|
||||
--- a/psi/zfilter.c
|
||||
+++ b/psi/zfilter.c
|
||||
@@ -109,6 +109,7 @@ zRLE(i_ctx_t *i_ctx_p)
|
||||
stream_RLE_state state;
|
||||
int code;
|
||||
|
||||
+ s_RLE_template.set_defaults((stream_state *)&state);
|
||||
check_op(2);
|
||||
code = rl_setup(op - 1, &state.EndOfData);
|
||||
if (code < 0)
|
||||
--
|
||||
2.47.0
|
||||
|
22
SOURCES/ghostscript-9.23-100-run-dvipdf-securely.patch
Normal file
22
SOURCES/ghostscript-9.23-100-run-dvipdf-securely.patch
Normal file
@ -0,0 +1,22 @@
|
||||
From 91c9c6d17d445781ee572c281b8b9d75d96f9df8 Mon Sep 17 00:00:00 2001
|
||||
From: "David Kaspar [Dee'Kej]" <dkaspar@redhat.com>
|
||||
Date: Fri, 7 Oct 2016 13:57:01 +0200
|
||||
Subject: [PATCH] Make sure 'dvipdf' is being run securely
|
||||
|
||||
---
|
||||
lib/dvipdf | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/dvipdf b/lib/dvipdf
|
||||
index 802aeab..c92dfb0 100755
|
||||
--- a/lib/dvipdf
|
||||
+++ b/lib/dvipdf
|
||||
@@ -43,4 +43,4 @@ fi
|
||||
|
||||
# We have to include the options twice because -I only takes effect if it
|
||||
# appears before other options.
|
||||
-exec dvips -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite -
|
||||
+exec dvips -R -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite -
|
||||
--
|
||||
2.14.3
|
||||
|
@ -20,7 +20,7 @@ index 7b14d9c71..6351fb77a 100644
|
||||
- if (data != *from || from == end) {
|
||||
+ if (from >= end || data != *from) {
|
||||
if (data >= 0xc0)
|
||||
gp_fputc(0xc1, file);
|
||||
putc(0xc1, file);
|
||||
} else {
|
||||
--
|
||||
2.41.0
|
28
SOURCES/ghostscript-9.27-CVE-2023-4042.patch
Normal file
28
SOURCES/ghostscript-9.27-CVE-2023-4042.patch
Normal file
@ -0,0 +1,28 @@
|
||||
From 2793769ff107d8d22dadd30c6e68cd781b569550 Mon Sep 17 00:00:00 2001
|
||||
From: Julian Smith <jules@op59.net>
|
||||
Date: Mon, 4 Nov 2019 12:30:33 +0000
|
||||
Subject: [PATCH] Bug 701819: fixed ordering in if expression to avoid
|
||||
out-of-bounds access.
|
||||
|
||||
Fixes:
|
||||
./sanbin/gs -dBATCH -dNOPAUSE -r965 -sOutputFile=tmp -sDEVICE=pcx16 ../bug-701819.pdf
|
||||
---
|
||||
devices/gdevpcx.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/devices/gdevpcx.c b/devices/gdevpcx.c
|
||||
index 1735851d2..91de4abb6 100644
|
||||
--- a/devices/gdevpcx.c
|
||||
+++ b/devices/gdevpcx.c
|
||||
@@ -442,7 +442,7 @@ pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file)
|
||||
byte data = *from;
|
||||
|
||||
from += step;
|
||||
- if (data != *from || from == end) {
|
||||
+ if (from >= end || data != *from) {
|
||||
if (data >= 0xc0)
|
||||
putc(0xc1, file);
|
||||
} else {
|
||||
--
|
||||
2.41.0
|
||||
|
@ -21,7 +21,7 @@ index 870a2e11c..fa050ed7a 100644
|
||||
--- a/Resource/Init/gs_cidfn.ps
|
||||
+++ b/Resource/Init/gs_cidfn.ps
|
||||
@@ -1,4 +1,4 @@
|
||||
-% Copyright (C) 2001-2021 Artifex Software, Inc.
|
||||
-% Copyright (C) 2001-2019 Artifex Software, Inc.
|
||||
+% Copyright (C) 2001-2022 Artifex Software, Inc.
|
||||
% All Rights Reserved.
|
||||
%
|
@ -1,17 +1,17 @@
|
||||
diff -x .git -Napur ghostscript-9.27.old/contrib/japanese/gdevespg.c ghostscript-9.27.new/contrib/japanese/gdevespg.c
|
||||
--- ghostscript-9.27.old/contrib/japanese/gdevespg.c 2019-04-04 00:43:14.000000000 -0700
|
||||
+++ ghostscript-9.27.new/contrib/japanese/gdevespg.c 2023-01-24 11:25:32.588189093 -0800
|
||||
@@ -273,6 +273,9 @@
|
||||
@@ -273,6 +273,9 @@ escpage_paper_set(gx_device_printer * pd
|
||||
int width, height, w, h, wp, hp, bLandscape;
|
||||
EpagPaperTable *pt;
|
||||
|
||||
+ /* Page size match tolerance in points */
|
||||
+ #define TOL 5
|
||||
+
|
||||
width = (int)pdev->MediaSize[0];
|
||||
height = (int)pdev->MediaSize[1];
|
||||
width = pdev->MediaSize[0];
|
||||
height = pdev->MediaSize[1];
|
||||
|
||||
@@ -291,7 +294,7 @@
|
||||
@@ -291,7 +294,7 @@ escpage_paper_set(gx_device_printer * pd
|
||||
}
|
||||
|
||||
for (pt = epagPaperTable; pt->escpage > 0; pt++)
|
||||
@ -19,4 +19,4 @@ diff -x .git -Napur ghostscript-9.27.old/contrib/japanese/gdevespg.c ghostscript
|
||||
+ if (abs(w - pt->width) <= TOL && abs(h - pt->height) <= TOL)
|
||||
break;
|
||||
|
||||
gp_fprintf(fp, "%c%d", GS, pt->escpage);
|
||||
fprintf(fp, "%c%d", GS, pt->escpage);
|
@ -0,0 +1,88 @@
|
||||
From f70ab2044429fe4b991801476ea3f4b4a5c0cdf4 Mon Sep 17 00:00:00 2001
|
||||
From: Julian Smith <jules@op59.net>
|
||||
Date: Wed, 6 Nov 2019 11:46:10 +0000
|
||||
Subject: [PATCH 1/2] Bug 701843: avoid divide by zero caused by custom
|
||||
resolution being too low.
|
||||
|
||||
Fixes:
|
||||
./sanbin/gs -dBATCH -dNOPAUSE -dSAFER -r8 -dNOCIE -dFitPage -sOutputFile=tmp -sDEVICE=eps9mid ../bug-701843.pdf
|
||||
---
|
||||
devices/gdevepsn.c | 19 +++++++++++++++----
|
||||
1 file changed, 15 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/devices/gdevepsn.c b/devices/gdevepsn.c
|
||||
index 49faaf3d7..3e5388322 100644
|
||||
--- a/devices/gdevepsn.c
|
||||
+++ b/devices/gdevepsn.c
|
||||
@@ -159,10 +159,10 @@ eps_print_page(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high,
|
||||
int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
|
||||
/* Note that in_size is a multiple of 8. */
|
||||
int in_size = line_size * (8 * in_y_mult);
|
||||
- byte *buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf1)");
|
||||
- byte *buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf2)");
|
||||
- byte *in = buf1;
|
||||
- byte *out = buf2;
|
||||
+ byte *buf1;
|
||||
+ byte *buf2;
|
||||
+ byte *in;
|
||||
+ byte *out;
|
||||
int out_y_mult = (y_24pin ? 3 : 1);
|
||||
int x_dpi = (int)pdev->x_pixels_per_inch;
|
||||
char start_graphics =
|
||||
@@ -174,6 +174,17 @@ eps_print_page(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high,
|
||||
int bytes_per_space = dots_per_space * out_y_mult;
|
||||
int tab_min_pixels = x_dpi * MIN_TAB_10THS / 10;
|
||||
int skip = 0, lnum = 0, pass, ypass;
|
||||
+
|
||||
+ if (bytes_per_space == 0) {
|
||||
+ /* This avoids divide by zero later on, bug 701843. */
|
||||
+ return_error(gs_error_rangecheck);
|
||||
+ }
|
||||
+
|
||||
+ buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf1)");
|
||||
+ buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf2)");
|
||||
+ in = buf1;
|
||||
+ out = buf2;
|
||||
+
|
||||
|
||||
/* Check allocations */
|
||||
if ( buf1 == 0 || buf2 == 0 )
|
||||
|
||||
diff --git a/devices/gdevepsc.c b/devices/gdevepsc.c
|
||||
--- a/devices/gdevepsc.c
|
||||
+++ b/devices/gdevepsc.c
|
||||
@@ -174,13 +174,7 @@
|
||||
int y_mult = (y_24pin ? 3 : 1);
|
||||
int line_size = (pdev->width + 7) >> 3; /* always mono */
|
||||
int in_size = line_size * (8 * y_mult);
|
||||
- byte *in =
|
||||
- (byte *) gs_malloc(pdev->memory, in_size + 1, 1,
|
||||
- "epsc_print_page(in)");
|
||||
int out_size = ((pdev->width + 7) & -8) * y_mult;
|
||||
- byte *out =
|
||||
- (byte *) gs_malloc(pdev->memory, out_size + 1, 1,
|
||||
- "epsc_print_page(out)");
|
||||
int x_dpi = (int)pdev->x_pixels_per_inch;
|
||||
char start_graphics = (char)
|
||||
((y_24pin ? graphics_modes_24 : graphics_modes_9)[x_dpi / 60]);
|
||||
@@ -195,6 +189,20 @@
|
||||
int color_line_size, color_in_size;
|
||||
int spare_bits = (pdev->width % 8); /* left over bits to go to margin */
|
||||
int whole_bits = pdev->width - spare_bits;
|
||||
+ byte *out;
|
||||
+ byte *in;
|
||||
+
|
||||
+ if (bytes_per_space == 0) {
|
||||
+ /* This avoids divide by zero later on, bug 701843. */
|
||||
+ return_error(gs_error_rangecheck);
|
||||
+ }
|
||||
+
|
||||
+ in =
|
||||
+ (byte *) gs_malloc(pdev->memory, in_size + 1, 1,
|
||||
+ "epsc_print_page(in)");
|
||||
+ out =
|
||||
+ (byte *) gs_malloc(pdev->memory, out_size + 1, 1,
|
||||
+ "epsc_print_page(out)");
|
||||
|
||||
/* Check allocations */
|
||||
if (in == 0 || out == 0) {
|
63
SOURCES/ghostscript-9.27-fix-bbox.patch
Normal file
63
SOURCES/ghostscript-9.27-fix-bbox.patch
Normal file
@ -0,0 +1,63 @@
|
||||
diff -Napur ghostscript-9.27.old/base/fapi_ft.c ghostscript-9.27.new/base/fapi_ft.c
|
||||
--- ghostscript-9.27.old/base/fapi_ft.c 2019-04-04 00:43:14.000000000 -0700
|
||||
+++ ghostscript-9.27.new/base/fapi_ft.c 2023-03-07 16:41:56.217995052 -0800
|
||||
@@ -974,13 +974,19 @@ make_rotation(FT_Matrix * a_transform, c
|
||||
*/
|
||||
static void
|
||||
transform_decompose(FT_Matrix * a_transform, FT_UInt * xresp, FT_UInt * yresp,
|
||||
- FT_Fixed * a_x_scale, FT_Fixed * a_y_scale)
|
||||
+ FT_Fixed * a_x_scale, FT_Fixed * a_y_scale, int units_per_EM)
|
||||
{
|
||||
double scalex, scaley, fact = 1.0;
|
||||
double factx = 1.0, facty = 1.0;
|
||||
FT_Matrix ftscale_mat;
|
||||
FT_UInt xres;
|
||||
FT_UInt yres;
|
||||
+ /* We have to account for units_per_EM as we fiddle with the scaling
|
||||
+ * in order to avoid underflow (mostly in the TTF hinting code), but
|
||||
+ * we also want to clamp to a lower value (512, admittedly arrived at
|
||||
+ * via experimentation) in order to preserve the fidelity of the outlines.
|
||||
+ */
|
||||
+ double upe = units_per_EM > 512 ? (float)units_per_EM : 512.0;
|
||||
|
||||
scalex = hypot((double)a_transform->xx, (double)a_transform->xy);
|
||||
scaley = hypot((double)a_transform->yx, (double)a_transform->yy);
|
||||
@@ -1067,10 +1073,25 @@ transform_decompose(FT_Matrix * a_transf
|
||||
scalex *= fact;
|
||||
}
|
||||
|
||||
- ftscale_mat.xx = (FT_Fixed) (65536.0 / scalex);
|
||||
- ftscale_mat.xy = (FT_Fixed) 0;
|
||||
- ftscale_mat.yx = (FT_Fixed) 0;
|
||||
- ftscale_mat.yy = (FT_Fixed) (65536.0 / scaley);
|
||||
+ /* see above */
|
||||
+ fact = 1.0;
|
||||
+ while (scaley * yres > (double)upe * 72.0 && (xres > 0 && yres > 0)
|
||||
+ && (scalex > 0.0 && scaley > 0.0)) {
|
||||
+ if (scaley < yres) {
|
||||
+ xres >>= 1;
|
||||
+ yres >>= 1;
|
||||
+ fact *= 2.0;
|
||||
+ }
|
||||
+ else {
|
||||
+ scalex /= 1.25;
|
||||
+ scaley /= 1.25;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ftscale_mat.xx = (FT_Fixed) ((65536.0 / scalex) * fact);
|
||||
+ ftscale_mat.xy = 0;
|
||||
+ ftscale_mat.yx = 0;
|
||||
+ ftscale_mat.yy = (FT_Fixed) ((65536.0 / scaley) * fact);
|
||||
|
||||
FT_Matrix_Multiply(a_transform, &ftscale_mat);
|
||||
memcpy(a_transform, &ftscale_mat, sizeof(FT_Matrix));
|
||||
@@ -1315,7 +1336,7 @@ gs_fapi_ft_get_scaled_font(gs_fapi_serve
|
||||
* transform.
|
||||
*/
|
||||
transform_decompose(&face->ft_transform, &face->horz_res,
|
||||
- &face->vert_res, &face->width, &face->height);
|
||||
+ &face->vert_res, &face->width, &face->height, face->ft_face->units_per_EM);
|
||||
|
||||
ft_error = FT_Set_Char_Size(face->ft_face, face->width, face->height,
|
||||
face->horz_res, face->vert_res);
|
16
SOURCES/ghostscript-9.27-fix-use-of-HWMargins.patch
Normal file
16
SOURCES/ghostscript-9.27-fix-use-of-HWMargins.patch
Normal file
@ -0,0 +1,16 @@
|
||||
diff -Napur '--exclude=.git' ghostscript-9.27.old/devices/vector/opdfread.ps ghostscript-9.27.new/devices/vector/opdfread.ps
|
||||
--- ghostscript-9.27.old/devices/vector/opdfread.ps 2019-04-04 00:43:14.000000000 -0700
|
||||
+++ ghostscript-9.27.new/devices/vector/opdfread.ps 2022-06-14 17:44:27.963033829 -0700
|
||||
@@ -998,10 +998,10 @@ currentdict end readonly def
|
||||
} if % id obj node
|
||||
1 index exch /Context exch put % id obj
|
||||
dup /ImmediateExec true put
|
||||
- dup /IsPage true put
|
||||
- SetPageSize {dup /Context get //SetupPageView exec} if
|
||||
% This gets restored at the end of ExecuteStream if IsPage is true.
|
||||
/pagesave save def
|
||||
+ dup /IsPage true put
|
||||
+ SetPageSize {dup /Context get //SetupPageView exec} if
|
||||
} bind def
|
||||
|
||||
/FontFileDaemon % <id> <obj> <font_descriptor> FontFileDaemon <id> <obj>
|
43
SOURCES/ghostscript-cve-2019-10216.patch
Normal file
43
SOURCES/ghostscript-cve-2019-10216.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Liddell <chris.liddell@artifex.com>
|
||||
Date: Fri, 2 Aug 2019 15:18:26 +0100
|
||||
Subject: Bug 701394: protect use of .forceput with executeonly
|
||||
|
||||
|
||||
diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
|
||||
index 6c7735bc0c..a039ccee35 100644
|
||||
--- a/Resource/Init/gs_type1.ps
|
||||
+++ b/Resource/Init/gs_type1.ps
|
||||
@@ -118,25 +118,25 @@
|
||||
( to be the same as glyph: ) print 1 index //== exec } if
|
||||
3 index exch 3 index .forceput
|
||||
% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
|
||||
- }
|
||||
+ }executeonly
|
||||
{pop} ifelse
|
||||
- } forall
|
||||
+ } executeonly forall
|
||||
pop pop
|
||||
- }
|
||||
+ } executeonly
|
||||
{
|
||||
pop pop pop
|
||||
} ifelse
|
||||
- }
|
||||
+ } executeonly
|
||||
{
|
||||
% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
|
||||
pop pop
|
||||
} ifelse
|
||||
- } forall
|
||||
+ } executeonly forall
|
||||
3 1 roll pop pop
|
||||
- } if
|
||||
+ } executeonly if
|
||||
pop
|
||||
dup /.AGLprocessed~GS //true .forceput
|
||||
- } if
|
||||
+ } executeonly if
|
||||
|
||||
%% We need to excute the C .buildfont1 in a stopped context so that, if there
|
||||
%% are errors we can put the stack back sanely and exit. Otherwise callers won't
|
56
SOURCES/ghostscript-cve-2019-14811-14812-14813.patch
Normal file
56
SOURCES/ghostscript-cve-2019-14811-14812-14813.patch
Normal file
@ -0,0 +1,56 @@
|
||||
From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
|
||||
From: Ken Sharp <ken.sharp@artifex.com>
|
||||
Date: Tue, 20 Aug 2019 10:10:28 +0100
|
||||
Subject: make .forceput inaccessible
|
||||
|
||||
Bug #701343, #701344, #701345
|
||||
|
||||
More defensive programming. We don't want people to access .forecput
|
||||
even though it is no longer sufficient to bypass SAFER. The exploit
|
||||
in #701343 didn't work anyway because of earlier work to stop the error
|
||||
handler being used, but nevertheless, prevent access to .forceput from
|
||||
.setuserparams2.
