ghostscript/ghostscript-vsnprintf.patch
Tim Waugh 59db7de965 - Fix debugging output from gdevcups (CVE-2009-4270, bug #540760).
- Harden ghostscript's debugging output functions (bug #540760).
2009-12-24 11:31:29 +00:00

65 lines
2.4 KiB
Diff

diff -up ghostscript-8.70/base/gsmisc.c.vsnprintf ghostscript-8.70/base/gsmisc.c
--- ghostscript-8.70/base/gsmisc.c.vsnprintf 2008-01-07 18:43:02.000000000 +0000
+++ ghostscript-8.70/base/gsmisc.c 2009-11-24 17:16:38.575250571 +0000
@@ -69,10 +69,10 @@ int outprintf(const gs_memory_t *mem, co
va_start(args, fmt);
- count = vsprintf(buf, fmt, args);
+ count = vsnprintf(buf, sizeof (buf), fmt, args);
outwrite(mem, buf, count);
- if (count >= PRINTF_BUF_LENGTH) {
- count = sprintf(buf,
+ if (count == -1 || count >= sizeof (buf)) {
+ count = snprintf(buf, sizeof (buf),
"PANIC: printf exceeded %d bytes. Stack has been corrupted.\n",
PRINTF_BUF_LENGTH);
outwrite(mem, buf, count);
@@ -89,10 +89,10 @@ int errprintf(const char *fmt, ...)
va_start(args, fmt);
- count = vsprintf(buf, fmt, args);
+ count = vsnprintf(buf, sizeof (buf), fmt, args);
errwrite(buf, count);
- if (count >= PRINTF_BUF_LENGTH) {
- count = sprintf(buf,
+ if (count == -1 || count >= sizeof (buf)) {
+ count = snprintf(buf, sizeof (buf),
"PANIC: printf exceeded %d bytes. Stack has been corrupted.\n",
PRINTF_BUF_LENGTH);
errwrite(buf, count);
@@ -236,7 +236,7 @@ int gs_throw_imp(const char *func, const
va_list ap;
va_start(ap, fmt);
- vsprintf(msg, fmt, ap);
+ vsnprintf(msg, sizeof (msg), fmt, ap);
msg[sizeof(msg) - 1] = 0;
va_end(ap);
diff -up ghostscript-8.70/base/gxttfb.c.vsnprintf ghostscript-8.70/base/gxttfb.c
--- ghostscript-8.70/base/gxttfb.c.vsnprintf 2009-07-09 06:59:44.000000000 +0100
+++ ghostscript-8.70/base/gxttfb.c 2009-11-24 17:16:38.577250996 +0000
@@ -246,7 +246,7 @@ static int DebugPrint(ttfFont *ttf, cons
if (gs_debug_c('Y')) {
va_start(args, fmt);
- count = vsprintf(buf, fmt, args);
+ count = vsnprintf(buf, sizeof (buf), fmt, args);
/* NB: moved debug output from stdout to stderr
*/
errwrite(buf, count);
diff -up ghostscript-8.70/base/rinkj/rinkj-byte-stream.c.vsnprintf ghostscript-8.70/base/rinkj/rinkj-byte-stream.c
--- ghostscript-8.70/base/rinkj/rinkj-byte-stream.c.vsnprintf 2008-04-04 02:02:16.000000000 +0100
+++ ghostscript-8.70/base/rinkj/rinkj-byte-stream.c 2009-11-24 17:16:38.577250996 +0000
@@ -43,7 +43,7 @@ rinkj_byte_stream_printf (RinkjByteStrea
va_list ap;
va_start (ap, fmt);
- len = vsprintf (str, fmt, ap);
+ len = vsnprintf (str, sizeof (str), fmt, ap);
va_end (ap);
return rinkj_byte_stream_write (bs, str, len);
}