ghostscript/ghostscript-CVE-2010-1628.patch
2010-07-16 12:51:22 +00:00


diff -up ghostscript-8.70/psi/ialloc.c.CVE-2010-1628 ghostscript-8.70/psi/ialloc.c
--- ghostscript-8.70/psi/ialloc.c.CVE-2010-1628 2008-08-28 23:48:19.000000000 +0100
+++ ghostscript-8.70/psi/ialloc.c 2010-07-16 12:15:45.230948203 +0100
@@ -185,7 +185,14 @@ gs_alloc_ref_array(gs_ref_memory_t * mem
*/
chunk_t *pcc = mem->pcc;
ref *end;
+ alloc_change_t *cp = 0;
+ int code = 0;
+ if ((gs_memory_t *)mem != mem->stable_memory) {
+ code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &cp);
+ if (code < 0)
+ return code;
+ }
obj = gs_alloc_struct_array((gs_memory_t *) mem, num_refs + 1,
ref, &st_refs, cname);
if (obj == 0)
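Review bot: The change record `cp` is now allocated before `gs_alloc_struct_array`, so the `obj == 0` failure path has to release it, and nothing in this hunk does. The body of that `if` lies outside the hunk; if it only returns the VM error, the record is neither linked into `mem->changes` nor freed. Releasing it there, e.g. `gs_free_object((gs_memory_t *)mem, cp, "gs_alloc_ref_array");` before the return, would close that path. No `alloc_save_remove` call should be needed, because the record has not been attached to the chain at that point.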
@@ -210,14 +217,10 @@ gs_alloc_ref_array(gs_ref_memory_t * mem
chunk_locate_ptr(obj, &cl);
cl.cp->has_refs = true;
}
- if ((gs_memory_t *)mem != mem->stable_memory) {
- ref_packed **ppr = 0;
- int code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &ppr);
- if (code < 0)
- return code;
- if (ppr)
- *ppr = (ref_packed *)obj;
- }
+ if (cp) {
+ mem->changes = cp;
+ cp->where = (ref_packed *)obj;
+ }
}
make_array(parr, attrs | mem->space, num_refs, obj);
return 0;
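Review bot: The deferred link under `if (cp)` is the core of the fix, but it has no comment explaining why the record is attached only here. I would add `/* Attach the record only once obj exists, so mem->changes never holds an AC_OFFSET_ALLOCATED entry whose 'where' is still 0. */` above it. I would also assign `cp->where = (ref_packed *)obj;` before `mem->changes = cp;`, so the record is complete by the time it becomes reachable from the chain. The enclosing function starts before this hunk.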
diff -up ghostscript-8.70/psi/idosave.h.CVE-2010-1628 ghostscript-8.70/psi/idosave.h
--- ghostscript-8.70/psi/idosave.h.CVE-2010-1628 2008-08-28 23:48:19.000000000 +0100
+++ ghostscript-8.70/psi/idosave.h 2010-07-16 12:15:45.238073609 +0100
@@ -18,6 +18,22 @@
# define idosave_INCLUDED
/*
+ * Structure for saved change chain for save/restore. Because of the
+ * garbage collector, we need to distinguish the cases where the change
+ * is in a static object, a dynamic ref, or a dynamic struct.
+ */
+typedef struct alloc_change_s alloc_change_t;
+struct alloc_change_s {
+ alloc_change_t *next;
+ ref_packed *where;
+ ref contents;
+#define AC_OFFSET_STATIC (-2) /* static object */
+#define AC_OFFSET_REF (-1) /* dynamic ref */
+#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */
+ short offset; /* if >= 0, offset within struct */
+};
+
+/*
* Save a change that must be undone by restore. We have to pass the
* pointer to the containing object to alloc_save_change for two reasons:
*
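Review bot: `struct alloc_change_s` embeds a `ref` by value, so idosave.h now needs the complete definition of `ref` wherever it is included, and this hunk adds no include or note for that. Whether the header already pulls in that definition is not visible here. If it does not, either include it at the top of idosave.h or add a comment such as `/* Requires the ref definition to be included first. */`. The `AC_OFFSET_*` macros also become visible to every includer, which is worth a line in the struct comment. The hunk ends in the middle of the following comment block.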
@@ -29,6 +45,7 @@
* relocate the pointer to it from the change record during garbage
* collection.
*/
+
int alloc_save_change(gs_dual_memory_t *dmem, const ref *pcont,
ref_packed *ptr, client_name_t cname);
int alloc_save_change_in(gs_ref_memory_t *mem, const ref *pcont,
@@ -36,6 +53,6 @@ int alloc_save_change_in(gs_ref_memory_t
/* Remove an AC_OFFSET_ALLOCATED element. */
void alloc_save_remove(gs_ref_memory_t *mem, ref_packed *obj, client_name_t cname);
/* Allocate a structure for recording an allocation event. */
-int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr);
+int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp);
#endif /* idosave_INCLUDED */
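Review bot: The one-line comment above `alloc_save_change_alloc` no longer describes the contract. With `alloc_change_t **pcp` the function hands back a record that is not yet on the change chain, and the caller must fill in `where` and attach it. I would replace it with `/* Allocate an unlinked AC_OFFSET_ALLOCATED record; on success the caller sets (*pcp)->where and links it into mem->changes. */`. It should also say what `*pcp` holds when no record is produced; that path is not visible in this patch.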
diff -up ghostscript-8.70/psi/isave.c.CVE-2010-1628 ghostscript-8.70/psi/isave.c
--- ghostscript-8.70/psi/isave.c.CVE-2010-1628 2008-08-28 23:48:19.000000000 +0100
+++ ghostscript-8.70/psi/isave.c 2010-07-16 12:15:45.245073557 +0100
@@ -156,22 +156,6 @@ print_save(const char *str, uint spacen,
/* A link to igcref.c . */
ptr_proc_reloc(igc_reloc_ref_ptr_nocheck, ref_packed);
-/*
- * Structure for saved change chain for save/restore. Because of the
- * garbage collector, we need to distinguish the cases where the change
- * is in a static object, a dynamic ref, or a dynamic struct.
- */
-typedef struct alloc_change_s alloc_change_t;
-struct alloc_change_s {
- alloc_change_t *next;
- ref_packed *where;
- ref contents;
-#define AC_OFFSET_STATIC (-2) /* static object */
-#define AC_OFFSET_REF (-1) /* dynamic ref */
-#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */
- short offset; /* if >= 0, offset within struct */
-};
-
static
CLEAR_MARKS_PROC(change_clear_marks)
{
@@ -519,7 +503,7 @@ alloc_save_change(gs_dual_memory_t * dme
/* Allocate a structure for recording an allocation event. */
int
-alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr)
+alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp)
{
register alloc_change_t *cp;
@@ -533,8 +517,7 @@ alloc_save_change_alloc(gs_ref_memory_t
cp->where = 0;
cp->offset = AC_OFFSET_ALLOCATED;
make_null(&cp->contents);
- mem->changes = cp;
- *ppr = &cp->where;
+ *pcp = cp;
return 1;
}
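Review bot: `*pcp` is written only on the success path shown here (`*pcp = cp; return 1;`), so any earlier return outside this hunk leaves the caller's pointer untouched. The ialloc.c caller pre-initialises `cp = 0`, but the function would be more robust with `*pcp = 0;` at its top, so that no caller depends on that. If `cp->next` is taken from `mem->changes` earlier in this function (not visible here), the caller's later `mem->changes = cp` assumes the chain head has not moved in between. That assumption deserves a comment next to the `*pcp = cp;` line.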