|
||||
|
||||
diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
|
||||
index 4cc7f820f..0fd416465 100644
|
||||
--- a/Resource/Init/gs_lev2.ps
|
||||
+++ b/Resource/Init/gs_lev2.ps
|
||||
@@ -158,7 +158,7 @@ end
|
||||
{
|
||||
pop pop
|
||||
} ifelse
|
||||
- } forall
|
||||
+ } executeonly forall
|
||||
% A context switch might have occurred during the above loop,
|
||||
% causing the interpreter-level parameters to be reset.
|
||||
% Set them again to the new values. From here on, we are safe,
|
||||
@@ -229,9 +229,9 @@ end
|
||||
{ pop pop
|
||||
}
|
||||
ifelse
|
||||
- }
|
||||
+ } executeonly
|
||||
forall pop
|
||||
-} .bind odef
|
||||
+} .bind executeonly odef
|
||||
|
||||
% Initialize the passwords.
|
||||
% NOTE: the names StartJobPassword and SystemParamsPassword are known to
|
||||
diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
|
||||
index c158a8faf..422e66e1a 100644
|
||||
--- a/Resource/Init/gs_pdfwr.ps
|
||||
+++ b/Resource/Init/gs_pdfwr.ps
|
||||
@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef
|
||||
systemdict /.pdf_hooked_DSC_Creator //true .forceput
|
||||
} executeonly if
|
||||
pop
|
||||
- } if
|
||||
+ } executeonly if
|
||||
} {
|
||||
pop
|
||||
} ifelse
|
||||
- }
|
||||
+ } executeonly
|
||||
{
|
||||
pop
|
||||
} ifelse
|
189
SOURCES/ghostscript-cve-2019-14817.patch
Normal file
189
SOURCES/ghostscript-cve-2019-14817.patch
Normal file
@ -0,0 +1,189 @@
|
||||
diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
|
||||
index 1a218f4..cffde5c 100644
|
||||
--- a/Resource/Init/pdf_base.ps
|
||||
+++ b/Resource/Init/pdf_base.ps
|
||||
@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef
|
||||
{
|
||||
dup ==only () = flush
|
||||
} ifelse % PDFSTEP
|
||||
- } if % PDFDEBUG
|
||||
+ } executeonly if % PDFDEBUG
|
||||
2 copy .knownget {
|
||||
exch pop exch pop exch pop exec
|
||||
} {
|
||||
diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
|
||||
index e18a7c2..0a3924c 100644
|
||||
--- a/Resource/Init/pdf_draw.ps
|
||||
+++ b/Resource/Init/pdf_draw.ps
|
||||
@@ -501,8 +501,8 @@ end
|
||||
( Output may be incorrect.\n) pdfformaterror
|
||||
//pdfdict /.gs_warning_issued //true .forceput
|
||||
PDFSTOPONERROR { /gs /undefined signalerror } if
|
||||
- } if
|
||||
- }
|
||||
+ } executeonly if
|
||||
+ } executeonly
|
||||
ifelse
|
||||
} bind executeonly def
|
||||
|
||||
@@ -1142,7 +1142,7 @@ currentdict end readonly def
|
||||
.setglobal
|
||||
pdfformaterror
|
||||
} executeonly ifelse
|
||||
- }
|
||||
+ } executeonly
|
||||
{
|
||||
currentglobal //pdfdict gcheck .setglobal
|
||||
//pdfdict /.Qqwarning_issued //true .forceput
|
||||
@@ -1150,8 +1150,8 @@ currentdict end readonly def
|
||||
pdfformaterror
|
||||
} executeonly ifelse
|
||||
end
|
||||
- } ifelse
|
||||
- } loop
|
||||
+ } executeonly ifelse
|
||||
+ } executeonly loop
|
||||
{
|
||||
(\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
|
||||
//pdfdict /.Qqwarning_issued .knownget
|
||||
@@ -1165,14 +1165,14 @@ currentdict end readonly def
|
||||
.setglobal
|
||||
pdfformaterror
|
||||
} executeonly ifelse
|
||||
- }
|
||||
+ } executeonly
|
||||
{
|
||||
currentglobal //pdfdict gcheck .setglobal
|
||||
//pdfdict /.Qqwarning_issued //true .forceput
|
||||
.setglobal
|
||||
pdfformaterror
|
||||
} executeonly ifelse
|
||||
- } if
|
||||
+ } executeonly if
|
||||
pop
|
||||
|
||||
% restore pdfemptycount
|
||||
diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
|
||||
index 9fb85f6..357ba30 100644
|
||||
--- a/Resource/Init/pdf_font.ps
|
||||
+++ b/Resource/Init/pdf_font.ps
|
||||
@@ -677,7 +677,7 @@ currentdict end readonly def
|
||||
currentglobal 2 index dup gcheck setglobal
|
||||
/FontInfo 5 dict dup 5 1 roll .forceput
|
||||
setglobal
|
||||
- } if
|
||||
+ } executeonly if
|
||||
dup /GlyphNames2Unicode .knownget not {
|
||||
//true % No existing G2U, make one
|
||||
} {
|
||||
@@ -701,9 +701,9 @@ currentdict end readonly def
|
||||
} if
|
||||
PDFDEBUG {
|
||||
(.processToUnicode end) =
|
||||
- } if
|
||||
- } if
|
||||
- } stopped
|
||||
+ } executeonly if
|
||||
+ } executeonly if
|
||||
+ } executeonly stopped
|
||||
{
|
||||
.dstackdepth 1 countdictstack 1 sub
|
||||
{pop end} for
|
||||
@@ -1233,19 +1233,20 @@ currentdict /eexec_pdf_param_dict .undef
|
||||
//pdfdict /.Qqwarning_issued //true .forceput
|
||||
} executeonly if
|
||||
Q
|
||||
- } repeat
|
||||
+ } executeonly repeat
|
||||
Q
|
||||
- } PDFfile fileposition 2 .execn % Keep pdfcount valid.
|
||||
+ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid.
|
||||
PDFfile exch setfileposition
|
||||
- } ifelse
|
||||
- } {
|
||||
+ } executeonly ifelse
|
||||
+ } executeonly
|
||||
+ {
|
||||
% PDF Type 3 fonts don't use .notdef
|
||||
% d1 implementation adjusts the width as needed
|
||||
0 0 0 0 0 0
|
||||
pdfopdict /d1 get exec
|
||||
} ifelse
|
||||
end end
|
||||
- } bdef
|
||||
+ } executeonly bdef
|
||||
dup currentdict Encoding .processToUnicode
|
||||
currentdict end .completefont exch pop
|
||||
} bind executeonly odef
|
||||
@@ -2045,9 +2046,9 @@ currentdict /CMap_read_dict undef
|
||||
(Will continue, but content may be missing.) = flush
|
||||
} ifelse
|
||||
} if
|
||||
- } if
|
||||
+ } executeonly if
|
||||
/findresource cvx /undefined signalerror
|
||||
- } loop
|
||||
+ } executeonly loop
|
||||
} bind executeonly odef
|
||||
|
||||
/buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font>
|
||||
diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
|
||||
index 5305ea6..a59e63c 100644
|
||||
--- a/Resource/Init/pdf_main.ps
|
||||
+++ b/Resource/Init/pdf_main.ps
|
||||
@@ -2749,15 +2749,15 @@ currentdict /PDF2PS_matrix_key undef
|
||||
.setglobal
|
||||
pdfformaterror
|
||||
} executeonly ifelse
|
||||
- }
|
||||
+ } executeonly
|
||||
{
|
||||
currentglobal //pdfdict gcheck .setglobal
|
||||
//pdfdict /.Qqwarning_issued //true .forceput
|
||||
.setglobal
|
||||
pdfformaterror
|
||||
} executeonly ifelse
|
||||
- } if
|
||||
- } if
|
||||
+ } executeonly if
|
||||
+ } executeonly if
|
||||
pop
|
||||
count PDFexecstackcount sub { pop } repeat
|
||||
(after exec) VMDEBUG
|
||||
diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
|
||||
index 285e582..6c1f100 100644
|
||||
--- a/Resource/Init/pdf_ops.ps
|
||||
+++ b/Resource/Init/pdf_ops.ps
|
||||
@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef
|
||||
.setglobal
|
||||
pdfformaterror
|
||||
} executeonly ifelse
|
||||
- }
|
||||
+ } executeonly
|
||||
{
|
||||
currentglobal //pdfdict gcheck .setglobal
|
||||
//pdfdict /.Qqwarning_issued //true .forceput
|
||||
.setglobal
|
||||
pdfformaterror
|
||||
} executeonly ifelse
|
||||
- } if
|
||||
+ } executeonly if
|
||||
} bind executeonly odef
|
||||
|
||||
% Save PDF gstate
|
||||
@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef
|
||||
dup type /booleantype eq {
|
||||
.currentSMask type /dicttype eq {
|
||||
.currentSMask /Processed 2 index .forceput
|
||||
+ } executeonly
|
||||
+ {
|
||||
+ .setSMask
|
||||
+ }ifelse
|
||||
} executeonly
|
||||
{
|
||||
- .setSMask
|
||||
- }ifelse
|
||||
- }{
|
||||
.setSMask
|
||||
}ifelse
|
||||
|
18
SOURCES/ghostscript-cve-2020-16290.patch
Normal file
18
SOURCES/ghostscript-cve-2020-16290.patch
Normal file
@ -0,0 +1,18 @@
|
||||
diff --git a/devices/gdev3852.c b/devices/gdev3852.c
|
||||
index e21b403..2bee8ec 100644
|
||||
--- a/devices/gdev3852.c
|
||||
+++ b/devices/gdev3852.c
|
||||
@@ -76,6 +76,13 @@ jetp3852_print_page(gx_device_printer *pdev, FILE *prn_stream)
|
||||
{ int lnum;
|
||||
int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
|
||||
int num_blank_lines = 0;
|
||||
+
|
||||
+ if (line_size > DATA_SIZE) {
|
||||
+ emprintf2(pdev->memory, "invalid resolution and/or width gives line_size = %d, max. is %d\n",
|
||||
+ line_size, DATA_SIZE);
|
||||
+ return_error(gs_error_rangecheck);
|
||||
+ }
|
||||
+
|
||||
for ( lnum = 0; lnum < pdev->height; lnum++ )
|
||||
{ byte *end_data = data + line_size;
|
||||
gdev_prn_copy_scan_lines(pdev, lnum,
|
257
SOURCES/ghostscript-cve-2020-16291.patch
Normal file
257
SOURCES/ghostscript-cve-2020-16291.patch
Normal file
@ -0,0 +1,257 @@
|
||||
diff --git a/contrib/gdevdj9.c b/contrib/gdevdj9.c
|
||||
index eec1c77..a4e8e9c 100644
|
||||
--- a/contrib/gdevdj9.c
|
||||
+++ b/contrib/gdevdj9.c
|
||||
@@ -575,26 +575,55 @@ static int cdj_set_bpp(gx_device *, int, int);
|
||||
static int
|
||||
hp_colour_open(gx_device * pdev)
|
||||
{
|
||||
- int retCode;
|
||||
+ int retCode = 0;
|
||||
+
|
||||
+ /* Change the margins if necessary. */
|
||||
+ static const float dj_a4[4] = {
|
||||
+ DESKJET_MARGINS_A4
|
||||
+ };
|
||||
+
|
||||
+ static const float dj_letter[4] = {
|
||||
+ DESKJET_MARGINS_LETTER
|
||||
+ };
|
||||
+ const float *m = (float *)0;
|
||||
|
||||
cdj970->PageCtr = 0;
|
||||
|
||||
+ /* quality setup */
|
||||
+ if (cdj970->quality == DRAFT) {
|
||||
+ gx_device_set_resolution((gx_device *) pdev, 300.0, 300.0);
|
||||
+ cdj970->xscal = 0;
|
||||
+ cdj970->yscal = 0;
|
||||
+ cdj970->intensities = 2;
|
||||
+ } else if (cdj970->quality == NORMAL) {
|
||||
+ gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0);
|
||||
+ cdj970->xscal = 1;
|
||||
+ cdj970->yscal = 1;
|
||||
+ /* intensities = 4 from initialization */
|
||||
+ } else { /* quality == PRESENTATION */
|
||||
+ gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0);
|
||||
+ cdj970->xscal = 0;
|
||||
+ cdj970->yscal = 0;
|
||||
+ /* intensities = 4 from initialization */
|
||||
+ }
|
||||
+
|
||||
+ m = (gdev_pcl_paper_size((gx_device *) pdev) ==
|
||||
+ PAPER_SIZE_A4 ? dj_a4 : dj_letter);
|
||||
+
|
||||
+ gx_device_set_margins((gx_device *) pdev, m, true);
|
||||
+
|
||||
/* Set up colour params if put_params has not already done so */
|
||||
if (pdev->color_info.num_components == 0) {
|
||||
- int code = cdj_set_bpp(pdev, pdev->color_info.depth,
|
||||
+ retCode = cdj_set_bpp(pdev, pdev->color_info.depth,
|
||||
pdev->color_info.num_components);
|
||||
|
||||
- if (code < 0)
|
||||
- return code;
|
||||
+ if (retCode < 0)
|
||||
+ return retCode;
|
||||
}
|
||||
|
||||
retCode = gdev_prn_open(pdev);
|
||||
- if (retCode < 0)
|
||||
- return (retCode);
|
||||
- else {
|
||||
+ if (retCode >= 0) {
|
||||
retCode = gdev_prn_open_printer(pdev, true);
|
||||
- if (retCode < 0)
|
||||
- return (retCode);
|
||||
}
|
||||
|
||||
return 0;
|
||||
@@ -648,26 +677,25 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist)
|
||||
int bpp = 0;
|
||||
int code = 0;
|
||||
|
||||
- code = cdj_put_param_int(plist, "BitsPerPixel", &bpp, 1, 32, code);
|
||||
- code = cdj_put_param_int(plist, "Quality", &quality, 0, 2, code);
|
||||
- code = cdj_put_param_int(plist, "Papertype", &papertype, 0, 4, code);
|
||||
- code = cdj_put_param_int(plist, "Duplex", &duplex, 0, 2, code);
|
||||
- code =
|
||||
- cdj_put_param_float(plist, "MasterGamma", &mastergamma, 0.1, 9.0,
|
||||
- code);
|
||||
- code =
|
||||
- cdj_put_param_float(plist, "GammaValC", &gammavalc, 0.0, 9.0, code);
|
||||
- code =
|
||||
- cdj_put_param_float(plist, "GammaValM", &gammavalm, 0.0, 9.0, code);
|
||||
- code =
|
||||
- cdj_put_param_float(plist, "GammaValY", &gammavaly, 0.0, 9.0, code);
|
||||
- code =
|
||||
- cdj_put_param_float(plist, "GammaValK", &gammavalk, 0.0, 9.0, code);
|
||||
- code =
|
||||
- cdj_put_param_float(plist, "BlackCorrect", &blackcorrect, 0.0, 9.0,
|
||||
- code);
|
||||
-
|
||||
- if (code < 0)
|
||||
+ if ((code = cdj_put_param_int(plist, "BitsPerPixel", &bpp, 1, 32, code)) < 0)
|
||||
+ return code;
|
||||
+ if ((code = cdj_put_param_int(plist, "Quality", &quality, 0, 2, code)) < 0)
|
||||
+ return code;
|
||||
+ if ((code = cdj_put_param_int(plist, "Papertype", &papertype, 0, 4, code)) < 0)
|
||||
+ return code;
|
||||
+ if ((code = cdj_put_param_int(plist, "Duplex", &duplex, 0, 2, code)) < 0)
|
||||
+ return code;
|
||||
+ if ((code = cdj_put_param_float(plist, "MasterGamma", &mastergamma, 0.1, 9.0, code)) < 0)
|
||||
+ return code;
|
||||
+ if ((code = cdj_put_param_float(plist, "GammaValC", &gammavalc, 0.0, 9.0, code)) < 0)
|
||||
+ return code;
|
||||
+ if ((code = cdj_put_param_float(plist, "GammaValM", &gammavalm, 0.0, 9.0, code)) < 0)
|
||||
+ return code;
|
||||
+ if ((code = cdj_put_param_float(plist, "GammaValY", &gammavaly, 0.0, 9.0, code)) < 0)
|
||||
+ return code;
|
||||
+ if ((code = cdj_put_param_float(plist, "GammaValK", &gammavalk, 0.0, 9.0, code)) < 0)
|
||||
+ return code;
|
||||
+ if ((code = cdj_put_param_float(plist, "BlackCorrect", &blackcorrect, 0.0, 9.0, code)) < 0)
|
||||
return code;
|
||||
|
||||
code = cdj_put_param_bpp(pdev, plist, bpp, bpp, 0);
|
||||
@@ -676,6 +704,12 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist)
|
||||
return code;
|
||||
|
||||
cdj970->quality = quality;
|
||||
+ if (cdj970->quality != quality) {
|
||||
+ if (pdev->is_open)
|
||||
+ gs_closedevice(pdev); /* quality can change resolution, force re-open */
|
||||
+ cdj970->quality = quality;
|
||||
+ }
|
||||
+
|
||||
cdj970->papertype = papertype;
|
||||
cdj970->duplex = duplex;
|
||||
cdj970->mastergamma = mastergamma;
|
||||
@@ -685,7 +719,7 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist)
|
||||
cdj970->gammavalk = gammavalk;
|
||||
cdj970->blackcorrect = blackcorrect;
|
||||
|
||||
- return 0;
|
||||
+ return code;
|
||||
}
|
||||
|
||||
/**********************************************************************************/
|
||||
@@ -784,47 +818,6 @@ cdj970_terminate_page(gx_device_printer * pdev, FILE * prn_stream)
|
||||
fputs("\033*rC\f\033&l-2H", prn_stream); /* End Graphics, Reset */
|
||||
}
|
||||
|
||||
-/* cdj970_one_time_initialisation:
|
||||
-----------------------------------------------------------------------------------*/
|
||||
-static void
|
||||
-cdj970_one_time_initialisation(gx_device_printer * pdev)
|
||||
-{
|
||||
- /* Change the margins if necessary. */
|
||||
- static const float dj_a4[4] = {
|
||||
- DESKJET_MARGINS_A4
|
||||
- };
|
||||
-
|
||||
- static const float dj_letter[4] = {
|
||||
- DESKJET_MARGINS_LETTER
|
||||
- };
|
||||
- const float *m = (float *)0;
|
||||
-
|
||||
- /* quality setup */
|
||||
- if (cdj970->quality == DRAFT) {
|
||||
- gx_device_set_resolution((gx_device *) pdev, 300.0, 300.0);
|
||||
- cdj970->xscal = 0;
|
||||
- cdj970->yscal = 0;
|
||||
- cdj970->intensities = 2;
|
||||
- } else if (cdj970->quality == NORMAL) {
|
||||
- gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0);
|
||||
- cdj970->xscal = 1;
|
||||
- cdj970->yscal = 1;
|
||||
