Toshaan Bharvani
6 months ago
8 changed files with 485 additions and 1 deletions
@ -0,0 +1,44 @@
@@ -0,0 +1,44 @@
|
||||
From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001 |
||||
From: Ken Sharp <ken.sharp@artifex.com> |
||||
Date: Fri, 24 Mar 2023 13:19:57 +0000 |
||||
Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding |
||||
|
||||
Bug #706494 "Buffer Overflow in s_xBCPE_process" |
||||
|
||||
As described in detail in the bug report, if the write buffer is filled |
||||
to one byte less than full, and we then try to write an escaped |
||||
character, we overrun the buffer because we don't check before |
||||
writing two bytes to it. |
||||
|
||||
This just checks if we have two bytes before starting to write an |
||||
escaped character and exits if we don't (replacing the consumed byte |
||||
of the input). |
||||
|
||||
Up for further discussion; why do we even permit a BCP encoding filter |
||||
anyway ? I think we should remove this, at least when SAFER is true. |
||||
--- |
||||
base/sbcp.c | 10 +++++++++- |
||||
1 file changed, 9 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/base/sbcp.c b/base/sbcp.c |
||||
index 979ae0992..47fc233ec 100644 |
||||
--- a/base/sbcp.c |
||||
+++ b/base/sbcp.c |
||||
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr, |
||||
byte ch = *++p; |
||||
|
||||
if (ch <= 31 && escaped[ch]) { |
||||
+ /* Make sure we have space to store two characters in the write buffer, |
||||
+ * if we don't then exit without consuming the input character, we'll process |
||||
+ * that on the next time round. |
||||
+ */ |
||||
+ if (pw->limit - q < 2) { |
||||
+ p--; |
||||
+ break; |
||||
+ } |
||||
if (p == rlimit) { |
||||
p--; |
||||
break; |
||||
-- |
||||
2.39.2 |
||||
|
||||
@ -0,0 +1,142 @@
@@ -0,0 +1,142 @@
|
||||
From 505eab7782b429017eb434b2b95120855f2b0e3c Mon Sep 17 00:00:00 2001 |
||||
From: Chris Liddell <chris.liddell@artifex.com> |
||||
Date: Wed, 7 Jun 2023 10:23:06 +0100 |
||||
Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission |
||||
validation |
||||
|
||||
For regular file names, we try to simplfy relative paths before we use them. |
||||
|
||||
Because the %pipe% device can, effectively, accept command line calls, we |
||||
shouldn't be simplifying that string, because the command line syntax can end |
||||
up confusing the path simplifying code. That can result in permitting a pipe |
||||
command which does not match what was originally permitted. |
||||
|
||||
Special case "%pipe" in the validation code so we always deal with the entire |
||||
string. |
||||
--- |
||||
base/gpmisc.c | 31 +++++++++++++++++++-------- |
||||
base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++------------- |
||||
2 files changed, 64 insertions(+), 23 deletions(-) |
||||
|
||||
diff --git a/base/gpmisc.c b/base/gpmisc.c |
||||
index 5f39ebba7..2fb87f769 100644 |
||||
--- a/base/gpmisc.c |
||||
+++ b/base/gpmisc.c |
||||
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem, |
||||
&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) { |
||||
prefix_len = 0; |
||||
} |
||||
- rlen = len+1; |
||||
- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); |
||||
- if (bufferfull == NULL) |
||||
- return gs_error_VMerror; |
||||
- |
||||
- buffer = bufferfull + prefix_len; |
||||
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) |
||||
- return gs_error_invalidfileaccess; |
||||
- buffer[rlen] = 0; |
||||
|
||||
