We truncated the diff of some files because they were too big. If you want to see the full diff for every file,
click here
.
Changes of Revision 2
_service:tar_scm:ghostscript.spec
Changed
@@ -9,7 +9,7 @@
 Name: ghostscript
 Version: 9.56.1
-Release: 5
+Release: 8
 Summary: An interpreter for PostScript and PDF files
 License: AGPLv3+
 URL: https://ghostscript.com/
@@ -45,6 +45,25 @@
 Patch107: fix-CVE-2024-33869.patch
 Patch108: fix-CVE-2024-33870.patch
 Patch109: fix-CVE-2024-33871.patch
+# https://bugs.ghostscript.com/show_bug.cgi?id=707510
+# CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511
+# CVE-2024-29509
+Patch110: Bug-707510-don-t-use-strlen-on-passwords.patch
+# CVE-2024-29506
+Patch111: Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
+# CVE-2024-29507
+Patch112: Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
+# CVE-2024-29508
+Patch113: Bug-707510-review-printing-of-pointers.patch
+# CVE-2024-29511
+Patch114: Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch
+Patch115: Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch
+
+Patch116: Bug-707510-fix-LIBIDN-usage.patch
+
+# See bug thread for details
+#This is the second part of the fix for CVE-2024-33869
+Patch117: fix-CVE-2024-33869-second.patch
 BuildRequires: automake gcc
 BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -122,6 +141,15 @@
 %patch107 -p1
 %patch108 -p1
 %patch109 -p1
+%patch110 -p1
+%patch111 -p1
+%patch112 -p1
+%patch113 -p1
+%patch114 -p1
+%patch115 -p1
+%patch116 -p1
+%patch117 -p1
+
 # Libraries that we already have packaged(see Build Requirements):
 rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
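Review bot: `Patch116` is the only new entry in the patch list of the second hunk without a provenance comment, and the comment above `Patch117` (`# See bug thread for details`) does not say which bug it means. Adding `# Bug 707510 (PATCH 7/7): not a reported fault, fixes LIBIDN usage` above `Patch116` and `# Bug 707691 part 2` above `Patch117` would let an auditor map each patch to its upstream report without opening the patch files. `Patch115` is tied to `# CVE-2024-29511` only by its position under `Patch114`; the 9.56.1-8 changelog entry calls it the second part of that fix, and a comment saying so next to the patch line would make the link explicit.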
@@ -215,6 +243,24 @@
 %{_bindir}/dvipdf
 %changelog
+* Fri Jul 12 2024 zhangxianting <zhangxianting@uniontech.com> - 9.56.1-8
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: This is the second part of the fix for CVE-2024-29511
+
+* Fri Jul 12 2024 zhangxingrong-<zhangxingrong@uniontech.cn> - 9.56.1-7
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: This is the second part of the fix for CVE-2024-33869
+
+* Thu Jul 04 2024 zhangxianting <zhangxianting@uniontech.com> - 9.56.1-6
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: fix CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511
+
 * Fri May 10 2024 xuchenchen <xuchenchen@kylinos.cn> - 9.56.1-5
 - Type:CVE
 - ID:NA
_service:tar_scm:Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
Added
@@ -0,0 +1,93 @@
+From 7745dbe24514710b0cfba925e608e607dee9eb0f Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 24 Jan 2024 18:25:12 +0000
+Subject: PATCH 3/7 Bug 707510(3): Bounds checks when using CIDFont related
+ params
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7745dbe24514
+
+Specifically, for CIDFont substitution.
+---
+ pdf/pdf_font.c | 45 +++++++++++++++++++++++++++++++++++++++------
+ pdf/pdf_warnings.h | 2 +-
+ 2 files changed, 40 insertions(+), 7 deletions(-)
+
+diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
+index fa71605..89c13ab 100644
+--- a/pdf/pdf_font.c
++++ b/pdf/pdf_font.c
+@@ -228,22 +228,55 @@ pdfi_open_CIDFont_substitute_file(pdf_context * ctx, pdf_dict *font_dict, pdf_di
+ memcpy(fontfname, fsprefix, fsprefixlen);
+ }
+ else {
+- memcpy(fontfname, ctx->args.cidsubstpath.data, ctx->args.cidsubstpath.size);
+- fsprefixlen = ctx->args.cidsubstpath.size;
++ if (ctx->args.cidsubstpath.size + 1 > gp_file_name_sizeof) {
++ code = gs_note_error(gs_error_rangecheck);
++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstPath parameter too long");
++ if (ctx->args.pdfstoponwarning != 0) {
++ goto exit;
++ }
++ code = 0;
++ memcpy(fontfname, fsprefix, fsprefixlen);
++ }
++ else {
++ memcpy(fontfname, ctx->args.cidsubstpath.data, ctx->args.cidsubstpath.size);
++ fsprefixlen = ctx->args.cidsubstpath.size;
++ }
+ }
+
+ if (ctx->args.cidsubstfont.data == NULL) {
+ int len = 0;
+- if (gp_getenv("CIDSUBSTFONT", (char *)0, &len) < 0 && len + fsprefixlen + 1 < gp_file_name_sizeof) {
+- (void)gp_getenv("CIDSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
++ if (gp_getenv("CIDSUBSTFONT", (char *)0, &len) < 0) {
++ if (len + fsprefixlen + 1 > gp_file_name_sizeof) {
++ code = gs_note_error(gs_error_rangecheck);
++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSUBSTFONT environment variable too long");
++ if (ctx->args.pdfstoponwarning != 0) {
++ goto exit;
++ }
++ code = 0;
++ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
++ }
++ else {
++ (void)gp_getenv("CIDSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
++ }
+ }
+ else {
+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
+ }
+ }
+ else {
+- memcpy(fontfname, ctx->args.cidsubstfont.data, ctx->args.cidsubstfont.size);
+- defcidfallacklen = ctx->args.cidsubstfont.size;
++ if (ctx->args.cidsubstfont.size > gp_file_name_sizeof - 1) {
++ code = gs_note_error(gs_error_rangecheck);
++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstFont parameter too long");
++ if (ctx->args.pdfstoponwarning != 0) {
++ goto exit;
++ }
++ code = 0;
++ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
++ }
++ else {
++ memcpy(fontfname, ctx->args.cidsubstfont.data, ctx->args.cidsubstfont.size);
++ defcidfallacklen = ctx->args.cidsubstfont.size;
++ }
+ }
+ fontfnamefsprefixlen + defcidfallacklen = '\0';
+
+diff --git a/pdf/pdf_warnings.h b/pdf/pdf_warnings.h
+index 21b2403..bfbc3a7 100644
+--- a/pdf/pdf_warnings.h
++++ b/pdf/pdf_warnings.h
+@@ -58,5 +58,5 @@ PARAM(W_PDF_CA_OUTOFRANGE, "CA or ca value not in range 0.0 to 1.0, cla
+ PARAM(W_PDF_INVALID_DEFAULTSPACE, "Invalid DefaultGray, DefaultRGB or DefaultCMYK space specified, ignored."),
+ PARAM(W_PDF_INVALID_DECRYPT_LEN, "Invalid /Length supplied in Encryption dictionary."),
+ PARAM(W_PDF_INVALID_FONT_BASEENC, "Ignoring invalid BaseEncoding name in font"),
+-
++PARAM(W_PDF_BAD_CONFIG, "A configuration or command line parameter was invalid or incorrect."),
+ #undef PARAM
+--
+2.43.0
+
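Review bot: The CIDSubstFont branch compares only `ctx->args.cidsubstfont.size` with `gp_file_name_sizeof - 1`, yet the terminator is afterwards written at index `fsprefixlen + defcidfallacklen`, so a non-zero `fsprefixlen` left from the prefix step can still push that write past the end of `fontfname` (assuming the buffer holds `gp_file_name_sizeof` bytes; its declaration is outside the hunk). The three fallback copies `memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen)` have the same gap: they run after a length failure without checking that the prefix plus the default name fit. Because this branch copies to the start of `fontfname`, adding `fsprefixlen = 0;` after that copy, and guarding each fallback with `if (fsprefixlen + defcidfallacklen + 1 > gp_file_name_sizeof)`, would bound the combined length rather than each part separately. The body of pdfi_open_CIDFont_substitute_file starts and ends outside the hunk.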
_service:tar_scm:Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch
Added
@@ -0,0 +1,215 @@
+From 638159c43dbb48425a187d244ec288d252d0ecf4 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 31 Jan 2024 14:08:18 +0000
+Subject: PATCH 6/7 Bug 707510(5)2: The original fix was overly aggressive
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=638159c43dbb48425a187d244ec288d252d0ecf4
+
+The way the default OCRLanguage value was set was for the relevant get_params
+methods to check if the value had been set, and if not return a default value.
+This could result in the first time the put_params seeing that value being after
+path control has been enabled, meaning it would throw an invalidaccess error.
+
+This changes how we set the default: they now uses an init_device method, so
+the string is populated from the device's creation. This works correctly for
+both the default value, and for values set on the command line.
+---
+ devices/gdevocr.c | 17 ++++++++++++++++-
+ devices/gdevpdfocr.c | 28 ++++++++++++++++++++++------
+ devices/vector/gdevpdf.c | 15 +++++++++++++++
+ devices/vector/gdevpdfp.c | 3 ++-
+ 4 files changed, 55 insertions(+), 8 deletions(-)
+
+diff --git a/devices/gdevocr.c b/devices/gdevocr.c
+index 7f2c6ea3b..b874525de 100644
+--- a/devices/gdevocr.c
++++ b/devices/gdevocr.c
+@@ -30,6 +30,7 @@
+ #define X_DPI 72
+ #define Y_DPI 72
+
++static dev_proc_initialize_device(ocr_initialize_device);
+ static dev_proc_print_page(ocr_print_page);
+ static dev_proc_print_page(hocr_print_page);
+ static dev_proc_get_params(ocr_get_params);
+@@ -55,6 +56,7 @@ ocr_initialize_device_procs(gx_device *dev)
+ {
+ gdev_prn_initialize_device_procs_gray_bg(dev);
+
++ set_dev_proc(dev, initialize_device, ocr_initialize_device);
+ set_dev_proc(dev, open_device, ocr_open);
+ set_dev_proc(dev, close_device, ocr_close);
+ set_dev_proc(dev, get_params, ocr_get_params);
+@@ -79,6 +81,7 @@ hocr_initialize_device_procs(gx_device *dev)
+ {
+ gdev_prn_initialize_device_procs_gray_bg(dev);
+
++ set_dev_proc(dev, 
initialize_device, ocr_initialize_device);
+ set_dev_proc(dev, open_device, ocr_open);
+ set_dev_proc(dev, close_device, hocr_close);
+ set_dev_proc(dev, get_params, ocr_get_params);
+@@ -102,6 +105,17 @@ const gx_device_ocr gs_hocr_device =
+ #define HOCR_HEADER "<html>\n <body>\n"
+ #define HOCR_TRAILER " </body>\n</html>\n"
+
++static int
++ocr_initialize_device(gx_device *dev)
++{
++ gx_device_ocr *odev = (gx_device_ocr *)dev;
++ const char *default_ocr_lang = "eng";
++
++ odev->language0 = '\0';
++ strcpy(odev->language, default_ocr_lang);
++ return 0;
++}
++
+ static int
+ ocr_open(gx_device *pdev)
+ {
+@@ -185,7 +199,8 @@ ocr_put_params(gx_device *dev, gs_param_list *plist)
+
+ switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
+ case 0:
+- if (pdev->memory->gs_lib_ctx->core->path_control_active) {
++ if (pdev->memory->gs_lib_ctx->core->path_control_active
++ && (strlen(pdev->language) != langstr.size || memcmp(pdev->language, langstr.data, langstr.size) != 0)) {
+ return_error(gs_error_invalidaccess);
+ }
+ else {
+diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
+index 0d3c42d8b..f2bec1b49 100644
+--- a/devices/gdevpdfocr.c
++++ b/devices/gdevpdfocr.c
+@@ -33,9 +33,9 @@
+ #include "gdevpdfimg.h"
+ #include "tessocr.h"
+
+-int pdf_ocr_open(gx_device *pdev);
+-int pdf_ocr_close(gx_device *pdev);
+-
++static dev_proc_initialize_device(pdf_ocr_initialize_device);
++static dev_proc_open_device(pdf_ocr_open);
++static dev_proc_close_device(pdf_ocr_close);
+
+ static int
+ pdfocr_put_some_params(gx_device * dev, gs_param_list * plist)
+@@ -50,7 +50,8 @@ pdfocr_put_some_params(gx_device * dev, gs_param_list * plist)
+
+ switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
+ case 0:
+- if (pdf_dev->memory->gs_lib_ctx->core->path_control_active) {
++ if (pdf_dev->memory->gs_lib_ctx->core->path_control_active
++ && (strlen(pdf_dev->ocr.language) != langstr.size || memcmp(pdf_dev->ocr.language, 
langstr.data, langstr.size) != 0)) {
+ return_error(gs_error_invalidaccess);
+ }
+ else {
+@@ -152,6 +153,8 @@ pdfocr8_initialize_device_procs(gx_device *dev)
+ {
+ gdev_prn_initialize_device_procs_gray(dev);
+
++ set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
++ set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
+ set_dev_proc(dev, open_device, pdf_ocr_open);
+ set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
+ set_dev_proc(dev, close_device, pdf_ocr_close);
+@@ -185,6 +188,7 @@ pdfocr24_initialize_device_procs(gx_device *dev)
+ {
+ gdev_prn_initialize_device_procs_rgb(dev);
+
++ set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
+ set_dev_proc(dev, open_device, pdf_ocr_open);
+ set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
+ set_dev_proc(dev, close_device, pdf_ocr_close);
+@@ -216,6 +220,7 @@ pdfocr32_initialize_device_procs(gx_device *dev)
+ {
+ gdev_prn_initialize_device_procs_cmyk8(dev);
+
++ set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
+ set_dev_proc(dev, open_device, pdf_ocr_open);
+ set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
+ set_dev_proc(dev, close_device, pdf_ocr_close);
+@@ -703,7 +708,18 @@ ocr_end_page(gx_device_pdf_image *dev)
+ return 0;
+ }
+
+-int
++static int
++pdf_ocr_initialize_device(gx_device *dev)
++{
++ gx_device_pdf_image *ppdev = (gx_device_pdf_image *)dev;
++ const char *default_ocr_lang = "eng";
++
++ ppdev->ocr.language0 = '\0';
++ strcpy(ppdev->ocr.language, default_ocr_lang);
++ return 0;
++}
++
++static int
+ pdf_ocr_open(gx_device *pdev)
+ {
+ gx_device_pdf_image *ppdev;
+@@ -726,7 +742,7 @@ pdf_ocr_open(gx_device *pdev)
+ return 0;
+ }
+
+-int
++static int
+ pdf_ocr_close(gx_device *pdev)
+ {
+ gx_device_pdf_image *pdf_dev;
+diff --git a/devices/vector/gdevpdf.c b/devices/vector/gdevpdf.c
+index 6e364d1c7..042e1b4e9 100644
+--- a/devices/vector/gdevpdf.c
++++ b/devices/vector/gdevpdf.c
+@@ -215,6 +215,7 @@ 
device_pdfwrite_finalize(const gs_memory_t *cmem, void *vpdev)
+ }
+
+ /* Driver procedures */
++static dev_proc_initialize_device(pdfwrite_initialize_device);
+ static dev_proc_open_device(pdf_open);
+ static dev_proc_output_page(pdf_output_page);
+ static dev_proc_close_device(pdf_close);
+@@ -232,6 +233,7 @@ static dev_proc_close_device(pdf_close);
+ static void
+ pdfwrite_initialize_device_procs(gx_device *dev)
+ {
++ set_dev_proc(dev, initialize_device, pdfwrite_initialize_device);
+ set_dev_proc(dev, open_device, pdf_open);
+ set_dev_proc(dev, get_initial_matrix, gx_upright_get_initial_matrix);
+ set_dev_proc(dev, output_page, pdf_output_page);
+@@ -777,6 +779,19 @@ pdf_reset_text(gx_device_pdf * pdev)
+ pdf_reset_text_state(pdev->text);
+ }
+
++static int
++pdfwrite_initialize_device(gx_device *dev)
++{
++#if OCR_VERSION > 0
++ gx_device_pdf *pdev = (gx_device_pdf *) dev;
++ const char *default_ocr_lang = "eng";
++ pdev->ocr_language0 = '\0';
++ strcpy(pdev->ocr_language, default_ocr_lang);
++#endif
++ return 0;
++}
++
++
+ /* Open the device. */
+ static int
+ pdf_open(gx_device * dev)
+diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c
_service:tar_scm:Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch
Added
@@ -0,0 +1,96 @@
+From 3d4cfdc1a44b1969a0f14c86673a372654d443c4 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 24 Jan 2024 17:06:01 +0000
+Subject: PATCH 5/7 Bug 707510(5): Reject OCRLanguage changes after SAFER
+ enabled
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3d4cfdc1a44
+
+In the devices that support OCR, OCRLanguage really ought never to be set from
+PostScript, so reject attempts to change it if path_control_active is true.
+---
+ devices/gdevocr.c | 15 ++++++++++-----
+ devices/gdevpdfocr.c | 15 ++++++++++-----
+ devices/vector/gdevpdfp.c | 15 ++++++++++-----
+ 3 files changed, 30 insertions(+), 15 deletions(-)
+
+diff --git a/devices/gdevocr.c b/devices/gdevocr.c
+index 88c759c..287b74b 100644
+--- a/devices/gdevocr.c
++++ b/devices/gdevocr.c
+@@ -187,11 +187,16 @@ ocr_put_params(gx_device *dev, gs_param_list *plist)
+
+ switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
+ case 0:
+- len = langstr.size;
+- if (len >= sizeof(pdev->language))
+- len = sizeof(pdev->language)-1;
+- memcpy(pdev->language, langstr.data, len);
+- pdev->languagelen = 0;
++ if (pdev->memory->gs_lib_ctx->core->path_control_active) {
++ return_error(gs_error_invalidaccess);
++ }
++ else {
++ len = langstr.size;
++ if (len >= sizeof(pdev->language))
++ len = sizeof(pdev->language)-1;
++ memcpy(pdev->language, langstr.data, len);
++ pdev->languagelen = 0;
++ }
+ break;
+ case 1:
+ break;
+diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
+index ff60c12..0f3478a 100644
+--- a/devices/gdevpdfocr.c
++++ b/devices/gdevpdfocr.c
+@@ -50,11 +50,16 @@ pdfocr_put_some_params(gx_device * dev, gs_param_list * plist)
+
+ switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
+ case 0:
+- len = langstr.size;
+- if (len >= sizeof(pdf_dev->ocr.language))
+- len = sizeof(pdf_dev->ocr.language)-1;
+- memcpy(pdf_dev->ocr.language, langstr.data, len);
+- pdf_dev->ocr.languagelen = 0;
++ if (pdf_dev->memory->gs_lib_ctx->core->path_control_active) {
++ return_error(gs_error_invalidaccess);
++ }
++ else {
++ len = langstr.size;
++ if (len >= sizeof(pdf_dev->ocr.language))
++ len = sizeof(pdf_dev->ocr.language)-1;
++ memcpy(pdf_dev->ocr.language, langstr.data, len);
++ pdf_dev->ocr.languagelen = 
0; ++ if (pdf_dev->memory->gs_lib_ctx->core->path_control_active) { ++ return_error(gs_error_invalidaccess); ++ } ++ else { ++ len = langstr.size; ++ if (len >= sizeof(pdf_dev->ocr.language)) ++ len = sizeof(pdf_dev->ocr.language)-1; ++ memcpy(pdf_dev->ocr.language, langstr.data, len); ++ pdf_dev->ocr.languagelen = 0; ++ } + break; + case 1: + break; +diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c +index 42fa1c5..23e9bc8 100644 +--- a/devices/vector/gdevpdfp.c ++++ b/devices/vector/gdevpdfp.c +@@ -458,11 +458,16 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par + gs_param_string langstr; + switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) { + case 0: +- len = langstr.size; +- if (len >= sizeof(pdev->ocr_language)) +- len = sizeof(pdev->ocr_language)-1; +- memcpy(pdev->ocr_language, langstr.data, len); +- pdev->ocr_languagelen = 0; ++ if (pdev->memory->gs_lib_ctx->core->path_control_active) { ++ return_error(gs_error_invalidaccess); ++ } ++ else { ++ len = langstr.size; ++ if (len >= sizeof(pdev->ocr_language)) ++ len = sizeof(pdev->ocr_language)-1; ++ memcpy(pdev->ocr_language, langstr.data, len); ++ pdev->ocr_languagelen = 0; ++ } + break; + case 1: + break; +-- +2.43.0 +
_service:tar_scm:Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
Added
@@ -0,0 +1,41 @@
+From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 25 Jan 2024 11:55:49 +0000
+Subject: PATCH 2/7 Bug 707510 - don't allow PDF files with bad Filters to
+ overflow the debug buffer
+http://www.ghostscript.com/cgi-bin/findgit.cgi?77dc7f699beba606937b7ea23b50cf5974fa64b1
+
+Item #2 of the report.
+
+Allocate a buffer to hold the filter name, instead of assuming it will
+fit in a fixed buffer.
+
+Reviewed all the other PDFDEBUG cases, no others use a fixed buffer like
+this.
+---
+ pdf/pdf_file.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/pdf/pdf_file.c b/pdf/pdf_file.c
+index 5698866..89298f0 100644
+--- a/pdf/pdf_file.c
++++ b/pdf/pdf_file.c
+@@ -773,10 +773,14 @@ static int pdfi_apply_filter(pdf_context *ctx, pdf_dict *dict, pdf_name *n, pdf_
+
+ if (ctx->args.pdfdebug)
+ {
+- char str100;
++ char *str;
++ str = gs_alloc_bytes(ctx->memory, n->length + 1, "temp string for debug");
++ if (str == NULL)
++ return_error(gs_error_VMerror);
+ memcpy(str, (const char *)n->data, n->length);
+ strn->length = '\0';
+ dmprintf1(ctx->memory, "FILTER NAME:%s\n", str);
++ gs_free_object(ctx->memory, str, "temp string for debug");
+ }
+
+ if (pdfi_name_is(n, "RunLengthDecode")) {
+--
+2.43.0
+
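Review bot: A failed `gs_alloc_bytes` inside the `if (ctx->args.pdfdebug)` block now makes `pdfi_apply_filter` return `gs_error_VMerror`, so turning on debug output can change whether a file is processed at all. The buffer is used only for the `dmprintf1` trace line, so wrapping the copy, print and free in `if (str != NULL) {` and skipping the trace on allocation failure would keep debug and non-debug runs equivalent. A filter name containing an embedded NUL will also print truncated at `%s`; that is harmless but worth a one-line comment next to the print. The function body extends beyond the hunk.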
_service:tar_scm:Bug-707510-don-t-use-strlen-on-passwords.patch
Added
@@ -0,0 +1,41 @@
+From 917b3a71fb20748965254631199ad98210d6c2fb Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 25 Jan 2024 11:58:22 +0000
+Subject: PATCH 1/7 Bug 707510 - don't use strlen on passwords
+http://www.ghostscript.com/cgi-bin/findgit.cgi?917b3a71fb20748965254631199ad98210d6c2fb
+
+Item #1 of the report. This looks like an oversight when first coding
+the routine. We should use the PostScript string length, because
+PostScript strings may not be NULL terminated (and as here may contain
+internal NULL characters).
+
+Fix the R6 handler which has the same problem too.
+---
+ pdf/pdf_sec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c
+index fa7131f..841eb72 100644
+--- a/pdf/pdf_sec.c
++++ b/pdf/pdf_sec.c
+@@ -1271,7 +1271,7 @@ static int check_password_R5(pdf_context *ctx, char *Password, int PasswordLen,
+ /* If the supplied Password fails as the user *and* owner password, maybe its in
+ * the locale, not UTF-8, try converting to UTF-8
+ */
+- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P);
++ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P);
+ if (code < 0)
+ return code;
+ memcpy(P->data, Password, PasswordLen);
+@@ -1318,7 +1318,7 @@ static int check_password_R6(pdf_context *ctx, char *Password, int PasswordLen,
+ /* If the supplied Password fails as the user *and* owner password, maybe its in
+ * the locale, not UTF-8, try converting to UTF-8
+ */
+- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P);
++ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P);
+ if (code < 0)
+ return code;
+ memcpy(P->data, Password, PasswordLen);
+--
+2.43.0
+
_service:tar_scm:Bug-707510-fix-LIBIDN-usage.patch
Added
@@ -0,0 +1,44 @@
+From d99396635f3d6ac6a1168e1af21a669e5c8f695f Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 25 Jan 2024 12:16:56 +0000
+Subject: PATCH 7/7 Bug 707510 - fix LIBIDN usage
+http://www.ghostscript.com/cgi-bin/findgit.cgi?d99396635f3d6ac6a1168e1af21a669e5c8f695f
+
+This wasn't a reported fault, but it bears fixing anyway.
+
+In case of ignored errors, we need to return the input password.
+And not free the buffer if we did that....
+---
+ pdf/pdf_sec.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c
+index 841eb72..270ed32 100644
+--- a/pdf/pdf_sec.c
++++ b/pdf/pdf_sec.c
+@@ -182,8 +182,11 @@ static int apply_sasl(pdf_context *ctx, char *Password, int Len, char **NewPassw
+ * Fortunately, the stringprep error codes are sorted to make
+ * this easy: the errors we want to ignore are the ones with
+ * codes less than 100. */
+- if ((int)err < 100)
++ if ((int)err < 100) {
++ NewPassword = Password;
++ NewLen = Len;
+ return 0;
++ }
+
+ return_error(gs_error_ioerror);
+ }
+@@ -301,7 +304,8 @@ error:
+ pdfi_countdown(Key);
+ gs_free_object(ctx->memory, Test, "R5 password test");
+ #ifdef HAVE_LIBIDN
+- gs_free_object(ctx->memory, UTF8_Password, "free sasl result");
++ if (UTF8_Password != Password)
++ gs_free_object(ctx->memory, UTF8_Password, "free sasl result");
+ #endif
+ return code;
+ }
+--
+2.43.0
+
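Review bot: After this change `apply_sasl` can hand the caller's own `Password` pointer back through the `NewPassword` out-parameter, so who owns the result depends on which path was taken, yet only the one cleanup site under `error:` gets the `if (UTF8_Password != Password)` guard. Any other caller that frees the result unconditionally would release a buffer it does not own; the hunks do not show whether such callers exist, so each call site needs checking. A contract comment on `apply_sasl`, for example `/* On return NewPassword may alias Password; free it only if the pointers differ */`, would state the rule at the definition. Both functions start and end outside the hunks shown.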
_service:tar_scm:Bug-707510-review-printing-of-pointers.patch
Added
@@ -0,0 +1,335 @@
+From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 25 Jan 2024 11:53:44 +0000
+Subject: PATCH 4/7 Bug 707510 - review printing of pointers
+http://www.ghostscript.com/cgi-bin/findgit.cgi?ff1013a0ab485b66783b70145e342a82c670906a
+
+This is for item 4 of the report, which is addressed by the change in
+gdevpdtb.c. That change uses a fixed name for fonts which have no name
+instead of using the pointer to the address of the font.
+
+The remaining changes are all due to reviewing the use of PRI_INTPTR.
+In general we only use that for debugging purposes but there were a few
+places which were printing pointers arbitrarily, even in a release build.
+
+We really don't want to do that so I've modified the places which were
+printing pointer unconditionally so that they only do so if DEBUG is
+set at compile time, or a specific debug flag is set.
+---
+ base/gsfont.c | 2 +-
+ base/gsicc_cache.c | 6 +++---
+ base/gsmalloc.c | 2 +-
+ base/gxclmem.c | 3 +--
+ base/gxcpath.c | 4 ++++
+ base/gxpath.c | 6 ++++++
+ base/szlibc.c | 2 ++
+ devices/gdevupd.c | 5 +++++
+ devices/vector/gdevpdtb.c | 2 +-
+ psi/ialloc.c | 2 +-
+ psi/igc.c | 4 ++--
+ psi/igcstr.c | 4 ++--
+ psi/iinit.c | 4 ++++
+ psi/imainarg.c | 3 ++-
+ psi/isave.c | 2 +-
+ psi/iutil.c | 4 ++++
+ 16 files changed, 40 insertions(+), 15 deletions(-)
+
+diff --git a/base/gsfont.c b/base/gsfont.c
+index 8e2015b..cc9af15 100644
+--- a/base/gsfont.c
++++ b/base/gsfont.c
+@@ -791,7 +791,7 @@ gs_purge_font(gs_font * pfont)
+ else if (pdir->scaled_fonts == pfont)
+ pdir->scaled_fonts = next;
+ else { /* Shouldn't happen! */
+- lprintf1("purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
++ if_debug1m('u', pfont->memory, "purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
+ }
+
+ /* Purge the font from the scaled font cache. 
*/
+diff --git a/base/gsicc_cache.c b/base/gsicc_cache.c
+index 13eb003..8dcdb71 100644
+--- a/base/gsicc_cache.c
++++ b/base/gsicc_cache.c
+@@ -151,7 +151,7 @@ icc_linkcache_finalize(const gs_memory_t *mem, void *ptr)
+
+ while (link_cache->head != NULL) {
+ if (link_cache->head->ref_count != 0) {
+- emprintf2(mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
++ if_debug2m(gs_debug_flag_icc, mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
+ (intptr_t)link_cache->head, link_cache->head->ref_count);
+ link_cache->head->ref_count = 0; /* force removal */
+ }
+@@ -573,7 +573,7 @@ gsicc_findcachelink(gsicc_hashlink_t hash, gsicc_link_cache_t *icc_link_cache,
+ /* that was building it failed to be able to complete building it. Try this only
+ a limited number of times before we bail. */
+ if (curr->valid == false) {
+- emprintf1(curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */
++ if_debug1m(gs_debug_flag_icc, curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */
+ }
+ gx_monitor_enter(icc_link_cache->lock); /* re-enter to loop and check */
+ }
+@@ -600,7 +600,7 @@ gsicc_remove_link(gsicc_link_t *link, const gs_memory_t *memory)
+ /* NOTE: link->ref_count must be 0: assert ? 
*/
+ gx_monitor_enter(icc_link_cache->lock);
+ if (link->ref_count != 0) {
+- emprintf2(memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
++ if_debug2m(gs_debug_flag_icc, memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
+ }
+ curr = icc_link_cache->head;
+ prev = NULL;
+diff --git a/base/gsmalloc.c b/base/gsmalloc.c
+index 63c8b6b..3182b56 100644
+--- a/base/gsmalloc.c
++++ b/base/gsmalloc.c
+@@ -420,7 +420,7 @@ gs_heap_resize_string(gs_memory_t * mem, byte * data, size_t old_num, size_t new
+ client_name_t cname)
+ {
+ if (gs_heap_object_type(mem, data) != &st_bytes)
+- lprintf2("%s: resizing non-string "PRI_INTPTR"!\n",
++ if_debug2m('a', mem, "%s: resizing non-string "PRI_INTPTR"!\n",
+ client_name_string(cname), (intptr_t)data);
+ return gs_heap_resize_object(mem, data, new_num, cname);
+ }
+diff --git a/base/gxclmem.c b/base/gxclmem.c
+index 1905a43..933cb4e 100644
+--- a/base/gxclmem.c
++++ b/base/gxclmem.c
+@@ -490,8 +490,7 @@ memfile_fclose(clist_file_ptr cf, const char *fname, bool delete)
+ /* leaks if other users of the memfile don't 'fclose with delete=true */
+ if (f->openlist != NULL || ((f->base_memfile != NULL) && f->base_memfile->is_open)) {
+ /* TODO: do the cleanup rather than just giving an error */
+- emprintf1(f->memory,
+- "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
++ if_debug1(':', "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
+ (intptr_t)f);
+ return_error(gs_error_invalidfileaccess);
+ } else {
+diff --git a/base/gxcpath.c b/base/gxcpath.c
+index 437b065..a8a5504 100644
+--- a/base/gxcpath.c
++++ b/base/gxcpath.c
+@@ -175,8 +175,10 @@ gx_cpath_init_contained_shared(gx_clip_path * pcpath,
+ {
+ if (shared) {
+ if (shared->path.segments == &shared->path.local_segments) {
++#ifdef DEBUG
+ lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
+ (intptr_t)shared);
++#endif
+ return_error(gs_error_Fatal);
+ }
+ *pcpath = *shared;
+@@ -233,8 +235,10 @@ gx_cpath_init_local_shared_nested(gx_clip_path * pcpath,
+ if (shared) {
+ if ((shared->path.segments == &shared->path.local_segments) &&
+ !safely_nested) {
++#ifdef DEBUG
+ lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
+ (intptr_t)shared);
++#endif
+ return_error(gs_error_Fatal);
+ }
+ pcpath->path = shared->path;
+diff --git a/base/gxpath.c b/base/gxpath.c
+index e700729..0e9dba8 100644
+--- a/base/gxpath.c
++++ b/base/gxpath.c
+@@ -137,8 +137,10 @@ gx_path_init_contained_shared(gx_path * ppath, const gx_path * shared,
+ {
+ if (shared) {
+ if (shared->segments == &shared->local_segments) {
++#ifdef DEBUG
+ lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
+ (intptr_t)shared);
++#endif
+ return_error(gs_error_Fatal);
+ }
+ *ppath = *shared;
+@@ -172,8 +174,10 @@ gx_path_alloc_shared(const gx_path * shared, gs_memory_t * mem,
+ ppath->procs = &default_path_procs;
+ if (shared) {
+ if (shared->segments == &shared->local_segments) {
++#ifdef DEBUG
+ lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
+ (intptr_t)shared);
++#endif
+ gs_free_object(mem, ppath, cname);
+ return 0;
+ }
+@@ -203,8 +207,10 @@ gx_path_init_local_shared(gx_path * ppath, const gx_path * shared,
+ {
+ if (shared) {
+ if (shared->segments == &shared->local_segments) {
++#ifdef DEBUG
+ lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
+ (intptr_t)shared);
++#endif
+ return_error(gs_error_Fatal);
+ }
+ *ppath = *shared;
+diff --git a/base/szlibc.c b/base/szlibc.c
+index 0be3338..35a2fce 100644
+--- a/base/szlibc.c
++++ b/base/szlibc.c
+@@ -110,7 +110,9 @@ s_zlib_free(void *zmem, void *data)
+ gs_free_object(mem, data, "s_zlib_free(data)");
+ for (; ; block = block->next) {
+ if (block == 0) {
++#ifdef DEBUG
+ lprintf1("Freeing unrecorded data "PRI_INTPTR"!\n", (intptr_t)data);
++#endif
+ return;
+ }
+ if (block->data == 
data)
+diff --git a/devices/gdevupd.c b/devices/gdevupd.c
+index 7826507..12dfbc0 100644
+--- a/devices/gdevupd.c
++++ b/devices/gdevupd.c
+@@ -1040,8 +1040,13 @@ upd_print_page(gx_device_printer *pdev, gp_file *out)
+ */
+ if(!upd || B_OK4GO != (upd->flags & (B_OK4GO | B_ERROR))) {
+ #if UPD_MESSAGES & (UPD_M_ERROR | UPD_M_TOPCALLS)
++#ifdef DEBUG
+ errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n",
+ (intptr_t)udev,(intptr_t) out);
++#else
++ errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n",
++ (intptr_t)udev,(intptr_t) out);
++#endif
_service:tar_scm:fix-CVE-2024-33869-second.patch
Added
@@ -0,0 +1,49 @@
+From 77c8d6426fe91a2df8f3a37934f030ecc396cacb Mon Sep 17 00:00:00 2001
+From: zhangxingrong <zhangxingrong@uniontech.com>
+Date: Fri, 12 Jul 2024 15:09:12 +0800
+Subject: PATCH fix for CVE-2024-33869
+
+Bug 707691 part 2
+See bug thread for details
+
+This is the second part of the fix for CVE-2024-33869
+url:https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4
+---
+ base/gpmisc.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index cbc6139..186d9b7 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1089,6 +1089,27 @@ gp_validate_path_len(const gs_memory_t *mem,
+ rlen = len;
+ }
+ else {
++ char *test = (char *)path, *test1;
++ uint tlen = len, slen;
++
++ /* Look for any pipe (%pipe% or '|' specifications between path separators
++ * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
++ */
++ while (tlen > 0) {
++ if (test0 == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
++ code = gs_note_error(gs_error_invalidfileaccess);
++ goto exit;
++ }
++ test1 = test;
++ slen = search_separator((const char **)&test, path + len, test1, 1);
++ if(slen == 0)
++ break;
++ test += slen;
++ tlen -= test - test1;
++ if (test >= path + len)
++ break;
++ }
++
+ rlen = len+1;
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+--
+2.43.0
+
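Review bot: `char *test = (char *)path` drops the `const` from `path` only for the pointer to be cast back with `(const char **)&test` a few lines later, and nothing visible in the loop writes through it. Declaring `const char *test = path, *test1;` and calling `search_separator(&test, path + len, test1, 1)` removes both casts, assuming `search_separator` takes a `const char **` as the existing cast suggests. The block comment has an unclosed parenthesis and says "anywhere", while the loop appears to test only the bytes at the start of each component after a separator. Wording it as `/* Reject a '|' or %pipe that begins any path component after the first */` would match what the code checks. `gp_validate_path_len` starts and ends outside the hunk.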
_service
Changed
@@ -2,7 +2,7 @@
 <service name="tar_scm">
 <param name="scm">git</param>
 <param name="url">git@gitee.com:src-openeuler/ghostscript.git</param>
- <param name="revision">master</param>
+ <param name="revision">openEuler-24.09</param>
 <param name="exclude">*</param>
 <param name="extract">*</param>
 </service>