- /* intensities = 4 from initialization */
|
||||
- } else { /* quality == PRESENTATION */
|
||||
- gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0);
|
||||
- cdj970->xscal = 0;
|
||||
- cdj970->yscal = 0;
|
||||
- /* intensities = 4 from initialization */
|
||||
- }
|
||||
-
|
||||
- m = (gdev_pcl_paper_size((gx_device *) pdev) ==
|
||||
- PAPER_SIZE_A4 ? dj_a4 : dj_letter);
|
||||
-
|
||||
- gx_device_set_margins((gx_device *) pdev, m, true);
|
||||
-
|
||||
- cdj970_write_header((gx_device *) pdev, pdev->file);
|
||||
-}
|
||||
-
|
||||
/* cdj970_print_page: Here comes the hp970 output routine
|
||||
----------------------------------------------------------------------------------*/
|
||||
static int
|
||||
@@ -837,7 +830,7 @@ cdj970_print_page(gx_device_printer * pdev, FILE * prn_stream)
|
||||
Gamma gamma;
|
||||
|
||||
if (cdj970->PageCtr == 0 && cdj970->ptype == DJ970C) {
|
||||
- cdj970_one_time_initialisation(pdev);
|
||||
+ cdj970_write_header((gx_device *)pdev, prn_stream);
|
||||
}
|
||||
|
||||
/* make a local writable copy of the Gamma tables */
|
||||
@@ -2280,6 +2273,11 @@ cdj_set_bpp(gx_device * pdev, int bpp, int ccomps)
|
||||
ci->dither_colors = (bpp >= 8 ? 5 : bpp > 1 ? 2 : 0);
|
||||
}
|
||||
|
||||
+ if (ci->depth != ((bpp > 1) && (bpp < 8) ? 8 : bpp)) {
|
||||
+ if (pdev->is_open)
|
||||
+ gs_closedevice(pdev); /* depth changed, make sure we re-open */
|
||||
+ }
|
||||
+
|
||||
ci->depth = ((bpp > 1) && (bpp < 8) ? 8 : bpp);
|
||||
|
||||
return (0);
|
||||
@@ -2598,16 +2596,15 @@ cdj_put_param_bpp(gx_device * pdev,
|
||||
gs_param_list * plist,
|
||||
int new_bpp, int real_bpp, int ccomps)
|
||||
{
|
||||
- if (new_bpp == 0 && ccomps == 0)
|
||||
- return gdev_prn_put_params(pdev, plist);
|
||||
- else {
|
||||
- gx_device_color_info save_info;
|
||||
- int save_bpp;
|
||||
- int code;
|
||||
-
|
||||
- save_info = pdev->color_info;
|
||||
- save_bpp = save_info.depth;
|
||||
+ int code = 0;
|
||||
+ int save_bpp;
|
||||
+ gx_device_color_info save_info;
|
||||
+ save_info = pdev->color_info;
|
||||
+ save_bpp = save_info.depth;
|
||||
|
||||
+ if (new_bpp == 0 && ccomps == 0) {
|
||||
+ code = gdev_prn_put_params(pdev, plist);
|
||||
+ } else {
|
||||
if (save_bpp == 8 && save_ccomps == 3 && !cprn_device->cmyk)
|
||||
save_bpp = 3;
|
||||
|
||||
@@ -2631,12 +2628,22 @@ cdj_put_param_bpp(gx_device * pdev,
|
||||
if ((cdj970->color_info.depth != save_bpp
|
||||
|| (ccomps != 0 && ccomps != save_ccomps))
|
||||
&& pdev->is_open)
|
||||
- return (gs_closedevice(pdev));
|
||||
+ gs_closedevice(pdev);
|
||||
+ }
|
||||
+
|
||||
+ /* check for valid resolutions */
|
||||
+ if (pdev->HWResolution[0] != pdev->HWResolution[1] ||
|
||||
+ (pdev->HWResolution[0] != 300.0 && pdev->HWResolution[0] != 600.0) ) {
|
||||
+ param_signal_error(plist, "HWResolution", gs_error_rangecheck);
|
||||
+ emprintf1(pdev->memory, "\ncdj970: Invalid resolution: '%f'. Only 300 or 600 supported.\n\n",
|
||||
+ pdev->HWResolution[0]);
|
||||
+ cdj_set_bpp(pdev, save_bpp, save_ccomps);
|
||||
+ return gs_error_rangecheck;
|
||||
+ }
|
||||
+ return code;
|
||||
|
||||
- return (0);
|
||||
|
||||
#undef save_ccomps
|
||||
- }
|
||||
}
|
||||
|
||||
/* cdj970_write_header:
|
13
SOURCES/ghostscript-cve-2020-16293.patch
Normal file
13
SOURCES/ghostscript-cve-2020-16293.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff --git a/base/gxblend.c b/base/gxblend.c
|
||||
index 7c3d55b..55215d6 100644
|
||||
--- a/base/gxblend.c
|
||||
+++ b/base/gxblend.c
|
||||
@@ -2174,7 +2174,7 @@ pdf14_compose_group(pdf14_buf *tos, pdf14_buf *nos, pdf14_buf *maskbuf,
|
||||
overprint == 0) {
|
||||
/* Additive vs Subtractive makes no difference in normal blend mode with no spots */
|
||||
if (tos_isolated) {
|
||||
- if (has_mask || maskbuf) {/* 7% */
|
||||
+ if (has_mask && maskbuf) {/* 7% */
|
||||
/* AirPrint test case hits this */
|
||||
if (maskbuf && maskbuf->rect.p.x <= x0 && maskbuf->rect.p.y <= y0 &&
|
||||
maskbuf->rect.q.x >= x1 && maskbuf->rect.q.y >= y1)
|
13
SOURCES/ghostscript-cve-2020-16295.patch
Normal file
13
SOURCES/ghostscript-cve-2020-16295.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff --git a/devices/gdevclj.c b/devices/gdevclj.c
|
||||
index bed13bc..fe17ece 100644
|
||||
--- a/devices/gdevclj.c
|
||||
+++ b/devices/gdevclj.c
|
||||
@@ -254,7 +254,7 @@ clj_media_size(float mediasize[2], gs_param_list *plist)
|
||||
gs_param_int_array hwsize;
|
||||
int have_pagesize = 0;
|
||||
|
||||
- if ( (param_read_float_array(plist, "HWResolution", &fres) == 0) &&
|
||||
+ if ( param_read_float_array(plist, "HWResolution", &fres) != 0 ||
|
||||
!is_supported_resolution(fres.data) )
|
||||
return_error(gs_error_rangecheck);
|
||||
|
58
SOURCES/ghostscript-cve-2020-16299.patch
Normal file
58
SOURCES/ghostscript-cve-2020-16299.patch
Normal file
@ -0,0 +1,58 @@
|
||||
diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
|
||||
index 5c8b7fb..53da0ec 100644
|
||||
--- a/contrib/japanese/gdev10v.c
|
||||
+++ b/contrib/japanese/gdev10v.c
|
||||
@@ -73,8 +73,20 @@ gx_device_procs prn_bj10v_procs =
|
||||
prn_matrix_procs(gdev_prn_open, bj10v_get_initial_matrix,
|
||||
gdev_prn_output_page, gdev_prn_close);
|
||||
#endif
|
||||
+
|
||||
+static int
|
||||
+bj10v_open(gx_device * pdev)
|
||||
+{
|
||||
+ if (pdev->HWResolution[0] < 180 ||
|
||||
+ pdev->HWResolution[1] < 180)
|
||||
+ {
|
||||
+ emprintf(pdev->memory, "device requires a resolution of at least 180dpi\n");
|
||||
+ return_error(gs_error_rangecheck);
|
||||
+ }
|
||||
+ return gdev_prn_open(pdev);
|
||||
+}
|
||||
gx_device_procs prn_bj10v_procs =
|
||||
- prn_procs(gdev_prn_open, gdev_prn_output_page, gdev_prn_close);
|
||||
+ prn_procs(bj10v_open, gdev_prn_output_page, gdev_prn_close);
|
||||
|
||||
gx_device_printer gs_bj10v_device =
|
||||
prn_device(prn_bj10v_procs, "bj10v",
|
||||
diff --git a/contrib/japanese/gdevalps.c b/contrib/japanese/gdevalps.c
|
||||
index f29aeb1..d4de619 100644
|
||||
--- a/contrib/japanese/gdevalps.c
|
||||
+++ b/contrib/japanese/gdevalps.c
|
||||
@@ -155,13 +155,20 @@ static const char end_md[] = {
|
||||
static int
|
||||
md_open(gx_device *pdev)
|
||||
{
|
||||
- static const float md_margins[4] =
|
||||
- { MD_SIDE_MARGIN, MD_BOTTOM_MARGIN,
|
||||
- MD_SIDE_MARGIN, MD_TOP_MARGIN
|
||||
- };
|
||||
-
|
||||
- gx_device_set_margins(pdev, md_margins, true);
|
||||
- return gdev_prn_open(pdev);
|
||||
+ static const float md_margins[4] =
|
||||
+ {
|
||||
+ MD_SIDE_MARGIN, MD_BOTTOM_MARGIN,
|
||||
+ MD_SIDE_MARGIN, MD_TOP_MARGIN
|
||||
+ };
|
||||
+
|
||||
+ if (pdev->HWResolution[0] != 600)
|
||||
+ {
|
||||
+ emprintf(pdev->memory, "device must have an X resolution of 600dpi\n");
|
||||
+ return_error(gs_error_rangecheck);
|
||||
+ }
|
||||
+
|
||||
+ gx_device_set_margins(pdev, md_margins, true);
|
||||
+ return gdev_prn_open(pdev);
|
||||
}
|
||||
|
||||
/* MD5000 monochrome mode entrance. */
|
75
SOURCES/ghostscript-cve-2020-16301.patch
Normal file
75
SOURCES/ghostscript-cve-2020-16301.patch
Normal file
@ -0,0 +1,75 @@
|
||||
From f54414c8b15b2c27d1dcadd92cfe84f6d15f18dc Mon Sep 17 00:00:00 2001
|
||||
From: Julian Smith <jules@op59.net>
|
||||
Date: Thu, 31 Oct 2019 13:12:47 +0000
|
||||
Subject: [PATCH] Bug 701808: return error from okiibm_print_page1() if x_dpi
|
||||
too high.
|
||||
|
||||
Avoids asan error in:
|
||||
./sanbin/gs -dBATCH -dNOPAUSE -dSAFER -r599 -sOutputFile=tmp -sDEVICE=okiibm ../bug-701808.pdf
|
||||
---
|
||||
devices/gdevokii.c | 46 ++++++++++++++++++++++++++++++++--------------
|
||||
1 file changed, 32 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/devices/gdevokii.c b/devices/gdevokii.c
|
||||
index d8929a22c..97a1c3b88 100644
|
||||
--- a/devices/gdevokii.c
|
||||
+++ b/devices/gdevokii.c
|
||||
@@ -96,23 +96,41 @@ okiibm_print_page1(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high
|
||||
-1, 0 /*60*/, 1 /*120*/, -1, 3 /*240*/
|
||||
};
|
||||
|
||||
- int in_y_mult = (y_9pin_high ? 2 : 1);
|
||||
- int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
|
||||
- /* Note that in_size is a multiple of 8. */
|
||||
- int in_size = line_size * (8 * in_y_mult);
|
||||
- byte *buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf1)");
|
||||
- byte *buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf2)");
|
||||
- byte *in = buf1;
|
||||
- byte *out = buf2;
|
||||
- int out_y_mult = 1;
|
||||
- int x_dpi = pdev->x_pixels_per_inch;
|
||||
- char start_graphics = graphics_modes_9[x_dpi / 60];
|
||||
- int first_pass = (start_graphics == 3 ? 1 : 0);
|
||||
- int last_pass = first_pass * 2;
|
||||
- int y_passes = (y_9pin_high ? 2 : 1);
|
||||
+ int in_y_mult;
|
||||
+ int line_size;
|
||||
+ int in_size;
|
||||
+ byte *buf1;
|
||||
+ byte *buf2;
|
||||
+ byte *in;
|
||||
+ byte *out;
|
||||
+ int out_y_mult;
|
||||
+ int x_dpi;
|
||||
+ char start_graphics;
|
||||
+ int first_pass;
|
||||
+ int last_pass;
|
||||
+ int y_passes;
|
||||
int skip = 0, lnum = 0, pass, ypass;
|
||||
int y_step = 0;
|
||||
|
||||
+ x_dpi = pdev->x_pixels_per_inch;
|
||||
+ if (x_dpi / 60 >= sizeof(graphics_modes_9)/sizeof(graphics_modes_9[0])) {
|
||||
+ return_error(gs_error_rangecheck);
|
||||
+ }
|
||||
+ in_y_mult = (y_9pin_high ? 2 : 1);
|
||||
+ line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
|
||||
+ /* Note that in_size is a multiple of 8. */
|
||||
+ in_size = line_size * (8 * in_y_mult);
|
||||
+ buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf1)");
|
||||
+ buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf2)");
|
||||
+ in = buf1;
|
||||
+ out = buf2;
|
||||
+ out_y_mult = 1;
|
||||
+ start_graphics = graphics_modes_9[x_dpi / 60];
|
||||
+ first_pass = (start_graphics == 3 ? 1 : 0);
|
||||
+ last_pass = first_pass * 2;
|
||||
+ y_passes = (y_9pin_high ? 2 : 1);
|
||||
+ y_step = 0;
|
||||
+
|
||||
/* Check allocations */
|
||||
if ( buf1 == 0 || buf2 == 0 )
|
||||
{ if ( buf1 )
|
||||
--
|
||||
2.35.3
|
||||
|
228
SOURCES/ghostscript-cve-2020-16302.patch
Normal file
228
SOURCES/ghostscript-cve-2020-16302.patch
Normal file
@ -0,0 +1,228 @@
|
||||
diff --git a/devices/gdev3852.c b/devices/gdev3852.c
|
||||
index 2bee8ec..9d99068 100644
|
||||
--- a/devices/gdev3852.c
|
||||
+++ b/devices/gdev3852.c
|
||||
@@ -62,116 +62,117 @@ jetp3852_print_page(gx_device_printer *pdev, FILE *prn_stream)
|
||||
#define DATA_SIZE (LINE_SIZE * 8)
|
||||
|
||||
unsigned int cnt_2prn;
|
||||
- unsigned int count,tempcnt;
|
||||
- unsigned char vtp,cntc1,cntc2;
|
||||
- int line_size_color_plane;
|
||||
-
|
||||
- byte data[DATA_SIZE];
|
||||
- byte plane_data[LINE_SIZE * 3];
|
||||
-
|
||||
- /* Set initial condition for printer */
|
||||
- fputs("\033@",prn_stream);
|
||||
-
|
||||
- /* Send each scan line in turn */
|
||||
- { int lnum;
|
||||
- int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
|
||||
- int num_blank_lines = 0;
|
||||
-
|
||||
- if (line_size > DATA_SIZE) {
|
||||
- emprintf2(pdev->memory, "invalid resolution and/or width gives line_size = %d, max. is %d\n",
|
||||
- line_size, DATA_SIZE);
|
||||
- return_error(gs_error_rangecheck);
|
||||
- }
|
||||
-
|
||||
- for ( lnum = 0; lnum < pdev->height; lnum++ )
|
||||
- { byte *end_data = data + line_size;
|
||||
- gdev_prn_copy_scan_lines(pdev, lnum,
|
||||
- (byte *)data, line_size);
|
||||
- /* Remove trailing 0s. */
|
||||
- while ( end_data > data && end_data[-1] == 0 )
|
||||
- end_data--;
|
||||
- if ( end_data == data )
|
||||
- { /* Blank line */
|
||||
- num_blank_lines++;
|
||||
- }
|
||||
- else
|
||||
- { int i;
|
||||
- byte *odp;
|
||||
- byte *row;
|
||||
-
|
||||
- /* Pad with 0s to fill out the last */
|
||||
- /* block of 8 bytes. */
|
||||
- memset(end_data, 0, 7);
|
||||
-
|
||||
- /* Transpose the data to get pixel planes. */
|
||||
- for ( i = 0, odp = plane_data; i < DATA_SIZE;
|
||||
- i += 8, odp++
|
||||
- )
|
||||
- { /* The following is for 16-bit machines */
|
||||
+ unsigned int count,tempcnt;
|
||||
+ unsigned char vtp,cntc1,cntc2;
|
||||
+ int line_size_color_plane;
|
||||
+
|
||||
+ byte data[DATA_SIZE];
|
||||
+ byte plane_data[LINE_SIZE * 3];
|
||||
+
|
||||
+ /* Initialise data to zeros, otherwise later on, uninitialised bytes in
|
||||
+ dp[] can be greater than 7, which breaks spr8[dp[]]. */
|
||||
+ memset(data, 0x00, DATA_SIZE);
|
||||
+
|
||||
+
|
||||
+ /* Set initial condition for printer */
|
||||
+ fputs("\033@",prn_stream);
|
||||
+
|
||||
+ /* Send each scan line in turn */
|
||||
+ { int lnum;
|
||||
+ int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev);
|
||||
+ int num_blank_lines = 0;
|
||||
+
|
||||
+ if (line_size > DATA_SIZE) {
|
||||
+ emprintf2(pdev->memory, "invalid resolution and/or width gives line_size = %d, max. is %d\n",
|
||||
+ line_size, DATA_SIZE);
|
||||
+ return_error(gs_error_rangecheck);
|
||||
+ }
|
||||
+
|
||||
+ for ( lnum = 0; lnum < pdev->height; lnum++ )
|
||||
+ { byte *end_data = data + line_size;
|
||||
+ gdev_prn_copy_scan_lines(pdev, lnum,
|
||||
+ (byte *)data, line_size);
|
||||
+ /* Remove trailing 0s. */
|
||||
+ while ( end_data > data && end_data[-1] == 0 )
|
||||
+ end_data--;
|
||||
+ if ( end_data == data )
|
||||
+ { /* Blank line */
|
||||
+ num_blank_lines++;
|
||||
+ }
|
||||
+ else
|
||||
+ { int i;
|
||||
+ byte *odp;
|
||||
+ byte *row;
|
||||
+
|
||||
+ /* Transpose the data to get pixel planes. */
|
||||
+ for ( i = 0, odp = plane_data; i < DATA_SIZE;
|
||||
+ i += 8, odp++
|
||||
+ )
|
||||
+ { /* The following is for 16-bit machines */
|
||||
#define spread3(c)\
|
||||
{ 0, c, c*0x100, c*0x101, c*0x10000L, c*0x10001L, c*0x10100L, c*0x10101L }
|
||||
- static ulong spr40[8] = spread3(0x40);
|
||||
- static ulong spr8[8] = spread3(8);
|
||||
- static ulong spr2[8] = spread3(2);
|
||||
- register byte *dp = data + i;
|
||||
- register ulong pword =
|
||||
- (spr40[dp[0]] << 1) +
|
||||
- (spr40[dp[1]]) +
|
||||
- (spr40[dp[2]] >> 1) +
|
||||
- (spr8[dp[3]] << 1) +
|
||||
- (spr8[dp[4]]) +
|
||||
- (spr8[dp[5]] >> 1) +
|
||||
- (spr2[dp[6]]) +
|
||||
- (spr2[dp[7]] >> 1);
|
||||
- odp[0] = (byte)(pword >> 16);
|
||||
- odp[LINE_SIZE] = (byte)(pword >> 8);
|
||||
- odp[LINE_SIZE*2] = (byte)(pword);
|
||||
- }
|
||||
- /* Skip blank lines if any */
|
||||
- if ( num_blank_lines > 0 )
|
||||
- {
|
||||
- /* Do "dot skips" */
|
||||
- while(num_blank_lines > 255)
|
||||
- {
|
||||
- fputs("\033e\377",prn_stream);
|
||||
- num_blank_lines -= 255;
|
||||
- }
|
||||
- vtp = num_blank_lines;
|
||||
- fprintf(prn_stream,"\033e%c",vtp);