+ /* "%pipe%" do not follow the normal rules for path definitions, so we |
||||
+ don't "reduce" them to avoid unexpected results |
||||
+ */ |
||||
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { |
||||
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path"); |
||||
+ if (buffer == NULL) |
||||
+ return gs_error_VMerror; |
||||
+ memcpy(buffer, path, len); |
||||
+ buffer[len] = 0; |
||||
+ rlen = len; |
||||
+ } |
||||
+ else { |
||||
+ rlen = len+1; |
||||
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); |
||||
+ if (bufferfull == NULL) |
||||
+ return gs_error_VMerror; |
||||
+ |
||||
+ buffer = bufferfull + prefix_len; |
||||
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) |
||||
+ return gs_error_invalidfileaccess; |
||||
+ buffer[rlen] = 0; |
||||
+ } |
||||
while (1) { |
||||
switch (mode[0]) |
||||
{ |
||||
diff --git a/base/gslibctx.c b/base/gslibctx.c |
||||
index eb566ed06..d2a1aa91d 100644 |
||||
--- a/base/gslibctx.c |
||||
+++ b/base/gslibctx.c |
||||
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co |
||||
return gs_error_rangecheck; |
||||
} |
||||
|
||||
- rlen = len+1; |
||||
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); |
||||
- if (buffer == NULL) |
||||
- return gs_error_VMerror; |
||||
+ /* "%pipe%" do not follow the normal rules for path definitions, so we |
||||
+ don't "reduce" them to avoid unexpected results |
||||
+ */ |
||||
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { |
||||
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len"); |
||||
+ if (buffer == NULL) |
||||
+ return gs_error_VMerror; |
||||
+ memcpy(buffer, path, len); |
||||
+ buffer[len] = 0; |
||||
+ rlen = len; |
||||
+ } |
||||
+ else { |
||||
+ rlen = len + 1; |
||||
|
||||
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) |
||||
- return gs_error_invalidfileaccess; |
||||
- buffer[rlen] = 0; |
||||
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len"); |
||||
+ if (buffer == NULL) |
||||
+ return gs_error_VMerror; |
||||
+ |
||||
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) |
||||
+ return gs_error_invalidfileaccess; |
||||
+ buffer[rlen] = 0; |
||||
+ } |
||||
|
||||
n = control->num; |
||||
for (i = 0; i < n; i++) |
||||
@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, |
||||
return gs_error_rangecheck; |
||||
} |
||||
|
||||
- rlen = len+1; |
||||
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); |
||||
- if (buffer == NULL) |
||||
- return gs_error_VMerror; |
||||
+ /* "%pipe%" do not follow the normal rules for path definitions, so we |
||||
+ don't "reduce" them to avoid unexpected results |
||||
+ */ |
||||
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { |
||||
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len"); |
||||
+ if (buffer == NULL) |
||||
+ return gs_error_VMerror; |
||||
+ memcpy(buffer, path, len); |
||||
+ buffer[len] = 0; |
||||
+ rlen = len; |
||||
+ } |
||||
+ else { |
||||
+ rlen = len+1; |
||||
|
||||
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) |
||||
- return gs_error_invalidfileaccess; |
||||
- buffer[rlen] = 0; |
||||
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len"); |
||||
+ if (buffer == NULL) |
||||
+ return gs_error_VMerror; |
||||
+ |
||||
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) |
||||
+ return gs_error_invalidfileaccess; |
||||
+ buffer[rlen] = 0; |
||||
+ } |
||||
|
||||
n = control->num; |
||||
for (i = 0; i < n; i++) { |
||||
-- |
||||
2.41.0 |
||||
|
||||
@ -0,0 +1,27 @@
@@ -0,0 +1,27 @@
