powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1203 Commits
1 Branch
0 Tags
390 MiB
 
 
 
 
 
 
Tree: b9839bbae0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b9839bbae0'
${ noResults }
base/SOURCES/ghostscript-cve-2018-19134....

153 lines
5.8 KiB
Raw Blame History

From 693baf02152119af6e6afd30bb8ec76d14f84bbf Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Thu, 8 Nov 2018 14:43:32 +0000
Subject: [PATCH] PS interpreter - check the Implementation of a Pattern before
use
Bug #700141 "Type confusion in setpattern"
As the bug thread says, we were not checking that the Implementation
of a pattern dictionary was a structure type, leading to a crash when
we tried to treat it as one.
Here we make the st_pattern1_instance and st_pattern2_instance
structures public definitions and in zsetcolor we check the object
stored under the Implementation key in the supplied dictionary to see if
its a t_struct or t_astruct type, and if it is that its a
st_pattern1_instance or st_pattern2_instance structure.
If either check fails we throw a typecheck error.
We need to make the st_pattern1_instance and st_pattern2_instance
definitions public as they are defined in the graphics library and we
need to check in the interpreter.
---
base/gsptype1.c | 2 +-
base/gsptype2.c | 6 +++---
base/gsptype2.h | 4 ++--
base/gxcolor2.h | 4 ++--
psi/zcolor.c | 11 ++++++++---
5 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/base/gsptype1.c b/base/gsptype1.c
index 27fdd5a..e98dde1 100644
--- a/base/gsptype1.c
+++ b/base/gsptype1.c
@@ -50,7 +50,7 @@
/* GC descriptors */
private_st_pattern1_template();
-private_st_pattern1_instance();
+public_st_pattern1_instance();
/* GC procedures */
static ENUM_PTRS_BEGIN(pattern1_instance_enum_ptrs) {
diff --git a/base/gsptype2.c b/base/gsptype2.c
index 791e538..c53eb2e 100644
--- a/base/gsptype2.c
+++ b/base/gsptype2.c
@@ -33,7 +33,7 @@
/* GC descriptors */
private_st_pattern2_template();
-private_st_pattern2_instance();
+public_st_pattern2_instance();
/* GC procedures */
static ENUM_PTRS_BEGIN(pattern2_instance_enum_ptrs) {
@@ -206,10 +206,10 @@ gs_pattern2_set_color(const gs_client_color * pcc, gs_gstate * pgs)
pinst->saved->overprint_mode = pgs->overprint_mode;
pinst->saved->overprint = pgs->overprint;
-
+
num_comps = pgs->device->color_info.num_components;
for (k = 0; k < num_comps; k++) {
- pgs->color_component_map.color_map[k] =
+ pgs->color_component_map.color_map[k] =
pinst->saved->color_component_map.color_map[k];
}
code = pcs->type->set_overprint(pcs, pgs);
diff --git a/base/gsptype2.h b/base/gsptype2.h
index f0f26d1..4186201 100644
--- a/base/gsptype2.h
+++ b/base/gsptype2.h
@@ -57,8 +57,8 @@ typedef struct gs_pattern2_instance_s {
bool shfill;
} gs_pattern2_instance_t;
-#define private_st_pattern2_instance() /* in gsptype2.c */\
- gs_private_st_composite(st_pattern2_instance, gs_pattern2_instance_t,\
+#define public_st_pattern2_instance() /* in gsptype2.c */\
+ gs_public_st_composite(st_pattern2_instance, gs_pattern2_instance_t,\
"gs_pattern2_instance_t", pattern2_instance_enum_ptrs,\
pattern2_instance_reloc_ptrs)
diff --git a/base/gxcolor2.h b/base/gxcolor2.h
index 62ec05e..d5b1095 100644
--- a/base/gxcolor2.h
+++ b/base/gxcolor2.h
@@ -92,8 +92,8 @@ struct gs_pattern1_instance_s {
gx_bitmap_id id; /* key for cached bitmap (= id of mask) */
};
-#define private_st_pattern1_instance() /* in gsptype1.c */\
- gs_private_st_composite(st_pattern1_instance, gs_pattern1_instance_t,\
+#define public_st_pattern1_instance() /* in gsptype1.c */\
+ gs_public_st_composite(st_pattern1_instance, gs_pattern1_instance_t,\
"gs_pattern1_instance_t", pattern1_instance_enum_ptrs,\
pattern1_instance_reloc_ptrs)
diff --git a/psi/zcolor.c b/psi/zcolor.c
index 7a00d4e..fe81e79 100644
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -65,6 +65,8 @@ static const float default_0_1[] = {0, 1, 0, 1, 0, 1, 0, 1};
/* imported from gsht.c */
extern void gx_set_effective_transfer(gs_gstate *);
+extern_st(st_pattern1_instance);
+extern_st(st_pattern2_instance);
/* Essential forward declarations */
static int validate_spaces(i_ctx_t *i_ctx_p, ref *arr, int *depth);
@@ -289,6 +291,9 @@ zsetcolor(i_ctx_t * i_ctx_p)
code = array_get(imemory, pImpl, 0, &pPatInst);
if (code < 0)
return code;
+ if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
+ return_error(gs_error_typecheck);
+
cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
n_numeric_comps = ( pattern_instance_uses_base_space(cc.pattern)
? n_comps - 1
@@ -4421,7 +4426,7 @@ static int setindexedspace(i_ctx_t * i_ctx_p, ref *r, int *stage, int *cont, int
/* If we have a named color profile and the base space is DeviceN or
Separation use a different set of procedures to ensure the named
color remapping code is used */
- if (igs->icc_manager->device_named != NULL &&
+ if (igs->icc_manager->device_named != NULL &&
(base_type == gs_color_space_index_Separation ||
base_type == gs_color_space_index_DeviceN))
pcs = gs_cspace_alloc(imemory, &gs_color_space_type_Indexed_Named);
@@ -5573,7 +5578,7 @@ static int iccompareproc(i_ctx_t *i_ctx_p, ref *space, ref *testspace)
return 0;
/* As a quick check see if current is same as new */
- if (ICCdict1.value.bytes == ICCdict2.value.bytes)
+ if (ICCdict1.value.bytes == ICCdict2.value.bytes)
return 1;
/* Need to check all the various parts */
@@ -5593,7 +5598,7 @@ static int iccompareproc(i_ctx_t *i_ctx_p, ref *space, ref *testspace)
code2 = dict_find_string(&ICCdict2, "DataSource", &tempref2);
if (code2 <= 0)
return 0;
- if (r_size(tempref1) != r_size(tempref2))
+ if (r_size(tempref1) != r_size(tempref2))
return 0;
buff_size = r_size(tempref1);
--
2.17.2