|
||||
- num_blank_lines = 0;
|
||||
- }
|
||||
-
|
||||
- /* Transfer raster graphics in the order R, G, B. */
|
||||
- /* Apparently it is stored in B, G, R */
|
||||
- /* Calculate the amount of data to send by what */
|
||||
- /* Ghostscript tells us the scan line_size in (bytes) */
|
||||
-
|
||||
- count = line_size / 3;
|
||||
- line_size_color_plane = count / 3;
|
||||
- cnt_2prn = line_size_color_plane * 3 + 5;
|
||||
- tempcnt = cnt_2prn;
|
||||
- cntc1 = (tempcnt & 0xFF00) >> 8;
|
||||
- cntc2 = (tempcnt & 0x00FF);
|
||||
- fprintf(prn_stream, "\033[O%c%c\200\037",cntc2,cntc1);
|
||||
- fputc('\000',prn_stream);
|
||||
+ static ulong spr40[8] = spread3(0x40);
|
||||
+ static ulong spr8[8] = spread3(8);
|
||||
+ static ulong spr2[8] = spread3(2);
|
||||
+ register byte *dp = data + i;
|
||||
+ register ulong pword =
|
||||
+ (spr40[dp[0]] << 1) +
|
||||
+ (spr40[dp[1]]) +
|
||||
+ (spr40[dp[2]] >> 1) +
|
||||
+ (spr8[dp[3]] << 1) +
|
||||
+ (spr8[dp[4]]) +
|
||||
+ (spr8[dp[5]] >> 1) +
|
||||
+ (spr2[dp[6]]) +
|
||||
+ (spr2[dp[7]] >> 1);
|
||||
+ odp[0] = (byte)(pword >> 16);
|
||||
+ odp[LINE_SIZE] = (byte)(pword >> 8);
|
||||
+ odp[LINE_SIZE*2] = (byte)(pword);
|
||||
+ }
|
||||
+ /* Skip blank lines if any */
|
||||
+ if ( num_blank_lines > 0 )
|
||||
+ {
|
||||
+ /* Do "dot skips" */
|
||||
+ while(num_blank_lines > 255)
|
||||
+ {
|
||||
+ fputs("\033e\377",prn_stream);
|
||||
+ num_blank_lines -= 255;
|
||||
+ }
|
||||
+ vtp = num_blank_lines;
|
||||
+ fprintf(prn_stream,"\033e%c",vtp);
|
||||
+ num_blank_lines = 0;
|
||||
+ }
|
||||
+
|
||||
+ /* Transfer raster graphics in the order R, G, B. */
|
||||
+ /* Apparently it is stored in B, G, R */
|
||||
+ /* Calculate the amount of data to send by what */
|
||||
+ /* Ghostscript tells us the scan line_size in (bytes) */
|
||||
+
|
||||
+ count = line_size / 3;
|
||||
+ line_size_color_plane = count / 3;
|
||||
+ cnt_2prn = line_size_color_plane * 3 + 5;
|
||||
+ tempcnt = cnt_2prn;
|
||||
+ cntc1 = (tempcnt & 0xFF00) >> 8;
|
||||
+ cntc2 = (tempcnt & 0x00FF);
|
||||
+ fprintf(prn_stream, "\033[O%c%c\200\037",cntc2,cntc1);
|
||||
+ fputc('\000',prn_stream);
|
||||
fputs("\124\124",prn_stream);
|
||||
|
||||
- for ( row = plane_data + LINE_SIZE * 2, i = 0;
|
||||
- i < 3; row -= LINE_SIZE, i++ )
|
||||
- { int jj;
|
||||
- byte ctemp;
|
||||
- odp = row;
|
||||
- /* Complement bytes */
|
||||
- for (jj=0; jj< line_size_color_plane; jj++)
|
||||
- { ctemp = *odp;
|
||||
- *odp++ = ~ctemp;
|
||||
- }
|
||||
- fwrite(row, sizeof(byte),
|
||||
- line_size_color_plane, prn_stream);
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
+ for ( row = plane_data + LINE_SIZE * 2, i = 0;
|
||||
+ i < 3; row -= LINE_SIZE, i++ )
|
||||
+ { int jj;
|
||||
+ byte ctemp;
|
||||
+ odp = row;
|
||||
+ /* Complement bytes */
|
||||
+ for (jj=0; jj< line_size_color_plane; jj++)
|
||||
+ { ctemp = *odp;
|
||||
+ *odp++ = ~ctemp;
|
||||
+ }
|
||||
+ fwrite(row, sizeof(byte),
|
||||
+ line_size_color_plane, prn_stream);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
|
||||
/* eject page */
|
||||
fputs("\014", prn_stream);
|
77
SOURCES/ghostscript-cve-2020-16304.patch
Normal file
77
SOURCES/ghostscript-cve-2020-16304.patch
Normal file
@ -0,0 +1,77 @@
|
||||
diff --git a/base/gxicolor.c b/base/gxicolor.c
|
||||
index 34cfaa4..585bd81 100644
|
||||
--- a/base/gxicolor.c
|
||||
+++ b/base/gxicolor.c
|
||||
@@ -644,16 +644,16 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
|
||||
*(devc_contone_gray+1) = *psrc_temp;
|
||||
}
|
||||
} else {
|
||||
- /* Mono case, forward */
|
||||
- psrc_temp = psrc_cm;
|
||||
- for (k=0; k<src_size; k++) {
|
||||
- dda_next(dda_ht);
|
||||
- xn = fixed2int_var_rounded(dda_current(dda_ht));
|
||||
- while (xr < xn) {
|
||||
- *devc_contone_gray++ = *psrc_temp;
|
||||
- xr++;
|
||||
- } /* at loop exit xn will be >= xr */
|
||||
- psrc_temp++;
|
||||
+ /* Mono case, forward */
|
||||
+ psrc_temp = psrc_cm;
|
||||
+ for (k=0; k<src_size; k++) {
|
||||
+ dda_next(dda_ht);
|
||||
+ xn = fixed2int_var_rounded(dda_current(dda_ht));
|
||||
+ while (xr < xn) {
|
||||
+ *devc_contone_gray++ = *psrc_temp;
|
||||
+ xr++;
|
||||
+ } /* at loop exit xn will be >= xr */
|
||||
+ psrc_temp++;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@@ -668,7 +668,7 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
|
||||
xr--;
|
||||
} /* at loop exit xn will be >= xr */
|
||||
psrc_temp++;
|
||||
- }
|
||||
+ }
|
||||
}
|
||||
break;
|
||||
/* Monochrome landscape */
|
||||
@@ -811,10 +811,9 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
|
||||
dda_next(dda_ht);
|
||||
xn = fixed2int_var_rounded(dda_current(dda_ht));
|
||||
while (xr > xn) {
|
||||
- for (j = 0; j < spp_out; j++) {
|
||||
+ for (j = 0; j < spp_out; j++)
|
||||
*(devc_contone[j] + position) = (psrc_plane[j])[i];
|
||||
- position -= LAND_BITS;
|
||||
- }
|
||||
+ position -= LAND_BITS;
|
||||
xr--;
|
||||
} /* at loop exit xn will be <= xr */
|
||||
i++;
|
||||
@@ -825,9 +824,8 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
|
||||
and 2x scaling which we will run into in 300 and
|
||||
600dpi devices and content */
|
||||
/* Apply initial offset */
|
||||
- for (k = 0; k < spp_out; k++) {
|
||||
+ for (k = 0; k < spp_out; k++)
|
||||
devc_contone[k] = devc_contone[k] + position;
|
||||
- }
|
||||
if (src_size == dest_height) {
|
||||
for (k = 0; k < data_length; k++) {
|
||||
/* Is it better to unwind this? We know it is 4 */
|
||||
@@ -853,10 +851,9 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat
|
||||
dda_next(dda_ht);
|
||||
xn = fixed2int_var_rounded(dda_current(dda_ht));
|
||||
while (xr > xn) {
|
||||
- for (j = 0; j < spp_out; j++) {
|
||||
+ for (j = 0; j < spp_out; j++)
|
||||
*(devc_contone[j] + position) = (psrc_plane[j])[i];
|
||||
- position -= LAND_BITS;
|
||||
- }
|
||||
+ position -= LAND_BITS;
|
||||
xr--;
|
||||
} /* at loop exit xn will be <= xr */
|
||||
i++;
|
20
SOURCES/ghostscript-cve-2020-16306.patch
Normal file
20
SOURCES/ghostscript-cve-2020-16306.patch
Normal file
@ -0,0 +1,20 @@
|
||||
diff --git a/devices/gdevtsep.c b/devices/gdevtsep.c
|
||||
index 6a50a4a..471fcb5 100644
|
||||
--- a/devices/gdevtsep.c
|
||||
+++ b/devices/gdevtsep.c
|
||||
@@ -2332,6 +2332,7 @@ tiffsep_print_page(gx_device_printer * pdev, FILE * file)
|
||||
"\nUse of the %%d format is required to output more than one page to tiffsep.\n"
|
||||
"See doc/Devices.htm#TIFF for details.\n\n");
|
||||
code = gs_note_error(gs_error_ioerror);
|
||||
+ goto done;
|
||||
}
|
||||
/* Write the page directory for the CMYK equivalent file. */
|
||||
if (!tfdev->comp_file) {
|
||||
@@ -2685,6 +2686,7 @@ tiffsep1_print_page(gx_device_printer * pdev, FILE * file)
|
||||
"\nUse of the %%d format is required to output more than one page to tiffsep1.\n"
|
||||
"See doc/Devices.htm#TIFF for details.\n\n");
|
||||
code = gs_note_error(gs_error_ioerror);
|
||||
+ goto done;
|
||||
}
|
||||
/* If the output file is on disk and the name contains a page #, */
|
||||
/* then delete the previous file. */
|
205
SOURCES/ghostscript-cve-2020-16307.patch
Normal file
205
SOURCES/ghostscript-cve-2020-16307.patch
Normal file
@ -0,0 +1,205 @@
|
||||
diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c
|
||||
index b958027..7f02608 100644
|
||||
--- a/devices/vector/gdevtxtw.c
|
||||
+++ b/devices/vector/gdevtxtw.c
|
||||
@@ -1693,97 +1693,100 @@ static int get_unicode(textw_text_enum_t *penum, gs_font *font, gs_glyph glyph,
|
||||
|
||||
length = font->procs.decode_glyph((gs_font *)font, glyph, ch, NULL, 0);
|
||||
if (length == 0) {
|
||||
- code = font->procs.glyph_name(font, glyph, &gnstr);
|
||||
- if (code >= 0 && gnstr.size == 7) {
|
||||
- if (!memcmp(gnstr.data, "uni", 3)) {
|
||||
- static const char *hexdigits = "0123456789ABCDEF";
|
||||
- char *d0 = strchr(hexdigits, gnstr.data[3]);
|
||||
- char *d1 = strchr(hexdigits, gnstr.data[4]);
|
||||
- char *d2 = strchr(hexdigits, gnstr.data[5]);
|
||||
- char *d3 = strchr(hexdigits, gnstr.data[6]);
|
||||
-
|
||||
- if (d0 != NULL && d1 != NULL && d2 != NULL && d3 != NULL) {
|
||||
- *Buffer++ = ((d0 - hexdigits) << 12) + ((d1 - hexdigits) << 8) + ((d2 - hexdigits) << 4) + (d3 - hexdigits);
|
||||
- return 1;
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- if (length == 0) {
|
||||
- single_glyph_list_t *sentry = (single_glyph_list_t *)&SingleGlyphList;
|
||||
- double_glyph_list_t *dentry = (double_glyph_list_t *)&DoubleGlyphList;
|
||||
- treble_glyph_list_t *tentry = (treble_glyph_list_t *)&TrebleGlyphList;
|
||||
- quad_glyph_list_t *qentry = (quad_glyph_list_t *)&QuadGlyphList;
|
||||
-
|
||||
- /* Search glyph to single Unicode value table */
|
||||
- while (sentry->Glyph != 0) {
|
||||
- if (sentry->Glyph[0] < gnstr.data[0]) {
|
||||
- sentry++;
|
||||
- continue;
|
||||
- }
|
||||
- if (sentry->Glyph[0] > gnstr.data[0]){
|
||||
- break;
|
||||
- }
|
||||
- if (strlen(sentry->Glyph) == gnstr.size) {
|
||||
- if(memcmp(gnstr.data, sentry->Glyph, gnstr.size) == 0) {
|
||||
- *Buffer = sentry->Unicode;
|
||||
+ if (glyph != GS_NO_GLYPH) {
|
||||
+ code = font->procs.glyph_name(font, glyph, &gnstr);
|
||||
+ if (code >= 0 && gnstr.size == 7) {
|
||||
+ if (!memcmp(gnstr.data, "uni", 3)) {
|
||||
+ static const char *hexdigits = "0123456789ABCDEF";
|
||||
+ char *d0 = strchr(hexdigits, gnstr.data[3]);
|
||||
+ char *d1 = strchr(hexdigits, gnstr.data[4]);
|
||||
+ char *d2 = strchr(hexdigits, gnstr.data[5]);
|
||||
+ char *d3 = strchr(hexdigits, gnstr.data[6]);
|
||||
+
|
||||
+ if (d0 != NULL && d1 != NULL && d2 != NULL && d3 != NULL) {
|
||||
+ *Buffer++ = ((d0 - hexdigits) << 12) + ((d1 - hexdigits) << 8) + ((d2 - hexdigits) << 4) + (d3 - hexdigits);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
- sentry++;
|
||||
}
|
||||
|
||||
- /* Search glyph to double Unicode value table */
|
||||
- while (dentry->Glyph != 0) {
|
||||
- if (dentry->Glyph[0] < gnstr.data[0]) {
|
||||
- dentry++;
|
||||
- continue;
|
||||
- }
|
||||
- if (dentry->Glyph[0] > gnstr.data[0]){
|
||||
- break;
|
||||
- }
|
||||
- if (strlen(dentry->Glyph) == gnstr.size) {
|
||||
- if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) {
|
||||
- memcpy(Buffer, dentry->Unicode, 2);
|
||||
- return 2;
|
||||
+ if (length == 0) {
|
||||
+ single_glyph_list_t *sentry = (single_glyph_list_t *)&SingleGlyphList;
|
||||
+ double_glyph_list_t *dentry = (double_glyph_list_t *)&DoubleGlyphList;
|
||||
+ treble_glyph_list_t *tentry = (treble_glyph_list_t *)&TrebleGlyphList;
|
||||
+ quad_glyph_list_t *qentry = (quad_glyph_list_t *)&QuadGlyphList;
|
||||
+
|
||||
+ /* Search glyph to single Unicode value table */
|
||||
+ while (sentry->Glyph != 0) {
|
||||
+ if (sentry->Glyph[0] < gnstr.data[0]) {
|
||||
+ sentry++;
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (sentry->Glyph[0] > gnstr.data[0]){
|
||||
+ break;
|
||||
+ }
|
||||
+ if (strlen(sentry->Glyph) == gnstr.size) {
|
||||
+ if(memcmp(gnstr.data, sentry->Glyph, gnstr.size) == 0) {
|
||||
+ *Buffer = sentry->Unicode;
|
||||
+ return 1;
|
||||
+ }
|
||||
}
|
||||
+ sentry++;
|
||||
}
|
||||
- dentry++;
|
||||
- }
|
||||
|
||||
- /* Search glyph to triple Unicode value table */
|
||||
- while (tentry->Glyph != 0) {
|
||||
- if (tentry->Glyph[0] < gnstr.data[0]) {
|
||||
- tentry++;
|
||||
- continue;
|
||||
- }
|
||||
- if (tentry->Glyph[0] > gnstr.data[0]){
|
||||
- break;
|
||||
- }
|
||||
- if (strlen(tentry->Glyph) == gnstr.size) {
|
||||
- if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) {
|
||||
- memcpy(Buffer, tentry->Unicode, 3);
|
||||
- return 3;
|
||||
+ /* Search glyph to double Unicode value table */
|
||||
+ while (dentry->Glyph != 0) {
|
||||
+ if (dentry->Glyph[0] < gnstr.data[0]) {
|
||||
+ dentry++;
|
||||
+ continue;
|
||||
}
|
||||
+ if (dentry->Glyph[0] > gnstr.data[0]){
|
||||
+ break;
|
||||
+ }
|
||||
+ if (strlen(dentry->Glyph) == gnstr.size) {
|
||||
+ if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) {
|
||||
+ memcpy(Buffer, dentry->Unicode, 2);
|
||||
+ return 2;
|
||||
+ }
|
||||
+ }
|
||||
+ dentry++;
|
||||
}
|
||||
- tentry++;
|
||||
- }
|
||||
|
||||
- /* Search glyph to quadruple Unicode value table */
|
||||
- while (qentry->Glyph != 0) {
|
||||
- if (qentry->Glyph[0] < gnstr.data[0]) {
|
||||
- qentry++;
|
||||
- continue;
|
||||
- }
|
||||
- if (qentry->Glyph[0] > gnstr.data[0]){
|
||||
- break;
|
||||
+ /* Search glyph to triple Unicode value table */
|
||||
+ while (tentry->Glyph != 0) {
|
||||
+ if (tentry->Glyph[0] < gnstr.data[0]) {
|
||||
+ tentry++;
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (tentry->Glyph[0] > gnstr.data[0]){
|
||||
+ break;
|
||||
+ }
|
||||
+ if (strlen(tentry->Glyph) == gnstr.size) {
|
||||
+ if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) {
|
||||
+ memcpy(Buffer, tentry->Unicode, 3);
|
||||
+ return 3;
|
||||
+ }
|
||||
+ }
|
||||
+ tentry++;
|
||||
}
|
||||
- if (strlen(qentry->Glyph) == gnstr.size) {
|
||||
- if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) {
|
||||
- memcpy(Buffer, qentry->Unicode, 4);
|
||||
- return 4;
|
||||
+
|
||||
+ /* Search glyph to quadruple Unicode value table */
|
||||
+ while (qentry->Glyph != 0) {
|
||||
+ if (qentry->Glyph[0] < gnstr.data[0]) {
|
||||
+ qentry++;
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (qentry->Glyph[0] > gnstr.data[0]){
|
||||
+ break;
|
||||
}
|
||||
+ if (strlen(qentry->Glyph) == gnstr.size) {
|
||||
+ if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) {
|
||||
+ memcpy(Buffer, qentry->Unicode, 4);
|
||||
+ return 4;
|
||||
+ }
|
||||
+ }
|
||||
+ qentry++;
|
||||
}
|
||||
- qentry++;
|
||||
}
|
||||
}
|
||||
*Buffer = fallback;
|
||||
@@ -1890,8 +1893,8 @@ txtwrite_process_cmap_text(gs_text_enum_t *pte)
|
||||
pte->returned.total_width.x += dpt.x;
|
||||
pte->returned.total_width.y += dpt.y;
|
||||
|
||||
- penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, chr, &penum->TextBuffer[penum->TextBufferIndex]);
|
||||
penum->Widths[penum->TextBufferIndex] += dpt.x;
|
||||
+ penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, chr, &penum->TextBuffer[penum->TextBufferIndex]);
|
||||
break;
|
||||
case 2: /* end of string */
|
||||
return 0;
|
||||
diff --git a/psi/zbfont.c b/psi/zbfont.c
|
||||
index 262fea9..abc03aa 100644
|
||||
--- a/psi/zbfont.c
|
||||
+++ b/psi/zbfont.c
|
||||
@@ -272,7 +272,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u
|
||||
* can't be a default value for FontInfo.GlyphNames2Unicode .