|
||||
From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001 |
||||
From: Chris Liddell <chris.liddell@artifex.com> |
||||
Date: Mon, 17 Jul 2023 14:06:37 +0100 |
||||
Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from |
||||
devices/gdevpcx.c |
||||
|
||||
Bounds check the buffer, before dereferencing the pointer. |
||||
--- |
||||
base/gdevdevn.c | 2 +- |
||||
1 file changed, 1 insertion(+), 1 deletion(-) |
||||
|
||||
diff --git a/base/gdevdevn.c b/base/gdevdevn.c |
||||
index 7b14d9c71..6351fb77a 100644 |
||||
--- a/base/gdevdevn.c |
||||
+++ b/base/gdevdevn.c |
||||
@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file |
||||
byte data = *from; |
||||
|
||||
from += step; |
||||
- if (data != *from || from == end) { |
||||
+ if (from >= end || data != *from) { |
||||
if (data >= 0xc0) |
||||
gp_fputc(0xc1, file); |
||||
} else { |
||||
-- |
||||
2.41.0 |
||||
|
||||
@ -0,0 +1,21 @@
@@ -0,0 +1,21 @@
|
||||
--- a/devices/gdevijs.c |
||||
+++ b/devices/gdevijs.c |
||||
@@ -934,6 +934,9 @@ |
||||
static const char rgb[] = "DeviceRGB"; |
||||
gx_device_ijs *ijsdev = (gx_device_ijs *)dev; |
||||
|
||||
+ if (ijsdev->memory->gs_lib_ctx->core->path_control_active) |
||||
+ return_error(gs_error_invalidaccess); |
||||
+ |
||||
code = gx_default_finish_copydevice(dev, from_dev); |
||||
if(code < 0) |
||||
return code; |
||||
@@ -1363,7 +1366,7 @@ |
||||
if (code >= 0) |
||||
code = gsijs_read_string(plist, "IjsServer", |
||||
ijsdev->IjsServer, sizeof(ijsdev->IjsServer), |
||||
- dev->LockSafetyParams, is_open); |
||||
+ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open); |
||||
|
||||
if (code >= 0) |
||||
code = gsijs_read_string_malloc(plist, "DeviceManufacturer", |
||||
@ -0,0 +1,88 @@
@@ -0,0 +1,88 @@
|
||||
From 0b74b65ecc0f36d40b8d04a7fa1fa8b5f9d2b3ff Mon Sep 17 00:00:00 2001 |
||||
From: Chris Liddell <chris.liddell@artifex.com> |
||||
Date: Thu, 13 Oct 2022 14:55:28 +0100 |
||||
Subject: [PATCH] Deal with different VM modes during CIDFont loading |
||||
|
||||
To help differentiate between a substituted CIDFont and an embedded one, a |
||||
change was made to store the file path in the CIDFont dictionary. That change |
||||
failed to account for the possibility that the file object and the CIDFont |
||||
dictionary may not be in compatible VM modes. |
||||
|
||||
This adds code to ensure that the string holding the path is in a suitable VM |
||||
mode to be stored into the dictionary. |
||||
|
||||
Reported by Richard Lescak <rlescak@redhat.com> |
||||
--- |
||||
Resource/Init/gs_cidfn.ps | 23 +++++++++++++++++++---- |
||||
1 file changed, 19 insertions(+), 4 deletions(-) |
||||
|
||||
diff --git a/Resource/Init/gs_cidfn.ps b/Resource/Init/gs_cidfn.ps |
||||
index 870a2e11c..fa050ed7a 100644 |
||||
--- a/Resource/Init/gs_cidfn.ps |
||||
+++ b/Resource/Init/gs_cidfn.ps |
||||
@@ -1,4 +1,4 @@ |
||||
-% Copyright (C) 2001-2021 Artifex Software, Inc. |
||||
+% Copyright (C) 2001-2022 Artifex Software, Inc. |
||||
% All Rights Reserved. |
||||
% |
||||
% This software is provided AS-IS with no warranty, either express or |
||||
@@ -36,6 +36,17 @@ |
||||
|
||||
30 dict begin |
||||
|
||||
+/.gcompatstringcopy % <string> <global> .gcompatstringcopy <string> |
||||
+{ |
||||
+ dup 2 index gcheck eq |
||||
+ { pop } |
||||
+ { |
||||
+ currentglobal 3 1 roll setglobal |
||||
+ dup length string copy |
||||
+ exch setglobal |
||||
+ } ifelse |
||||
+} bind def |
||||
+ |
||||
