ghostscript/ghostscript-bz1380416.patch
David Kaspar [Dee'Kej] e40ca66c63 ghostscript-bz1380416.patch added
Security fix for BZ #1380416.
2016-10-04 10:40:24 +02:00

81 lines
3.1 KiB
Diff

From dea6ef9be04e25df06a02cbefa45811f640d3298 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Sat, 5 Mar 2016 14:56:03 -0800
Subject: [PATCH] Bug 694724: Have filenameforall and getenv honor SAFER
---
Resource/Init/gs_init.ps | 2 ++
psi/zfile.c | 36 ++++++++++++++++++++----------------
2 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index 13f11cb..722b78d 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -2030,6 +2030,7 @@ readonly def
/.locksafe {
.locksafe_userparams
+ systemdict /getenv {pop //false} put
% setpagedevice has the side effect of clearing the page, but
% we will just document that. Using setpagedevice keeps the device
% properties and pagedevice .LockSafetyParams in agreement even
@@ -2048,6 +2049,7 @@ readonly def
%%
/.locksafeglobal {
.locksafe_userparams
+ systemdict /getenv {pop //false} put
% setpagedevice has the side effect of clearing the page, but
% we will just document that. Using setpagedevice keeps the device
% properties and pagedevice .LockSafetyParams in agreement even
diff --git a/psi/zfile.c b/psi/zfile.c
index 93fd78c..e323899 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -371,22 +371,26 @@ file_continue(i_ctx_t *i_ctx_p)
if (len < devlen)
return_error(e_rangecheck); /* not even room for device len */
- memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
- code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
- len - devlen);
- if (code == ~(uint) 0) { /* all done */
- esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
- return o_pop_estack;
- } else if (code > len) /* overran string */
- return_error(e_rangecheck);
- else {
- push(1);
- ref_assign(op, pscratch);
- r_set_size(op, code + devlen);
- push_op_estack(file_continue); /* come again */
- *++esp = pscratch[2]; /* proc */
- return o_push_estack;
- }
+
+ do {
+ memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
+ code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
+ len - devlen);
+ if (code == ~(uint) 0) { /* all done */
+ esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
+ return o_pop_estack;
+ } else if (code > len) /* overran string */
+ return_error(gs_error_rangecheck);
+ else if (iodev != iodev_default(imemory)
+ || (check_file_permissions_reduced(i_ctx_p, (char *)pscratch->value.bytes, code + devlen, "PermitFileReading")) == 0) {
+ push(1);
+ ref_assign(op, pscratch);
+ r_set_size(op, code + devlen);
+ push_op_estack(file_continue); /* come again */
+ *++esp = pscratch[2]; /* proc */
+ return o_push_estack;
+ }
+ } while(1);
}
/* Cleanup procedure for enumerating files */
static int
--
2.7.4