|
||||
*/
|
||||
}
|
||||
- if (glyph <= GS_MIN_CID_GLYPH) {
|
||||
+ if (glyph <= GS_MIN_CID_GLYPH && glyph != GS_NO_GLYPH) {
|
||||
UnicodeDecoding = zfont_get_to_unicode_map(font->dir);
|
||||
if (UnicodeDecoding != NULL && r_type(UnicodeDecoding) == t_dictionary)
|
||||
return gs_font_map_glyph_by_dict(font->memory, UnicodeDecoding, glyph, u, length);
|
57
SOURCES/ghostscript-cve-2020-16310.patch
Normal file
57
SOURCES/ghostscript-cve-2020-16310.patch
Normal file
@ -0,0 +1,57 @@
|
||||
diff --git a/devices/gdevdm24.c b/devices/gdevdm24.c
|
||||
index 4736f4f..2f610cd 100644
|
||||
--- a/devices/gdevdm24.c
|
||||
+++ b/devices/gdevdm24.c
|
||||
@@ -51,21 +51,39 @@ static void dot24_improve_bitmap (byte *, int);
|
||||
static int
|
||||
dot24_print_page (gx_device_printer *pdev, FILE *prn_stream, char *init_string, int init_len)
|
||||
{
|
||||
- int xres = (int)pdev->x_pixels_per_inch;
|
||||
- int yres = (int)pdev->y_pixels_per_inch;
|
||||
- int x_high = (xres == 360);
|
||||
- int y_high = (yres == 360);
|
||||
- int bits_per_column = (y_high ? 48 : 24);
|
||||
- uint line_size = gdev_prn_raster (pdev);
|
||||
- uint in_size = line_size * bits_per_column;
|
||||
- byte *in = (byte *) gs_malloc (pdev->memory, in_size, 1, "dot24_print_page (in)");
|
||||
- uint out_size = ((pdev->width + 7) & -8) * 3;
|
||||
- byte *out = (byte *) gs_malloc (pdev->memory, out_size, 1, "dot24_print_page (out)");
|
||||
- int y_passes = (y_high ? 2 : 1);
|
||||
- int dots_per_space = xres / 10; /* pica space = 1/10" */
|
||||
- int bytes_per_space = dots_per_space * 3;
|
||||
+ int xres;
|
||||
+ int yres;
|
||||
+ int x_high;
|
||||
+ int y_high;
|
||||
+ int bits_per_column;
|
||||
+ uint line_size;
|
||||
+ uint in_size;
|
||||
+ byte *in;
|
||||
+ uint out_size;
|
||||
+ byte *out;
|
||||
+ int y_passes;
|
||||
+ int dots_per_space;
|
||||
+ int bytes_per_space;
|
||||
int skip = 0, lnum = 0, ypass;
|
||||
|
||||
+ xres = (int)pdev->x_pixels_per_inch;
|
||||
+ yres = (int)pdev->y_pixels_per_inch;
|
||||
+ x_high = (xres == 360);
|
||||
+ y_high = (yres == 360);
|
||||
+ dots_per_space = xres / 10; /* pica space = 1/10" */
|
||||
+ bytes_per_space = dots_per_space * 3;
|
||||
+ if (bytes_per_space == 0) {
|
||||
+ /* We divide by bytes_per_space later on. */
|
||||
+ return_error(gs_error_rangecheck);
|
||||
+ }
|
||||
+ bits_per_column = (y_high ? 48 : 24);
|
||||
+ line_size = gdev_prn_raster (pdev);
|
||||
+ in_size = line_size * bits_per_column;
|
||||
+ in = (byte *) gs_malloc (pdev->memory, in_size, 1, "dot24_print_page (in)");
|
||||
+ out_size = ((pdev->width + 7) & -8) * 3;
|
||||
+ out = (byte *) gs_malloc (pdev->memory, out_size, 1, "dot24_print_page (out)");
|
||||
+ y_passes = (y_high ? 2 : 1);
|
||||
+
|
||||
/* Check allocations */
|
||||
if (in == 0 || out == 0)
|
||||
{
|
154
SOURCES/gs-cve-2024-33871.patch
Normal file
154
SOURCES/gs-cve-2024-33871.patch
Normal file
@ -0,0 +1,154 @@
|
||||
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
|
||||
index 55a785e..be77534 100644
|
||||
--- a/Resource/Init/gs_init.ps
|
||||
+++ b/Resource/Init/gs_init.ps
|
||||
@@ -2607,4 +2607,6 @@ WRITESYSTEMDICT {
|
||||
% be 'true' in some cases.
|
||||
userdict /AGM_preserve_spots //false put
|
||||
|
||||
+.opvpactivatepathcontrol
|
||||
+
|
||||
% The interpreter will run the initial procedure (start).
|
||||
diff --git a/base/gslibctx.c b/base/gslibctx.c
|
||||
index 1ed6093..14fb57c 100644
|
||||
--- a/base/gslibctx.c
|
||||
+++ b/base/gslibctx.c
|
||||
@@ -435,3 +435,27 @@ gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, co
|
||||
}
|
||||
return code;
|
||||
}
|
||||
+
|
||||
+void
|
||||
+opvp_activate_path_control(gs_memory_t *mem, int enable)
|
||||
+{
|
||||
+ gs_lib_ctx_core_t *core;
|
||||
+
|
||||
+ if (mem == NULL || mem->gs_lib_ctx == NULL ||
|
||||
+ (core = mem->gs_lib_ctx->core) == NULL)
|
||||
+ return;
|
||||
+
|
||||
+ core->opvp_path_control_active = enable;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+opvp_is_path_control_active(const gs_memory_t *mem)
|
||||
+{
|
||||
+ gs_lib_ctx_core_t *core;
|
||||
+
|
||||
+ if (mem == NULL || mem->gs_lib_ctx == NULL ||
|
||||
+ (core = mem->gs_lib_ctx->core) == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+ return core->opvp_path_control_active;
|
||||
+}
|
||||
diff --git a/base/gslibctx.h b/base/gslibctx.h
|
||||
index 1481cb5..e4b3924 100644
|
||||
--- a/base/gslibctx.h
|
||||
+++ b/base/gslibctx.h
|
||||
@@ -61,6 +61,8 @@ typedef struct {
|
||||
bool CPSI_mode;
|
||||
int scanconverter;
|
||||
int act_on_uel;
|
||||
+
|
||||
+ int opvp_path_control_active;
|
||||
} gs_lib_ctx_core_t;
|
||||
|
||||
typedef struct gs_lib_ctx_s
|
||||
@@ -167,4 +169,10 @@ int sjpxd_create(gs_memory_t *mem);
|
||||
|
||||
void sjpxd_destroy(gs_memory_t *mem);
|
||||
|
||||
+void
|
||||
+opvp_activate_path_control(gs_memory_t *mem, int enable);
|
||||
+
|
||||
+int
|
||||
+opvp_is_path_control_active(const gs_memory_t *mem);
|
||||
+
|
||||
#endif /* GSLIBCTX_H */
|
||||
diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
|
||||
index 9a6b45b..9693673 100644
|
||||
--- a/contrib/opvp/gdevopvp.c
|
||||
+++ b/contrib/opvp/gdevopvp.c
|
||||
@@ -185,7 +185,7 @@ static int opvp_copy_color(gx_device *, const byte *, int, int,
|
||||
static int _get_params(gs_param_list *);
|
||||
static int opvp_get_params(gx_device *, gs_param_list *);
|
||||
static int oprp_get_params(gx_device *, gs_param_list *);
|
||||
-static int _put_params(gs_param_list *);
|
||||
+static int _put_params(gx_device *, gs_param_list *);
|
||||
static int opvp_put_params(gx_device *, gs_param_list *);
|
||||
static int oprp_put_params(gx_device *, gs_param_list *);
|
||||
static int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *,
|
||||
@@ -3039,7 +3039,7 @@ _get_params(gs_param_list *plist)
|
||||
/* vector driver name */
|
||||
pname = "Driver";
|
||||
vdps.data = (byte *)vectorDriver;
|
||||
- vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0);
|
||||
+ vdps.size = (vectorDriver ? strlen(vectorDriver) : 0);
|
||||
vdps.persistent = false;
|
||||
code = param_write_string(plist, pname, &vdps);
|
||||
if (code) ecode = code;
|
||||
@@ -3176,7 +3176,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist)
|
||||
* put params
|
||||
*/
|
||||
static int
|
||||
-_put_params(gs_param_list *plist)
|
||||
+_put_params(gx_device *dev, gs_param_list *plist)
|
||||
{
|
||||
int code;
|
||||
int ecode = 0;
|
||||
@@ -3198,6 +3198,12 @@ _put_params(gs_param_list *plist)
|
||||
code = param_read_string(plist, pname, &vdps);
|
||||
switch (code) {
|
||||
case 0:
|
||||
+ if (opvp_is_path_control_active(dev->memory)
|
||||
+ && (!vectorDriver || strlen(vectorDriver) != vdps.size
|
||||
+ || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) {
|
||||
+ param_signal_error(plist, pname, gs_error_invalidaccess);
|
||||
+ return_error(gs_error_invalidaccess);
|
||||
+ }
|
||||
buff = realloc(buff, vdps.size + 1);
|
||||
memcpy(buff, vdps.data, vdps.size);
|
||||
buff[vdps.size] = 0;
|
||||
@@ -3399,7 +3405,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist)
|
||||
int code;
|
||||
|
||||
/* put params */
|
||||
- code = _put_params(plist);
|
||||
+ code = _put_params(dev, plist);
|
||||
if (code) return code;
|
||||
|
||||
/* put default params */
|
||||
@@ -3415,7 +3421,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist)
|
||||
int code;
|
||||
|
||||
/* put params */
|
||||
- code = _put_params(plist);
|
||||
+ code = _put_params(dev, plist);
|
||||
if (code) return code;
|
||||
|
||||
/* put default params */
|
||||
diff --git a/psi/zfile.c b/psi/zfile.c
|
||||
index 271a1a0..05b8203 100644
|
||||
--- a/psi/zfile.c
|
||||
+++ b/psi/zfile.c
|
||||
@@ -875,6 +875,12 @@ static int zgetfilename(i_ctx_t *i_ctx_p)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int zopvpactivatepathcontrol(i_ctx_t *i_ctx_p)
|
||||
+{
|
||||
+ opvp_activate_path_control(imemory, 1);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
/* ------ Initialization procedure ------ */
|
||||
|
||||
const op_def zfile_op_defs[] =
|
||||
@@ -893,6 +899,7 @@ const op_def zfile_op_defs[] =
|
||||
{"0%file_continue", file_continue},
|
||||
{"0%execfile_finish", execfile_finish},
|
||||
{"1.getfilename", zgetfilename},
|
||||
+ {"0.opvpactivatepathcontrol", zopvpactivatepathcontrol},
|
||||
op_def_end(0)
|
||||
};
|
||||
|
@ -27,22 +27,17 @@
|
||||
# tarballs, and their release tags/branches do not use the dot in version
|
||||
# tag. This makes obtaining the current version harder, and might prevent
|
||||
# automatic builds of new releases...
|
||||
%global version_short %%(echo "%{version}" | tr -d '.')
|
||||
%global version_short %(echo "%{version}" | tr -d '.')
|
||||
|
||||
# Obtain the location of Google Droid fonts directory:
|
||||
%global google_droid_fontpath %%(dirname $(fc-list : file | grep "DroidSansFallback"))
|
||||
|
||||
# Desired jbig2dec header files and library version
|
||||
# Apparantly, ghostscript complains even about newer versions
|
||||
# Please update if needed.
|
||||
%global jbig2dec_version 0.19
|
||||
|
||||
# =============================================================================
|
||||
|
||||
Name: ghostscript
|
||||
Summary: Interpreter for PostScript language & PDF
|
||||
Version: 9.54.0
|
||||
Release: 17%{?dist}
|
||||
Version: 9.27
|
||||
Release: 15%{?dist}
|
||||
|
||||
License: AGPLv3+
|
||||
|
||||
@ -50,12 +45,7 @@ URL: https://ghostscript.com/
|
||||
Source: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs%{version_short}/ghostscript-%{version}.tar.xz
|
||||
|
||||
Requires: libgs%{?_isa} = %{version}-%{release}
|
||||
Requires: jbig2dec-libs = %{jbig2dec_version}
|
||||
Requires: %{name}-tools-fonts%{?_isa} = %{version}-%{release}
|
||||
Requires: %{name}-tools-printing%{?_isa} = %{version}-%{release}
|
||||
|
||||
Provides: ghostscript-core = %{version}-%{release}
|
||||
Obsoletes: ghostscript-core < 9.53.3-6
|
||||
Requires: jbig2dec-libs >= 0.16
|
||||
|
||||
# Auxiliary build requirements:
|
||||
BuildRequires: automake
|
||||
@ -73,10 +63,9 @@ BuildRequires: cups-devel
|
||||
BuildRequires: dbus-devel
|
||||
BuildRequires: fontconfig-devel
|
||||
BuildRequires: freetype-devel
|
||||
BuildRequires: jbig2dec-devel = %{jbig2dec_version}
|
||||
BuildRequires: jbig2dec-libs = %{jbig2dec_version}
|
||||
BuildRequires: jbig2dec-devel
|
||||
BuildRequires: lcms2-devel
|
||||
BuildRequires: libidn2-devel
|
||||
BuildRequires: libidn-devel
|
||||
BuildRequires: libijs-devel
|
||||
BuildRequires: libjpeg-turbo-devel
|
||||
BuildRequires: libpng-devel
|
||||
@ -88,7 +77,6 @@ BuildRequires: zlib-devel
|
||||
# Enabling the GUI possibilities of Ghostscript:
|
||||
BuildRequires: gtk3-devel
|
||||
BuildRequires: libXt-devel
|
||||
BuildRequires: make
|
||||
|
||||
# =============================================================================
|
||||
|
||||
@ -100,30 +88,55 @@ BuildRequires: make
|
||||
# Upstream patches -- official upstream patches released by upstream since the
|
||||
# ---------------- last rebase that are necessary for any reason:
|
||||
#Patch000: example000.patch
|
||||
Patch001: ghostscript-9.54.0-gdevtxtw-null-also-pointers.patch
|
||||
Patch002: ghostscript-9.54.0-include-pipe-handle-in-validation.patch
|
||||
#2032789 - coverity warnings fixes
|
||||
Patch003: ghostscript-9.54.0-covscan-fixes.patch
|
||||
#2049767 - CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
|
||||
Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
|
||||
Patch005: ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading.patch
|
||||
Patch006: ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch
|
||||
Patch007: ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
|
||||
Patch008: ghostscript-9.54.0-CVE-2023-28879.patch
|
||||
Patch009: ghostscript-9.54.0-CVE-2023-36664.patch
|
||||
Patch010: ghostscript-9.54.0-CVE-2023-38559.patch
|
||||
Patch011: ghostscript-9.54.0-CVE-2023-43115.patch
|
||||
# RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
|
||||
Patch012: gs-cve-2024-33871.patch
|
||||
# RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
|
||||
Patch013: gs-CVE-2024-33870.patch
|
||||
# RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
|
||||
Patch014: gs-CVE-2024-33869.patch
|
||||
# RHEL-44731 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
|
||||
Patch015: 0001-Uniprint-device-prevent-string-configuration-changes.patch
|
||||
Patch001: ghostscript-cve-2019-10216.patch
|
||||
Patch002: ghostscript-cve-2019-14811-14812-14813.patch
|
||||
Patch003: ghostscript-cve-2019-14817.patch
|
||||
# fixed in 9.51
|
||||
Patch004: ghostscript-cve-2020-16290.patch
|
||||
Patch005: ghostscript-cve-2020-16291.patch
|
||||
Patch006: ghostscript-cve-2020-16293.patch
|
||||
Patch007: ghostscript-cve-2020-16295.patch
|
||||
Patch008: ghostscript-cve-2020-16299.patch
|
||||
Patch009: ghostscript-cve-2020-16302.patch
|
||||
Patch010: ghostscript-cve-2020-16304.patch
|
||||
Patch011: ghostscript-cve-2020-16306.patch
|
||||
Patch012: ghostscript-cve-2020-16307.patch
|
||||
Patch013: ghostscript-cve-2020-16310.patch
|
||||
Patch014: ghostscript-cve-2020-16301.patch
|
||||
# 2097448 - printed text drifts to the right
|
||||
Patch015: ghostscript-9.27-fix-use-of-HWMargins.patch
|
||||
Patch016: ghostscript-9.27-Deal-with-different-VM-modes-during-CIDFont-loading.patch
|
||||
Patch017: ghostscript-9.27-ESC-Page-driver-does-not-set-page-size-correctly.patch