% The key in .cidfonttypes is the CIDFontType value; |
||||
% the value is a procedure that takes a font name and the CIDFont dictionary |
||||
% and replaces the latter with a real font. |
||||
@@ -58,7 +69,7 @@ dup 0 { |
||||
end |
||||
} if |
||||
1 index exch .buildfont9 |
||||
- .currentresourcefile dup type /filetype eq { //.filename {1 index exch /ResourcePath exch put} if }{ pop} ifelse |
||||
+ .currentresourcefile dup type /filetype eq { //.filename {1 index gcheck //.gcompatstringcopy exec 1 index exch /ResourcePath exch put} if }{ pop} ifelse |
||||
exch pop |
||||
} put % Don't bind it here, because gs_fapi.ps redefines .buildfont9 |
||||
|
||||
@@ -138,10 +149,11 @@ dup 0 { |
||||
|
||||
% ------ CIDFontType 1 (FontType 10) ------ % |
||||
|
||||
+ |
||||
dup 1 { |
||||
10 //.checkfonttype exec pop |
||||
1 index exch .buildfont10 |
||||
- .currentresourcefile dup type /filetype eq { //.filename {1 index exch /ResourcePath exch put} if }{ pop} ifelse |
||||
+ .currentresourcefile dup type /filetype eq { //.filename {1 index gcheck //.gcompatstringcopy exec 1 index exch /ResourcePath exch put} if }{ pop} ifelse |
||||
exch pop |
||||
} put % Don't bind it here because gs_fapi.ps redefines .buildfont10 |
||||
|
||||
@@ -150,12 +162,15 @@ dup 1 { |
||||
dup 2 { |
||||
11 //.checkfonttype exec pop |
||||
1 index exch .buildfont11 |
||||
- .currentresourcefile dup type /filetype eq { //.filename {1 index exch /ResourcePath exch put} if }{ pop} ifelse |
||||
+ .currentresourcefile dup type /filetype eq { //.filename {1 index gcheck //.gcompatstringcopy exec 1 index exch /ResourcePath exch put} if }{ pop} ifelse |
||||
exch pop |
||||
} put % Don't bind it here because gs_fapi.ps redefines .buildfont11 |
||||
|
||||
+currentdict /.gcompatstringcopy .undef |
||||
+ |
||||
pop % .cidfonttypes |
||||
|
||||
+ |
||||
% ---------------- Reading CIDFontType 0 files ---------------- % |
||||
|
||||
/StartData { % <(Binary)|(Hex)> <datalength> StartData - |
||||
-- |
||||
2.37.3 |
||||
|
||||
@ -0,0 +1,22 @@
@@ -0,0 +1,22 @@
|
||||
diff -x .git -Napur ghostscript-9.27.old/contrib/japanese/gdevespg.c ghostscript-9.27.new/contrib/japanese/gdevespg.c |
||||
--- ghostscript-9.27.old/contrib/japanese/gdevespg.c 2019-04-04 00:43:14.000000000 -0700 |
||||
+++ ghostscript-9.27.new/contrib/japanese/gdevespg.c 2023-01-24 11:25:32.588189093 -0800 |
||||
@@ -273,6 +273,9 @@ |
||||
int width, height, w, h, wp, hp, bLandscape; |
||||
EpagPaperTable *pt; |
||||
|
||||
+ /* Page size match tolerance in points */ |
||||
+ #define TOL 5 |
||||
+ |
||||
width = (int)pdev->MediaSize[0]; |
||||
height = (int)pdev->MediaSize[1]; |
||||
|
||||
@@ -291,7 +294,7 @@ |
||||
} |
||||
|
||||
for (pt = epagPaperTable; pt->escpage > 0; pt++) |
||||
- if (pt->width == w && pt->height == h) |
||||
+ if (abs(w - pt->width) <= TOL && abs(h - pt->height) <= TOL) |
||||
break; |
||||
|
||||
gp_fprintf(fp, "%c%d", GS, pt->escpage); |
||||
@ -0,0 +1,106 @@
@@ -0,0 +1,106 @@
|
||||
From 346f12459aa67cdb5ff9e267c2c8cccc17f4a376 Mon Sep 17 00:00:00 2001 |
||||
From: Chris Liddell <chris.liddell@artifex.com> |
||||
Date: Wed, 15 Mar 2023 15:38:29 +0000 |
||||
Subject: [PATCH] Bug 706478: pdfwrite: Substituted TTF CIDFont CID handling |
||||
|
||||
The PS interpreter callback that handles converting a CID to a TTF GID did |
||||
not handle the case of substituted CIDFonts. |
||||
|
||||
It requires looking up the CID on the Decoding (to get a Unicode code point), |
||||