|
||||
Patch018: ghostscript-9.27-fix-bbox.patch
|
||||
Patch019: ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
|
||||
Patch020: ghostscript-9.27-CVE-2023-28879.patch
|
||||
Patch021: ghostscript-9.27-CVE-2023-38559.patch
|
||||
Patch022: ghostscript-9.27-CVE-2023-4042.patch
|
||||
Patch023: ghostscript-9.27-avoid-divide-by-zero-in-devices.patch
|
||||
# RHEL-38837 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
|
||||
# the patch is based on upstream code from 9.50, where a new -dSAFER implementation was introduced and
|
||||
# -dSAFER was made default for any gs calls. To do not backport the whole new -dSAFER implementation,
|
||||
# to do not collide with any future backports related with -dSAFER and to do not change the current default
|
||||
# for ghostscript in RHEL 8, only part of the new -dSAFER implementation was backported,
|
||||
# and the several functions, variables and macros prefix was changed to 'opvp' and used only
|
||||
# for OPVP device, which results in changing the default only for this device and fixing the CVE.
|
||||
# Downside of the fix is if someone depends on unsafe settings of driver for OPVP device
|
||||
# (via Postscript code in command -c, via Postscript code in input file), gs will start to fail.
|
||||
Patch024: gs-cve-2024-33871.patch
|
||||
# RHEL-61729 Ghostscript is generating PJL of a significantly larger size
|
||||
# Patches: 0001-Bug-701568-Fix-gdevpx.c-RLE-stream-handling.patch
|
||||
# 0001-Bug-701568-followup-Fix-RLE-compressor.patch
|
||||
# 0001-Bug-701949-Add-omitEOD-flag-to-RLE-compressor-and-us.patch
|
||||
Patch025: 0001-Bug-701568-Fix-gdevpx.c-RLE-stream-handling.patch
|
||||
Patch026: 0001-Bug-701568-followup-Fix-RLE-compressor.patch
|
||||
Patch027: 0001-Bug-701949-Add-omitEOD-flag-to-RLE-compressor-and-us.patch
|
||||
|
||||
|
||||
# Downstream patches -- these should be always included when doing rebase:
|
||||
# ------------------
|
||||
Patch100: ghostscript-9.23-100-run-dvipdf-securely.patch
|
||||
|
||||
|
||||
# Downstream patches for RHEL -- patches that we keep only in RHEL for various
|
||||
# --------------------------- reasons, but are not enabled in Fedora:
|
||||
%if %{defined rhel} || %{defined centos}
|
||||
@ -255,7 +268,10 @@ This package provides detailed documentation files for Ghostscript software.
|
||||
%autosetup -N -S git
|
||||
|
||||
# Libraries that we already have packaged in Fedora (see Build Requirements):
|
||||
rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* leptonica libpng openjpeg tesseract tiff windows zlib
|
||||
rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
|
||||
|
||||
# Yeah, not actually needed in Fedora (^_^):
|
||||
rm -rf windows
|
||||
|
||||
# Add the remaining source code to the initial commit, patch the source code:
|
||||
git add --all --force .
|
||||
@ -286,7 +302,7 @@ git commit --all --amend --no-edit > /dev/null
|
||||
# for China's GB18030 official certification:
|
||||
%if %{defined rhel} || %{defined centos}
|
||||
%configure --enable-dynamic --disable-compile-inits --without-versioned-path \
|
||||
--with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}:%{_datadir}/%{name}/conf.d/"
|
||||
--with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}:%{_datadir}/%{name}/conf.d/:%{_datadir}/fonts"
|
||||
%else
|
||||
%configure --enable-dynamic --disable-compile-inits --without-versioned-path \
|
||||
--with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}"
|
||||
@ -333,7 +349,7 @@ ln -s %{_mandir}/man1/gs.1 %{buildroot}%{_mandir}/man1/ghostscript.1
|
||||
# process for Ghostscript startup, and they advise using the symlinks where
|
||||
# possible. The fontconfig (Ghostscript's search path) should be used preferably
|
||||
# as a fallback only.
|
||||
ln -fs %{google_droid_fontpath}/DroidSansFallbackFull.ttf %{buildroot}%{_datadir}/%{name}/Resource/CIDFSubst/DroidSansFallback.ttf
|
||||
ln -fs %{google_droid_fontpath}/DroidSansFallback.ttf %{buildroot}%{_datadir}/%{name}/Resource/CIDFSubst/DroidSansFallback.ttf
|
||||
|
||||
for font in $(basename --multiple %{buildroot}%{_datadir}/%{name}/Resource/Font/*); do
|
||||
ln -fs %{urw_base35_fontpath}/${font}.t1 %{buildroot}%{_datadir}/%{name}/Resource/Font/${font}
|
||||
@ -454,183 +470,127 @@ done
|
||||
# =============================================================================
|
||||
|
||||
%changelog
|
||||
* Mon Jul 08 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-17
|
||||
- RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
|
||||
- RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
|
||||
- RHEL-44731 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
|
||||
* Mon Oct 14 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.27-15
|
||||
- fix printing PCL XL on some printers
|
||||
|
||||
* Thu Jun 20 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-16
|
||||
- RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
|
||||
* Thu Oct 10 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.27-14
|
||||
- RHEL-61729 Ghostscript is generating PJL of a significantly larger size
|
||||
|
||||
* Fri Oct 27 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-14
|
||||
- fix for CVE-2023-43115
|
||||
- Resolves: RHEL-10185
|
||||
* Wed Jun 12 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.27-13
|
||||
- CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
|
||||
|
||||
* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-13
|
||||
* Tue Sep 19 2023 Richard Lescak <rlescak@redhat.com> - 9.27-12
|
||||
- fix to prevent divison by zero in devices
|
||||
- Resolves: rhbz#2235009
|
||||
|
||||
* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.27-11
|
||||
- fix for CVE-2023-4042
|
||||
- Resolves: rhbz#2228153
|
||||
|
||||
* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.27-10
|
||||
- fix for CVE-2023-38559
|
||||
- Resolves: rhbz#2224372
|
||||
- Resolves: rhbz#2224371
|
||||
|
||||
* Tue Aug 01 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-12
|
||||
- fix for CVE-2023-36664
|
||||
- Resolves: rhbz#2217810
|
||||
|
||||
* Fri May 05 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-11
|
||||
* Fri May 05 2023 Richard Lescak <rlescak@redhat.com> - 9.27-9
|
||||
- fix for CVE-2023-28879
|
||||
- Resolves: rhbz#2188300
|
||||
- Resolves: rhbz#2188297
|
||||
|
||||
* Fri Mar 17 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-10
|
||||
* Fri Mar 17 2023 Richard Lescak <rlescak@redhat.com> - 9.27-8
|
||||
- fix embedding of CIDFonts
|
||||
- Resolves: rhbz#2179023
|
||||
- Resolves: rhbz#2169890
|
||||
|
||||
* Thu Feb 02 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-9
|
||||
* Wed Mar 15 2023 Richard Lescak <rlescak@redhat.com> - 9.27-7
|
||||
- fix bbox device calculating bounding box incorrectly
|
||||
- Resolves: rhbz#2176327
|
||||
|
||||
* Thu Feb 02 2023 Richard Lescak <rlescak@redhat.com> - 9.27-6
|
||||
- set the page size for A4 correctly in ESC/Page driver
|
||||
- Resolves: rhbz#2164613
|
||||
- Resolves: rhbz#2164603
|
||||
|
||||
* Fri Dec 09 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-8
|
||||
- fix loading of CIDFonts (#2138795)
|
||||
* Tue Nov 15 2022 Richard Lescak <rlescak@redhat.com> - 9.27-5
|
||||
- fix loading of CIDFonts
|
||||
- Resolves: rhbz#2118538
|
||||
|
||||
* Thu Feb 24 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-7
|
||||
- Fix patch for covscan issues (#2032789)
|
||||
* Mon Jul 25 2022 Richard Lescak <rlescak@redhat.com> - 9.27-4
|
||||
- changed requirement to jbig2dec-libs
|
||||
- Resolves: rhbz#2097515, rhbz#2097448
|
||||
|
||||
* Tue Feb 22 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-6
|
||||
- Added fix for vulnerability CVE-2021-45949 (#2049767)
|
||||
* Wed Jul 20 2022 Richard Lescak <rlescak@redhat.com> - 9.27-3
|
||||
- fixed drifting text to the right when printing
|
||||
- added Requirement for jbig2dec
|
||||
- added patch for CVE-2020-16301
|
||||
- Resolves: rhbz#2097515, rhbz#2097448
|
||||
|
||||
* Mon Feb 21 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-5
|
||||
- Added coverity fixes (#2032789)
|
||||
* Fri Jan 22 2021 Anna Khaitovich <akhaitov@redhat.com> - 9.27-2
|
||||
- tools-dvipdf: require /usr/bin/dvips not %{_bindir}/dvips
|
||||
- Resolves: rhbz#1918937
|
||||
|
||||
* Thu Sep 16 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-4
|
||||
- Added fix for CVE-2021-3781 (#2002625)
|
||||
* Tue Sep 01 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.27-1
|
||||
- Rebase to 9.27
|
||||
- Resolves: rhbz#1874523
|
||||
|
||||
* Thu Sep 16 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-3
|
||||
- Added fix for segfault bug (#1989084)
|
||||
* Tue Apr 07 2020 Zdenek Dohnal <zdohnal@redhat.com> - 9.25-7
|
||||
- 1813228 - ghostscript fontconfig support broken when gs used with -dSAFER/-dPARANOIDSAFER
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 9.54.0-2
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
* Thu Nov 07 2019 Zdenek Dohnal <zdohnal@redhat.com> - 9.25-6
|
||||
- 1769343 - CVE-2019-14869 - -dSAFER escape in .charkeys
|
||||
|
||||
* Mon Jul 26 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-1
|
||||
- Update to 9.54.0 (#1923969)
|
||||
* Thu Aug 22 2019 Martin Osvald <mosvald@redhat.com> - 9.25-5
|
||||
- Resolves: #1744011 - CVE-2019-14811 ghostscript: Safer Mode Bypass by .forceput Exposure in .pdf_hook_DSC_Creator (701445)
|
||||
- Resolves: #1744015 - CVE-2019-14812 ghostscript: Safer Mode Bypass by .forceput Exposure in setuserparams (701444)
|
||||
- Resolves: #1744006 - CVE-2019-14813 ghostscript: Safer Mode Bypass by .forceput Exposure in setsystemparams (701443)
|
||||
- Resolves: #1744231 - CVE-2019-14817 ghostscript: Safer Mode Bypass by .forceput Exposure in .pdfexectoken and other procedures (701450)
|
||||
|
||||
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 9.53.3-6
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
* Mon Aug 05 2019 Martin Osvald <mosvald@redhat.com> - 9.25-4
|
||||
- Resolves: #1737337 - CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394)
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 9.53.3-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
* Thu Mar 28 2019 Martin Osvald <mosvald@redhat.com> - 9.25-3
|
||||
- Resolves: #1692798 - CVE-2019-3839 ghostscript: missing attack vector
|
||||
protections for CVE-2019-6116
|
||||
- Resolves: #1678170 - CVE-2019-3835 ghostscript: superexec operator
|
||||
is available (700585)
|
||||
- Resolves: #1691414 - CVE-2019-3838 ghostscript: forceput in DefineResource
|
||||
is still accessible (700576)
|
||||
- fix included for ghostscript: Regression: double comment chars
|
||||
'%%' in gs_init.ps leading to missing metadata
|
||||
- fix for pdf2dsc regression added to allow fix for CVE-2019-3839
|
||||
|
||||
* Tue Dec 22 2020 Michael J Gruber <mjg@fedoraproject.org> - 9.53.3-4
|
||||
- Restore opvp for good (#1909950)
|
||||
* Wed Jan 23 2019 Martin Osvald <mosvald@redhat.com> - 9.25-2
|
||||
- Resolves: #1652937 - CVE-2018-19409 ghostscript: Improperly implemented
|
||||
security check in zsetdevice function in psi/zdevice.c
|
||||
- Resolves: #1642586 - CVE-2018-18073 ghostscript: saved execution stacks
|
||||
can leak operator arrays
|
||||
- Resolves: #1642580 - CVE-2018-17961 ghostscript: saved execution stacks
|
||||
can leak operator arrays (incomplete fix for CVE-2018-17183)
|
||||
- Resolves: #1642941 - CVE-2018-18284 ghostscript: 1Policy operator
|
||||
allows a sandbox protection bypass
|
||||
- Resolves: #1656336 - CVE-2018-19134 ghostscript: Type confusion in
|
||||
setpattern (700141)
|
||||
- Resolves: #1660571 - CVE-2018-19475 ghostscript: access bypass in
|
||||
psi/zdevice2.c (700153)
|
||||
- Resolves: #1660830 - CVE-2018-19476 ghostscript: access bypass in
|
||||
psi/zicc.c
|
||||
- Resolves: #1661280 - CVE-2018-19477 ghostscript: access bypass in
|
||||
psi/zfjbig2.c (700168)
|
||||
- Resolves: #1668891 - CVE-2019-6116 ghostscript: subroutines within
|
||||
pseudo-operators must themselves be pseudo-operators (700317)
|
||||
|
||||
* Tue Nov 24 2020 Michael J Gruber <mjg@fedoraproject.org> - 9.53.3-3
|
||||
- Restore opvp device (#1899885)
|
||||
* Mon Sep 24 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.25-1
|
||||
- rebase to latest upstream version to fix issues discovered in previous CVE fixes (bug #1631701 and #1626997)
|
||||
|
||||
* Wed Nov 04 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.53.3-2
|
||||
- Drop use of FT_CALLBACK_DEF() def
|
||||
|
||||
* Thu Oct 08 2020 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 9.53.1-3
|
||||
- Update to 9.53.3 (#1882743)
|
||||
|
||||
* Tue Sep 22 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.53.1-2
|
||||
- Bump jbig2dec version
|
||||
|
||||
* Thu Sep 10 2020 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 9.53.0-1
|
||||
- Update to 9.53.1 (#1877781)
|
||||
|
||||
* Mon Jul 27 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-8
|
||||
- Use libidn2 instead of libidn (fixes #1860890)
|
||||
|
||||
* Thu Jul 02 2020 Michael J Gruber <mjg@fedoraproject.org> - 9.52-7
|
||||
- really require the exact jbig2dec version
|
||||
|
||||
* Sat Jun 27 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 9.52-6
|
||||
- standard packages should not require -devel packages
|
||||
|
||||
* Wed Jun 24 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-5
|
||||
- Require the exact jbig2dec version in both build and runtime dependencies
|
||||
|
||||
* Thu May 21 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-4
|
||||
- Define %%{jbig2dec_version} global macro
|
||||
|
||||
* Wed May 20 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-3
|
||||
- Require the exact jbig2dec version to avoid a mismatch between header files and library
|
||||
|
||||
* Mon May 18 2020 Anna Khaitovich <akhaitov@redhat.com> - 9.52-2
|
||||
- Require the exact jbig2dec-devel version
|
||||
|
||||
* Thu Apr 02 2020 Zdenek Dohnal <zdohnal@redhat.com> - 9.52-1
|
||||
- 9.52
|
||||
|
||||
* Wed Mar 11 2020 Zdenek Dohnal <zdohnal@redhat.com> - 9.50-1
|
||||
- 9.50
|
||||
|
||||
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 9.27-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Thu Nov 14 2019 Zdenek Dohnal <zdohnal@redhat.com> - 9.27-2
|
||||
- 1772486 - ghostscript: -dSAFER escape in .charkeys (701841)
|
||||
|
||||
* Fri Sep 06 2019 Martin Osvald <mosvald@redhat.com> - 9.27-1
|
||||
- rebase to latest upstream version 9.27
|
||||
- security fixes added for:
|
||||
- CVE-2019-14811 (bug #1747908)
|
||||
- CVE-2019-14812 (bug #1747907)
|
||||
- CVE-2019-14813 (bug #1747906)
|
||||
- CVE-2019-14817 (bug #1747909)
|
||||
|
||||
* Mon Aug 12 2019 Martin Osvald <mosvald@redhat.com> - 9.26-6
|
||||
- Fix for CVE-2019-10216 added
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 9.26-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri Mar 22 2019 Martin Osvald <mosvald@redhat.com> - 9.26-4
|
||||
- Fixes for CVE-2019-3835 and CVE-2019-3838 added
|
||||
|
||||
* Mon Mar 11 2019 Martin Osvald <mosvald@redhat.com> - 9.26-3
|
||||
- Fix for bug #1687144 added
|
||||
|
||||
* Fri Mar 08 2019 Martin Osvald <mosvald@redhat.com> - 9.26-2
|
||||
- Fix for CVE-2019-6116 added (bug #1668888)
|
||||
|
||||
* Thu Feb 07 2019 Martin Osvald <mosvald@redhat.com> - 9.26-1
|
||||
- rebase to latest upstream version 9.26
|
||||
- spec change to remove gsdoc.el due to upstream 8bc783cb586
|
||||
|
||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 9.25-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Mon Sep 17 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.25-1
|
||||
- rebase to latest upstream version to fix additional issues found in 9.24
|
||||
|
||||
* Fri Sep 14 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.24-3
|
||||
- ghostscript-9.24-002-icc-PermitReading.patch removed
|
||||
- ghostscript-9.24-002-fix-for-Canon-and-Kyocera-printers.patch added (bug #1626818)
|
||||
- ghostscript-9.24-003-CVE-2018-16802.patch added (bug #1627960)
|
||||
|
||||
* Fri Sep 07 2018 Tom Callaway <spot@fedoraproject.org> - 9.24-2
|
||||
- add upstream fix for reading in ICC profiles
|
||||
|
||||
* Wed Sep 05 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.24-1
|
||||
* Fri Sep 07 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.24-1
|
||||
- rebase to latest upstream version, which contains important CVE fixes
|
||||
- additional ZER0-DAY fixes added
|
||||
|
||||
* Wed Aug 29 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-7
|
||||
* Wed Aug 29 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-5
|
||||
- ghostscript-9.23-002-fixes-for-set-of-CVEs-reported-by-Google.patch added
|
||||
|
||||
* Mon Jul 30 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-6
|
||||
- ghostscript-9.23-001-create-GC-descriptors-for-JPEG-passthrough.patch added (bug #1589467)
|
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 9.23-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Tue May 15 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-4
|
||||
- One more rebuild for libidn ABI fix (BZ#'s 1573961 and 1566414)
|
||||
|
||||
* Mon May 14 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-3
|
||||
- %%conflicts_vers bumped to fix F27->F28 upgrade
|
||||
|
||||
* Thu May 10 2018 Stephen Gallagher <sgallagh@redhat.com> - 9.23-2.1
|
||||
- Rebuilding for libidn ABI fix (BZ#'s 1573961 and 1566414)
|
||||
|
||||
* Mon Apr 23 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.23-2
|
||||
- Fix for CVE-2018-10194 added (bug #1569821)
|
||||
|
@ -1,8 +0,0 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-9
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}
|
@ -1,142 +0,0 @@
|
||||
From 505eab7782b429017eb434b2b95120855f2b0e3c Mon Sep 17 00:00:00 2001
|
||||
From: Chris Liddell <chris.liddell@artifex.com>
|
||||
Date: Wed, 7 Jun 2023 10:23:06 +0100
|
||||
Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission
|
||||
validation
|
||||
|
||||
For regular file names, we try to simplfy relative paths before we use them.
|
||||
|
||||
Because the %pipe% device can, effectively, accept command line calls, we
|
||||
shouldn't be simplifying that string, because the command line syntax can end
|
||||
up confusing the path simplifying code. That can result in permitting a pipe
|
||||
command which does not match what was originally permitted.
|
||||
|
||||
Special case "%pipe" in the validation code so we always deal with the entire
|
||||
string.
|
||||
---
|
||||
base/gpmisc.c | 31 +++++++++++++++++++--------
|
||||
base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
|
||||
2 files changed, 64 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/base/gpmisc.c b/base/gpmisc.c
|
||||
index 5f39ebba7..2fb87f769 100644
|
||||
--- a/base/gpmisc.c
|
||||
+++ b/base/gpmisc.c
|
||||
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
|
||||
&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
|
||||
prefix_len = 0;
|
||||
}
|
||||
- rlen = len+1;
|
||||
- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
|
||||
- if (bufferfull == NULL)
|
||||
- return gs_error_VMerror;
|
||||
-
|
||||
- buffer = bufferfull + prefix_len;
|
||||
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
|
||||
- return gs_error_invalidfileaccess;
|
||||
- buffer[rlen] = 0;
|
||||
|
||||
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
|
||||
+ don't "reduce" them to avoid unexpected results
|
||||
+ */
|
||||
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
|
||||
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
|
||||
+ if (buffer == NULL)
|
||||
+ return gs_error_VMerror;
|
||||
+ memcpy(buffer, path, len);
|
||||
+ buffer[len] = 0;
|
||||
+ rlen = len;
|
||||
+ }
|
||||
+ else {
|
||||
+ rlen = len+1;
|
||||
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
|
||||
+ if (bufferfull == NULL)
|
||||
+ return gs_error_VMerror;
|
||||
+
|
||||
+ buffer = bufferfull + prefix_len;
|
||||
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
|
||||
+ return gs_error_invalidfileaccess;
|
||||
+ buffer[rlen] = 0;
|
||||
+ }
|
||||
while (1) {
|
||||
switch (mode[0])
|
||||
{
|
||||
diff --git a/base/gslibctx.c b/base/gslibctx.c
|
||||
index eb566ed06..d2a1aa91d 100644
|
||||
--- a/base/gslibctx.c
|
||||
+++ b/base/gslibctx.c
|
||||
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
|
||||
return gs_error_rangecheck;
|
||||
}
|
||||
|
||||
- rlen = len+1;
|
||||
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
|
||||
- if (buffer == NULL)
|
||||
- return gs_error_VMerror;
|
||||
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
|
||||
+ don't "reduce" them to avoid unexpected results
|
||||
+ */
|
||||
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
|
||||
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
|
||||
+ if (buffer == NULL)
|
||||
+ return gs_error_VMerror;
|
||||
+ memcpy(buffer, path, len);
|
||||
+ buffer[len] = 0;
|
||||
+ rlen = len;
|
||||
+ }
|
||||
+ else {
|
||||
+ rlen = len + 1;
|
||||
|
||||
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
|
||||
- return gs_error_invalidfileaccess;
|
||||
- buffer[rlen] = 0;
|
||||
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
|
||||
+ if (buffer == NULL)
|
||||
+ return gs_error_VMerror;
|
||||
+
|
||||
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
|
||||
+ return gs_error_invalidfileaccess;
|
||||
+ buffer[rlen] = 0;
|
||||
+ }
|
||||
|
||||
n = control->num;
|
||||
for (i = 0; i < n; i++)
|
||||
@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
|
||||
return gs_error_rangecheck;
|
||||
}
|
||||
|
||||
- rlen = len+1;
|
||||
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
|
||||
- if (buffer == NULL)
|
||||
- return gs_error_VMerror;
|
||||
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
|
||||
+ don't "reduce" them to avoid unexpected results
|
||||
+ */
|
||||
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
|
||||
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
|
||||
+ if (buffer == NULL)
|
||||
+ return gs_error_VMerror;
|
||||
+ memcpy(buffer, path, len);
|
||||
+ buffer[len] = 0;
|
||||
+ rlen = len;
|
||||
+ }
|
||||
+ else {
|
||||
+ rlen = len+1;
|
||||
|
||||
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
|
||||
- return gs_error_invalidfileaccess;
|
||||
- buffer[rlen] = 0;
|
||||
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
|
||||
+ if (buffer == NULL)
|
||||
+ return gs_error_VMerror;
|
||||
+
|
||||
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
|
||||
+ return gs_error_invalidfileaccess;
|
||||
+ buffer[rlen] = 0;
|
||||
+ }
|
||||
|
||||
n = control->num;
|
||||
for (i = 0; i < n; i++) {
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,21 +0,0 @@
|
||||
--- a/devices/gdevijs.c
|
||||
+++ b/devices/gdevijs.c
|
||||
@@ -934,6 +934,9 @@
|
||||
static const char rgb[] = "DeviceRGB";
|
||||
gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
|
||||
|
||||
+ if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
|
||||
+ return_error(gs_error_invalidaccess);
|
||||
+
|
||||
code = gx_default_finish_copydevice(dev, from_dev);
|
||||
if(code < 0)
|
||||
return code;
|
||||
@@ -1363,7 +1366,7 @@
|
||||
if (code >= 0)
|
||||
code = gsijs_read_string(plist, "IjsServer",
|
||||
ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
|
||||
- dev->LockSafetyParams, is_open);
|
||||
+ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
|
||||
|
||||
if (code >= 0)
|
||||
code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
|
@ -1,64 +0,0 @@
|
||||
From 2a3129365d3bc0d4a41f107ef175920d1505d1f7 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Liddell <chris.liddell@artifex.com>
|
||||
Date: Tue, 1 Jun 2021 19:57:16 +0100
|
||||
Subject: [PATCH] Bug 703902: Fix op stack management in
|
||||
sampled_data_continue()
|
||||
|
||||
Replace pop() (which does no checking, and doesn't handle stack extension
|
||||
blocks) with ref_stack_pop() which does do all that.
|
||||
|
||||
We still use pop() in one case (it's faster), but we have to later use
|
||||
ref_stack_pop() before calling sampled_data_sample() which also accesses the
|
||||
op stack.
|
||||
|
||||
Fixes:
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
|
||||
---
|
||||
psi/zfsample.c | 16 ++++++++++------
|
||||
1 file changed, 10 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/psi/zfsample.c b/psi/zfsample.c
|
||||
index 0e8e4bc8d..00cd0cfdd 100644
|
||||
--- a/psi/zfsample.c
|
||||
+++ b/psi/zfsample.c
|
||||
@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
|
||||
for (j = 0; j < bps; j++)
|
||||
data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
|
||||
}
|
||||
- pop(num_out); /* Move op to base of result values */
|
||||
|
||||
- /* Check if we are done collecting data. */
|
||||
+ pop(num_out); /* Move op to base of result values */
|
||||
|
||||
+ /* From here on, we have to use ref_stack_pop() rather than pop()
|
||||
+ so that it handles stack extension blocks properly, before calling
|
||||
+ sampled_data_sample() which also uses the op stack.
|
||||
+ */
|
||||
+ /* Check if we are done collecting data. */
|
||||
if (increment_cube_indexes(params, penum->indexes)) {
|
||||
if (stack_depth_adjust == 0)
|
||||
- pop(O_STACK_PAD); /* Remove spare stack space */
|
||||
+ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
|
||||
else
|
||||
- pop(stack_depth_adjust - num_out);
|
||||
+ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
|
||||
/* Execute the closing procedure, if given */
|
||||
code = 0;
|
||||
if (esp_finish_proc != 0)
|
||||
@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
|
||||
if ((O_STACK_PAD - stack_depth_adjust) < 0) {
|
||||
stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
|
||||
check_op(stack_depth_adjust);
|
||||
- pop(stack_depth_adjust);
|
||||
+ ref_stack_pop(&o_stack, stack_depth_adjust);
|
||||
}
|
||||
else {
|
||||
check_ostack(O_STACK_PAD - stack_depth_adjust);
|
||||
- push(O_STACK_PAD - stack_depth_adjust);
|
||||
+ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
|
||||
for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
|
||||
make_null(op - i);
|
||||
}
|
||||
--
|
||||
2.35.1
|
||||
|
@ -1,98 +0,0 @@
|
||||
diff -ur ghostscript-9.54.0/base/gdevvec.c ghostscript-9.54.0-patched/base/gdevvec.c
|
||||
--- ghostscript-9.54.0/base/gdevvec.c
|
||||
+++ ghostscript-9.54.0-patched/base/gdevvec.c
|
||||
@@ -643,7 +643,7 @@
|
||||
*/
|
||||
int
|
||||
gdev_vector_dopath_segment(gdev_vector_dopath_state_t *state, int pe_op,
|
||||
- gs_fixed_point vs[3])
|
||||
+ gs_fixed_point *vs)
|
||||
{
|
||||
gx_device_vector *vdev = state->vdev;
|
||||
const gs_matrix *const pmat = &state->scale_mat;
|
||||
diff -ur ghostscript-9.54.0/base/gdevvec.h ghostscript-9.54.0-patched/base/gdevvec.h
|
||||
--- ghostscript-9.54.0/base/gdevvec.h
|
||||
+++ ghostscript-9.54.0-patched/base/gdevvec.h
|
||||
@@ -306,7 +306,7 @@
|
||||
|
||||
/* Write a segment of a path using the default implementation. */
|
||||
int gdev_vector_dopath_segment(gdev_vector_dopath_state_t *state, int pe_op,
|
||||
- gs_fixed_point vs[3]);
|
||||
+ gs_fixed_point *vs);
|
||||
|
||||
typedef struct gdev_vector_path_seg_record_s {
|
||||
int op;
|
||||
diff -ur ghostscript-9.54.0/base/gxclpath.c ghostscript-9.54.0-patched/base/gxclpath.c
|
||||
--- ghostscript-9.54.0/base/gxclpath.c 2021-03-30 09:40:28.000000000 +0200
|
||||
+++ ghostscript-9.54.0-patched/base/gxclpath.c 2021-11-23 11:06:14.670137576 +0100
|
||||
@@ -715,10 +715,10 @@
|
||||
} else {
|
||||
code = set_cmd_put_op(&dp, cldev, pcls, cmd_opv_set_color_space,
|
||||
2 + sizeof(clist_icc_color_t));
|
||||
- memcpy(dp + 2, &(cldev->color_space.icc_info),
|
||||
- sizeof(clist_icc_color_t));
|
||||
if (code < 0)
|
||||
return code;
|
||||
+ memcpy(dp + 2, &(cldev->color_space.icc_info),
|
||||
+ sizeof(clist_icc_color_t));
|
||||
}
|
||||
dp[1] = cldev->color_space.byte1;
|
||||
pcls->known |= color_space_known;
|
||||
diff -ur ghostscript-9.54.0/extract/src/mem.c ghostscript-9.54.0-patched/extract/src/mem.c
|
||||
--- ghostscript-9.54.0/extract/src/mem.c 2021-03-30 09:40:28.000000000 +0200
|
||||
+++ ghostscript-9.54.0-patched/extract/src/mem.c 2021-11-23 11:11:37.293082828 +0100
|
||||
@@ -19,14 +19,24 @@
|
||||
int extract_vasprintf(extract_alloc_t* alloc, char** out, const char* format, va_list va)
|
||||
{
|
||||
int n;
|
||||
- int n2;
|
||||
+ int ret;
|
||||
va_list va2;
|
||||
va_copy(va2, va);
|
||||
n = vsnprintf(NULL, 0, format, va);
|
||||
- if (n < 0) return n;
|
||||
- if (extract_malloc(alloc, out, n + 1)) return -1;
|
||||
- n2 = vsnprintf(*out, n + 1, format, va2);
|
||||
+ if (n < 0)
|
||||
+ {
|
||||
+ ret = n;
|
||||
+ goto end;
|
||||
+ }
|
||||
+ if (extract_malloc(alloc, out, n + 1))
|
||||
+ {
|
||||
+ ret = -1;
|
||||
+ goto end;
|
||||
+ }
|
||||
+ vsnprintf(*out, n + 1, format, va2);
|
||||
+ ret = 0;
|
||||
+
|
||||
+ end:
|
||||
va_end(va2);
|
||||
- assert(n2 == n);
|
||||
- return n2;
|
||||
+ return ret;
|
||||
}
|
||||
diff -ur ghostscript-9.54.0/psi/icie.h ghostscript-9.54.0-patched/psi/icie.h
|
||||
--- ghostscript-9.54.0/psi/icie.h 2021-03-30 09:40:28.000000000 +0200
|
||||
+++ ghostscript-9.54.0-patched/psi/icie.h 2021-10-29 12:48:43.405814563 +0200
|
||||
@@ -53,7 +53,7 @@
|
||||
|
||||
/* Get 3 procedures from a dictionary. */
|
||||
int dict_proc3_param(const gs_memory_t *mem, const ref *pdref,
|
||||
- const char *kstr, ref proc3[3]);
|
||||
+ const char *kstr, ref *proc3);
|
||||
|
||||
/* Get WhitePoint and BlackPoint values. */
|
||||
int cie_points_param(const gs_memory_t *mem,
|
||||
diff -ur ghostscript-9.54.0/psi/zcie.c ghostscript-9.54.0-patched/psi/zcie.c
|
||||
--- ghostscript-9.54.0/psi/zcie.c 2021-03-30 09:40:28.000000000 +0200
|
||||
+++ ghostscript-9.54.0-patched/psi/zcie.c 2021-11-02 14:36:28.463448728 +0100
|
||||
@@ -144,7 +144,7 @@
|
||||
|
||||
/* Get 3 procedures from a dictionary. */
|
||||
int
|
||||
-dict_proc3_param(const gs_memory_t *mem, const ref *pdref, const char *kstr, ref proc3[3])
|
||||
+dict_proc3_param(const gs_memory_t *mem, const ref *pdref, const char *kstr, ref *proc3)
|
||||
{
|
||||
return dict_proc_array_param(mem, pdref, kstr, 3, proc3);
|
||||
}
|
@ -1,46 +0,0 @@
|
||||
diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c
|
||||
index c6b95ed5b..f103d598b 100644
|
||||
--- a/devices/vector/gdevtxtw.c
|
||||
+++ b/devices/vector/gdevtxtw.c
|
||||
@@ -1982,16 +1982,26 @@ textw_text_release(gs_text_enum_t *pte, client_name_t cname)
|
||||
gx_device_txtwrite_t *const tdev = (gx_device_txtwrite_t *) pte->dev;
|
||||
|
||||
/* Free the working buffer where the Unicode was assembled from the enumerated text */
|
||||
- if (penum->TextBuffer)
|
||||
+ if (penum->TextBuffer) {
|
||||
gs_free(tdev->memory, penum->TextBuffer, 1, penum->TextBufferIndex, "txtwrite free temporary text buffer");
|
||||
- if (penum->Widths)
|
||||
+ penum->TextBuffer = NULL;
|
||||
+ }
|
||||
+ if (penum->Widths) {
|
||||
gs_free(tdev->memory, penum->Widths, sizeof(float), pte->text.size, "txtwrite free temporary widths array");
|
||||
- if (penum->Advs)
|
||||
+ penum->Widths = NULL;
|
||||
+ }
|
||||
+ if (penum->Advs) {
|
||||
gs_free(tdev->memory, penum->Advs, 1, penum->TextBufferIndex, "txtwrite free temporary text buffer");
|
||||
- if (penum->GlyphWidths)
|
||||
+ penum->Advs = NULL;
|
||||
+ }
|
||||
+ if (penum->GlyphWidths) {
|
||||
gs_free(tdev->memory, penum->GlyphWidths, 1, penum->TextBufferIndex, "txtwrite free temporary text buffer");
|
||||
- if (penum->SpanDeltaX)
|
||||
+ penum->GlyphWidths = NULL;
|
||||
+ }
|
||||
+ if (penum->SpanDeltaX) {
|
||||
gs_free(tdev->memory, penum->SpanDeltaX, 1, penum->TextBufferIndex, "txtwrite free temporary text buffer");
|
||||
+ penum->SpanDeltaX = NULL;
|
||||
+ }
|
||||
/* If this is copied away when we complete the text enumeration succesfully, then
|
||||
* we set the pointer to NULL, if we get here with it non-NULL , then there was
|
||||
* an error.