and then looking up the code point in the TTF cmap table to get the GID. |
||||
|
||||
The rendering code already handled it. |
||||
--- |
||||
psi/zfcid1.c | 73 +++++++++++++++++++++++++++++++++------------------- |
||||
1 file changed, 46 insertions(+), 27 deletions(-) |
||||
|
||||
diff --git a/psi/zfcid1.c b/psi/zfcid1.c |
||||
index fd502ff12..55de85d45 100644 |
||||
--- a/psi/zfcid1.c |
||||
+++ b/psi/zfcid1.c |
||||
@@ -77,37 +77,56 @@ |
||||
int gdbytes = pfont->cidata.common.GDBytes; |
||||
int gnum = 0; |
||||
const byte *data; |
||||
- int i, code; |
||||
+ int i, code = -1; |
||||
ref rcid; |
||||
ref *prgnum; |
||||
+ ref *p, *fdict = pfont_dict(pfont); |
||||
+ |
||||
+ if (r_has_type(fdict, t_dictionary) && dict_find_string(fdict, "Path", &p)) { |
||||
+ ref *Decoding = NULL, *TT_cmap = NULL, *SubstNWP = NULL, src_type, dst_type; |
||||
+ uint c; |
||||
+ |
||||
+ code = dict_find_string(fdict, "Decoding", &Decoding); |
||||
+ if (code > 0) |
||||
+ code = dict_find_string(fdict, "TT_cmap", &TT_cmap); |
||||
+ if (code > 0) |
||||
+ code = dict_find_string(fdict, "SubstNWP", &SubstNWP); |
||||
+ if (code > 0) { |
||||
+ code = cid_to_TT_charcode(pfont->memory, Decoding, TT_cmap, SubstNWP, cid, &c, &src_type, &dst_type); |
||||
+ if (code >= 0) |
||||
+ gnum = c; |
||||
+ } |
||||
+ } |
||||
|
||||
- switch (r_type(pcidmap)) { |
||||
- case t_string: |
||||
- if (cid >= r_size(pcidmap) / gdbytes) |
||||
- return_error(gs_error_rangecheck); |
||||
- data = pcidmap->value.const_bytes + cid * gdbytes; |
||||
- break; |
||||
- case t_integer: |
||||
- return cid + pcidmap->value.intval; |
||||
- case t_dictionary: |
||||
- make_int(&rcid, cid); |
||||
- code = dict_find(pcidmap, &rcid, &prgnum); |
||||
- if (code <= 0) |
||||
- return (code < 0 ? code : gs_note_error(gs_error_undefined)); |
||||
- if (!r_has_type(prgnum, t_integer)) |
||||
- return_error(gs_error_typecheck); |
||||
- return prgnum->value.intval; |
||||
- default: /* array type */ |
||||
- code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes, |
||||
- gdbytes, NULL, NULL, &data); |
||||
+ if (code < 0) { |
||||
+ switch (r_type(pcidmap)) { |
||||
+ case t_string: |
||||
+ if (cid >= r_size(pcidmap) / gdbytes) |
||||
+ return_error(gs_error_rangecheck); |
||||
+ data = pcidmap->value.const_bytes + cid * gdbytes; |
||||
+ break; |
||||
+ case t_integer: |
||||
+ return cid + pcidmap->value.intval; |
||||
+ case t_dictionary: |
||||
+ make_int(&rcid, cid); |
||||
+ code = dict_find(pcidmap, &rcid, &prgnum); |
||||
+ if (code <= 0) |
||||
+ return (code < 0 ? code : gs_note_error(gs_error_undefined)); |
||||
+ if (!r_has_type(prgnum, t_integer)) |
||||
+ return_error(gs_error_typecheck); |
||||
+ return prgnum->value.intval; |
||||
+ default: /* array type */ |
||||
+ code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes, |
||||
+ gdbytes, NULL, NULL, &data); |
||||
|
||||
- if (code < 0) |
||||
- return code; |
||||
- if ( code > 0 ) |
||||
- return_error(gs_error_invalidfont); |
||||
+ if (code < 0) |
||||
+ return code; |
||||
+ if ( code > 0 ) |
||||
+ return_error(gs_error_invalidfont); |
||||
+ } |
||||
+ for (i = 0; i < gdbytes; ++i) |
||||
+ gnum = (gnum << 8) + data[i]; |
||||
} |
||||
- for (i = 0; i < gdbytes; ++i) |
||||
- gnum = (gnum << 8) + data[i]; |
||||
if (gnum >= pfont->data.trueNumGlyphs) |
||||
return_error(gs_error_invalidfont); |
||||
return gnum; |
||||
-- |
||||
2.39.2 |
||||
|
||||
Loading…
Reference in new issue