|
||||
@@ -2008,6 +2018,7 @@ textw_text_release(gs_text_enum_t *pte, client_name_t cname)
|
||||
if (penum->text_state->FontName)
|
||||
gs_free(tdev->memory, penum->text_state->FontName, 1, penum->TextBufferIndex, "txtwrite free temporary font name copy");
|
||||
gs_free(tdev->memory, penum->text_state, 1, sizeof(penum->text_state), "txtwrite free text state");
|
||||
+ penum->text_state = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.17.1
|
@ -1,208 +0,0 @@
|
||||
diff --git a/base/gdevpipe.c b/base/gdevpipe.c
|
||||
index 96d71f5d81..752a2f1d94 100644
|
||||
--- a/base/gdevpipe.c
|
||||
+++ b/base/gdevpipe.c
|
||||
@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access,
|
||||
#else
|
||||
gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
|
||||
gs_fs_list_t *fs = ctx->core->fs;
|
||||
+ /* The pipe device can be reached in two ways, explicltly with %pipe%
|
||||
+ or implicitly with "|", so we have to check for both
|
||||
+ */
|
||||
+ char f[gp_file_name_sizeof];
|
||||
+ const char *pipestr = "|";
|
||||
+ const size_t pipestrlen = strlen(pipestr);
|
||||
+ int code1;
|
||||
+ const size_t preflen = strlen(iodev->dname);
|
||||
+ const size_t nlen = strlen(fname);
|
||||
+
|
||||
+ if (preflen + nlen >= gp_file_name_sizeof)
|
||||
+ return_error(gs_error_invalidaccess);
|
||||
+
|
||||
+ memcpy(f, iodev->dname, preflen);
|
||||
+ memcpy(f + preflen, fname, nlen + 1);
|
||||
+
|
||||
+ code1 = gp_validate_path(mem, f, access);
|
||||
+
|
||||
+ memcpy(f, pipestr, pipestrlen);
|
||||
+ memcpy(f + pipestrlen, fname, nlen + 1);
|
||||
|
||||
- if (gp_validate_path(mem, fname, access) != 0)
|
||||
+ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
|
||||
return gs_error_invalidfileaccess;
|
||||
|
||||
/*
|
||||
diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
|
||||
index 2b964ed749..8d87ceadc0 100644
|
||||
--- a/base/gp_mshdl.c
|
||||
+++ b/base/gp_mshdl.c
|
||||
@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access,
|
||||
long hfile; /* Correct for Win32, may be wrong for Win64 */
|
||||
gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
|
||||
gs_fs_list_t *fs = ctx->core->fs;
|
||||
+ char f[gp_file_name_sizeof];
|
||||
+ const size_t preflen = strlen(iodev->dname);
|
||||
+ const size_t nlen = strlen(fname);
|
||||
|
||||
- if (gp_validate_path(mem, fname, access) != 0)
|
||||
+ if (preflen + nlen >= gp_file_name_sizeof)
|
||||
+ return_error(gs_error_invalidaccess);
|
||||
+
|
||||
+ memcpy(f, iodev->dname, preflen);
|
||||
+ memcpy(f + preflen, fname, nlen + 1);
|
||||
+
|
||||
+ if (gp_validate_path(mem, f, access) != 0)
|
||||
return gs_error_invalidfileaccess;
|
||||
|
||||
/* First we try the open_handle method. */
|
||||
diff --git a/base/gp_msprn.c b/base/gp_msprn.c
|
||||
index ed48279685..746a974f78 100644
|
||||
--- a/base/gp_msprn.c
|
||||
+++ b/base/gp_msprn.c
|
||||
@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
|
||||
uintptr_t *ptid = &((tid_t *)(iodev->state))->tid;
|
||||
gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
|
||||
gs_fs_list_t *fs = ctx->core->fs;
|
||||
+ const size_t preflen = strlen(iodev->dname);
|
||||
+ const size_t nlen = strlen(fname);
|
||||
|
||||
- if (gp_validate_path(mem, fname, access) != 0)
|
||||
+ if (preflen + nlen >= gp_file_name_sizeof)
|
||||
+ return_error(gs_error_invalidaccess);
|
||||
+
|
||||
+ memcpy(pname, iodev->dname, preflen);
|
||||
+ memcpy(pname + preflen, fname, nlen + 1);
|
||||
+
|
||||
+ if (gp_validate_path(mem, pname, access) != 0)
|
||||
return gs_error_invalidfileaccess;
|
||||
|
||||
/* First we try the open_printer method. */
|
||||
diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
|
||||
index f852c71fc8..ba54cde66f 100644
|
||||
--- a/base/gp_os2pr.c
|
||||
+++ b/base/gp_os2pr.c
|
||||
@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
|
||||
FILE ** pfile, char *rfname, uint rnamelen)
|
||||
{
|
||||
os2_printer_t *pr = (os2_printer_t *)iodev->state;
|
||||
- char driver_name[256];
|
||||
+ char driver_name[gp_file_name_sizeof];
|
||||
gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
|
||||
gs_fs_list_t *fs = ctx->core->fs;
|
||||
+ const size_t preflen = strlen(iodev->dname);
|
||||
+ const int size_t = strlen(fname);
|
||||
+
|
||||
+ if (preflen + nlen >= gp_file_name_sizeof)
|
||||
+ return_error(gs_error_invalidaccess);
|
||||
+
|
||||
+ memcpy(driver_name, iodev->dname, preflen);
|
||||
+ memcpy(driver_name + preflen, fname, nlen + 1);
|
||||
+
|
||||
+ if (gp_validate_path(mem, driver_name, access) != 0)
|
||||
+ return gs_error_invalidfileaccess;
|
||||
|
||||
/* First we try the open_printer method. */
|
||||
/* Note that the loop condition here ensures we don't
|
||||
diff --git a/base/gslibctx.c b/base/gslibctx.c
|
||||
index 6dfed6cd5a..318039fad0 100644
|
||||
--- a/base/gslibctx.c
|
||||
+++ b/base/gslibctx.c
|
||||
@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
|
||||
int
|
||||
gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
|
||||
{
|
||||
- char *fp, f[gp_file_name_sizeof];
|
||||
- const int pipe = 124; /* ASCII code for '|' */
|
||||
- const int len = strlen(fname);
|
||||
- int i, code;
|
||||
+ char f[gp_file_name_sizeof];
|
||||
+ int code;
|
||||
|
||||
/* Be sure the string copy will fit */
|
||||
- if (len >= gp_file_name_sizeof)
|
||||
+ if (strlen(fname) >= gp_file_name_sizeof)
|
||||
return gs_error_rangecheck;
|
||||
strcpy(f, fname);
|
||||
- fp = f;
|
||||
/* Try to rewrite any %d (or similar) in the string */
|
||||
rewrite_percent_specifiers(f);
|
||||
- for (i = 0; i < len; i++) {
|
||||
- if (f[i] == pipe) {
|
||||
- fp = &f[i + 1];
|
||||
- /* Because we potentially have to check file permissions at two levels
|
||||
- for the output file (gx_device_open_output_file and the low level
|
||||
- fopen API, if we're using a pipe, we have to add both the full string,
|
||||
- (including the '|', and just the command to which we pipe - since at
|
||||
- the pipe_fopen(), the leading '|' has been stripped.
|
||||
- */
|
||||
- code = gs_add_control_path(mem, gs_permit_file_writing, f);
|
||||
- if (code < 0)
|
||||
- return code;
|
||||
- code = gs_add_control_path(mem, gs_permit_file_control, f);
|
||||
- if (code < 0)
|
||||
- return code;
|
||||
- break;
|
||||
- }
|
||||
- if (!IS_WHITESPACE(f[i]))
|
||||
- break;
|
||||
- }
|
||||
- code = gs_add_control_path(mem, gs_permit_file_control, fp);
|
||||
+
|
||||
+ code = gs_add_control_path(mem, gs_permit_file_control, f);
|
||||
if (code < 0)
|
||||
return code;
|
||||
- return gs_add_control_path(mem, gs_permit_file_writing, fp);
|
||||
+ return gs_add_control_path(mem, gs_permit_file_writing, f);
|
||||
}
|
||||
|
||||
int
|
||||
gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
|
||||
{
|
||||
- char *fp, f[gp_file_name_sizeof];
|
||||
- const int pipe = 124; /* ASCII code for '|' */
|
||||
- const int len = strlen(fname);
|
||||
- int i, code;
|
||||
+ char f[gp_file_name_sizeof];
|
||||
+ int code;
|
||||
|
||||
/* Be sure the string copy will fit */
|
||||
- if (len >= gp_file_name_sizeof)
|
||||
+ if (strlen(fname) >= gp_file_name_sizeof)
|
||||
return gs_error_rangecheck;
|
||||
strcpy(f, fname);
|
||||
- fp = f;
|
||||
/* Try to rewrite any %d (or similar) in the string */
|
||||
- for (i = 0; i < len; i++) {
|
||||
- if (f[i] == pipe) {
|
||||
- fp = &f[i + 1];
|
||||
- /* Because we potentially have to check file permissions at two levels
|
||||
- for the output file (gx_device_open_output_file and the low level
|
||||
- fopen API, if we're using a pipe, we have to add both the full string,
|
||||
- (including the '|', and just the command to which we pipe - since at
|
||||
- the pipe_fopen(), the leading '|' has been stripped.
|
||||
- */
|
||||
- code = gs_remove_control_path(mem, gs_permit_file_writing, f);
|
||||
- if (code < 0)
|
||||
- return code;
|
||||
- code = gs_remove_control_path(mem, gs_permit_file_control, f);
|
||||
- if (code < 0)
|
||||
- return code;
|
||||
- break;
|
||||
- }
|
||||
- if (!IS_WHITESPACE(f[i]))
|
||||
- break;
|
||||
- }
|
||||
- code = gs_remove_control_path(mem, gs_permit_file_control, fp);
|
||||
+ rewrite_percent_specifiers(f);
|
||||
+
|
||||
+ code = gs_remove_control_path(mem, gs_permit_file_control, f);
|
||||
if (code < 0)
|
||||
return code;
|
||||
- return gs_remove_control_path(mem, gs_permit_file_writing, fp);
|
||||
+ return gs_remove_control_path(mem, gs_permit_file_writing, f);
|
||||
}
|
||||
|
||||
int
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,43 +0,0 @@
|
||||
diff --git a/base/gpmisc.c b/base/gpmisc.c
|
||||
index 2b43f89..186d9b7 100644
|
||||
--- a/base/gpmisc.c
|
||||
+++ b/base/gpmisc.c
|
||||
@@ -1089,6 +1089,27 @@ gp_validate_path_len(const gs_memory_t *mem,
|
||||
rlen = len;
|
||||
}
|
||||
else {
|
||||
+ char *test = (char *)path, *test1;
|
||||
+ uint tlen = len, slen;
|
||||
+
|
||||
+ /* Look for any pipe (%pipe% or '|' specifications between path separators
|
||||
+ * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
|
||||
+ */
|
||||
+ while (tlen > 0) {
|
||||
+ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
|
||||
+ code = gs_note_error(gs_error_invalidfileaccess);
|
||||
+ goto exit;
|
||||
+ }
|
||||
+ test1 = test;
|
||||
+ slen = search_separator((const char **)&test, path + len, test1, 1);
|
||||
+ if(slen == 0)
|
||||
+ break;
|
||||
+ test += slen;
|
||||
+ tlen -= test - test1;
|
||||
+ if (test >= path + len)
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
rlen = len+1;
|
||||
bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
|
||||
if (bufferfull == NULL)
|
||||
@@ -1163,8 +1184,8 @@ gp_validate_path_len(const gs_memory_t *mem,
|
||||
|
||||
continue;
|
||||
}
|
||||
- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
|
||||
- buffer = bufferfull + cdirstrl + dirsepstrl;
|
||||
+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
|
||||
+ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
|
||||
continue;
|
||||
}
|
||||
break;
|
@ -1,69 +0,0 @@
|
||||
diff --git a/base/gpmisc.c b/base/gpmisc.c
|
||||
index f9a9230..2b43f89 100644
|
||||
--- a/base/gpmisc.c
|
||||
+++ b/base/gpmisc.c
|
||||
@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
|
||||
const uint len,
|
||||
const char *mode)
|
||||
{
|
||||
- char *buffer, *bufferfull;
|
||||
+ char *buffer, *bufferfull = NULL;
|
||||
uint rlen;
|
||||
int code = 0;
|
||||
const char *cdirstr = gp_file_name_current();
|
||||
@@ -1095,8 +1095,10 @@ gp_validate_path_len(const gs_memory_t *mem,
|
||||
return gs_error_VMerror;
|
||||
|
||||
buffer = bufferfull + prefix_len;
|
||||
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
|
||||
- return gs_error_invalidfileaccess;
|
||||
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
|
||||
+ code = gs_note_error(gs_error_invalidfileaccess);
|
||||
+ goto exit;
|
||||
+ }
|
||||
buffer[rlen] = 0;
|
||||
}
|
||||
while (1) {
|
||||
@@ -1131,9 +1133,34 @@ gp_validate_path_len(const gs_memory_t *mem,
|
||||
code = gs_note_error(gs_error_invalidfileaccess);
|
||||
}
|
||||
if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
|
||||
+ uint newlen = rlen + cdirstrl + dirsepstrl;
|
||||
+ char *newbuffer;
|
||||
+ int code;
|
||||
+
|
||||
buffer = bufferfull;
|
||||
memcpy(buffer, cdirstr, cdirstrl);
|
||||
memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
|
||||
+
|
||||
+ /* We've prepended a './' or similar for the current working directory. We need
|
||||
+ * to execute file_name_reduce on that, to eliminate any '../' or similar from
|
||||
+ * the (new) full path.
|
||||
+ */
|
||||
+ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
|
||||
+ if (newbuffer == NULL) {
|
||||
+ code = gs_note_error(gs_error_VMerror);
|
||||
+ goto exit;
|
||||
+ }
|
||||
+
|
||||
+ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
|
||||
+ newbuffer[newlen] = 0x00;
|
||||
+
|
||||
+ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
|
||||
+ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
|
||||
+ if (code != gp_combine_success) {
|
||||
+ code = gs_note_error(gs_error_invalidfileaccess);
|
||||
+ goto exit;
|
||||
+ }
|
||||
+
|
||||
continue;
|
||||
}
|
||||
else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
|
||||
@@ -1152,6 +1179,7 @@ gp_validate_path_len(const gs_memory_t *mem,
|
||||
gs_path_control_flag_is_scratch_file);
|
||||
}
|
||||
|
||||
+exit:
|
||||
gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
|
||||
#ifdef EACCES
|
||||
if (code == gs_error_invalidfileaccess)
|
@ -1,62 +0,0 @@
|
||||
diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
|
||||
index 70475ad..013a497 100644
|
||||
--- a/contrib/opvp/gdevopvp.c
|
||||
+++ b/contrib/opvp/gdevopvp.c
|
||||
@@ -185,7 +185,7 @@ static int opvp_copy_color(gx_device *, const byte *, int, int,
|
||||
static int _get_params(gs_param_list *);
|
||||
static int opvp_get_params(gx_device *, gs_param_list *);
|
||||
static int oprp_get_params(gx_device *, gs_param_list *);
|
||||
-static int _put_params(gs_param_list *);
|
||||
+static int _put_params(gx_device *, gs_param_list *);
|
||||
static int opvp_put_params(gx_device *, gs_param_list *);
|
||||
static int oprp_put_params(gx_device *, gs_param_list *);
|
||||
static int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *,
|
||||
@@ -3043,7 +3043,7 @@ _get_params(gs_param_list *plist)
|
||||
/* vector driver name */
|
||||
pname = "Driver";
|
||||
vdps.data = (byte *)vectorDriver;
|
||||
- vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0);
|
||||
+ vdps.size = (vectorDriver ? strlen(vectorDriver) : 0);
|
||||
vdps.persistent = false;
|
||||
code = param_write_string(plist, pname, &vdps);
|
||||
if (code) ecode = code;
|
||||
@@ -3180,7 +3180,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist)
|
||||
* put params
|
||||
*/
|
||||
static int
|
||||
-_put_params(gs_param_list *plist)
|
||||
+_put_params(gx_device *dev, gs_param_list *plist)
|
||||
{
|
||||
int code;
|
||||
int ecode = 0;
|
||||
@@ -3202,6 +3202,12 @@ _put_params(gs_param_list *plist)
|
||||
code = param_read_string(plist, pname, &vdps);
|
||||
switch (code) {
|
||||
case 0:
|
||||
+ if (gs_is_path_control_active(dev->memory)
|
||||
+ && (!vectorDriver || strlen(vectorDriver) != vdps.size
|
||||
+ || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) {
|
||||
+ param_signal_error(plist, pname, gs_error_invalidaccess);
|
||||
+ return_error(gs_error_invalidaccess);
|
||||
+ }
|
||||
buff = realloc(buff, vdps.size + 1);
|
||||
memcpy(buff, vdps.data, vdps.size);
|
||||
buff[vdps.size] = 0;
|
||||
@@ -3403,7 +3409,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist)
|
||||
int code;
|
||||
|
||||
/* put params */
|
||||
- code = _put_params(plist);
|
||||
+ code = _put_params(dev, plist);
|
||||
if (code) return code;
|
||||
|
||||
/* put default params */
|
||||
@@ -3419,7 +3425,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist)
|
||||
int code;
|
||||
|
||||
/* put params */
|
||||
- code = _put_params(plist);
|
||||
+ code = _put_params(dev, plist);
|
||||
if (code) return code;
|
||||
|
||||
/* put default params */
|
Loading…
Reference in New Issue
Block a user