!95 [sync] PR-91: fix CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511

From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
openeuler-ci-bot 2024-07-10 09:12:39 +00:00 committed by Gitee
commit be4db5736a
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
7 changed files with 622 additions and 1 deletions


@ -0,0 +1,54 @@
From 7745dbe24514710b0cfba925e608e607dee9eb0f Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 24 Jan 2024 18:25:12 +0000
Subject: [PATCH 3/6] Bug 707510(3): Bounds checks when using CIDFont related
params
Specifically, for CIDFont substitution.
---
pdf/ghostpdf.h | 1 +
pdf/pdf_font.c | 16 +++++++++++++---
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/pdf/ghostpdf.h b/pdf/ghostpdf.h
index 3cc1b8c..47c34ec 100644
--- a/pdf/ghostpdf.h
+++ b/pdf/ghostpdf.h
@@ -117,6 +117,7 @@ typedef enum pdf_warning_e {
W_PDF_INVALID_REAL,
W_PDF_DEVICEN_USES_ALL,
W_PDF_BAD_MEDIABOX,
+ W_PDF_BAD_CONFIG,
W_PDF_MAX_WARNING /* Must be last entry, add new warnings immediately before this and update pdf_warning_strings in ghostpdf.c */
} pdf_warning;
diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
index 7fa8a42..c536130 100644
--- a/pdf/pdf_font.c
+++ b/pdf/pdf_font.c
@@ -166,9 +166,19 @@ pdfi_open_CIDFont_substitute_file(pdf_context * ctx, pdf_dict *font_dict, pdf_di
code = 0;
memcpy(fontfname, fsprefix, fsprefixlen);
- memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
- fontfname[fsprefixlen + defcidfallacklen] = '\0';
-
+ if (defcidfallacklen + 1 > gp_file_name_sizeof) {
+ code = gs_note_error(gs_error_rangecheck);
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstPath parameter too long");
+ if (ctx->args.pdfstoponwarning != 0) {
+ return code;//goto exit;
+ }
+ code = 0;
+ memcpy(fontfname, fsprefix, fsprefixlen);
+ }
+ else {
+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
+ fontfname[fsprefixlen + defcidfallacklen] = '\0';
+ }
code = pdfi_open_resource_file(ctx, fontfname, strlen(fontfname), &s);
if (code >= 0) {
sfseek(s, 0, SEEK_END);
--
2.43.0
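Review bot: The new length check in pdfi_open_CIDFont_substitute_file compares only `defcidfallacklen + 1` with `gp_file_name_sizeof`, yet the else branch copies to `fontfname + fsprefixlen` and writes the terminator at `fsprefixlen + defcidfallacklen`. If fontfname is gp_file_name_sizeof bytes, as the check implies, a prefix plus a fallback name that only just passes the test can still write past the end; the test should be `if (fsprefixlen + defcidfallacklen + 1 > gp_file_name_sizeof) {`. On the warning path that continues (pdfstoponwarning unset), nothing visible in the hunk terminates fontfname before `strlen(fontfname)` on the next line, so unless the buffer is zeroed earlier in the function, add `fontfname[fsprefixlen] = '\0';` after the second memcpy. The warning text names CIDSubstPath while the length tested is that of the fallback font name, which will mislead whoever reads the log. The function body starts and ends outside the hunk.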


@ -0,0 +1,95 @@
From 3d4cfdc1a44b1969a0f14c86673a372654d443c4 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 24 Jan 2024 17:06:01 +0000
Subject: [PATCH 5/6] Bug 707510(5): Reject OCRLanguage changes after SAFER
enabled
In the devices that support OCR, OCRLanguage really ought never to be set from
PostScript, so reject attempts to change it if path_control_active is true.
---
devices/gdevocr.c | 15 ++++++++++-----
devices/gdevpdfocr.c | 15 ++++++++++-----
devices/vector/gdevpdfp.c | 15 ++++++++++-----
3 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/devices/gdevocr.c b/devices/gdevocr.c
index 88c759c..287b74b 100644
--- a/devices/gdevocr.c
+++ b/devices/gdevocr.c
@@ -187,11 +187,16 @@ ocr_put_params(gx_device *dev, gs_param_list *plist)
switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
case 0:
- len = langstr.size;
- if (len >= sizeof(pdev->language))
- len = sizeof(pdev->language)-1;
- memcpy(pdev->language, langstr.data, len);
- pdev->language[len] = 0;
+ if (pdev->memory->gs_lib_ctx->core->path_control_active) {
+ return_error(gs_error_invalidaccess);
+ }
+ else {
+ len = langstr.size;
+ if (len >= sizeof(pdev->language))
+ len = sizeof(pdev->language)-1;
+ memcpy(pdev->language, langstr.data, len);
+ pdev->language[len] = 0;
+ }
break;
case 1:
break;
diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
index 8dd5a59..4c694e3 100644
--- a/devices/gdevpdfocr.c
+++ b/devices/gdevpdfocr.c
@@ -50,11 +50,16 @@ pdfocr_put_some_params(gx_device * dev, gs_param_list * plist)
switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
case 0:
- len = langstr.size;
- if (len >= sizeof(pdf_dev->ocr.language))
- len = sizeof(pdf_dev->ocr.language)-1;
- memcpy(pdf_dev->ocr.language, langstr.data, len);
- pdf_dev->ocr.language[len] = 0;
+ if (pdf_dev->memory->gs_lib_ctx->core->path_control_active) {
+ return_error(gs_error_invalidaccess);
+ }
+ else {
+ len = langstr.size;
+ if (len >= sizeof(pdf_dev->ocr.language))
+ len = sizeof(pdf_dev->ocr.language)-1;
+ memcpy(pdf_dev->ocr.language, langstr.data, len);
+ pdf_dev->ocr.language[len] = 0;
+ }
break;
case 1:
break;
diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c
index 42fa1c5..23e9bc8 100644
--- a/devices/vector/gdevpdfp.c
+++ b/devices/vector/gdevpdfp.c
@@ -458,11 +458,16 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par
gs_param_string langstr;
switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
case 0:
- len = langstr.size;
- if (len >= sizeof(pdev->ocr_language))
- len = sizeof(pdev->ocr_language)-1;
- memcpy(pdev->ocr_language, langstr.data, len);
- pdev->ocr_language[len] = 0;
+ if (pdev->memory->gs_lib_ctx->core->path_control_active) {
+ return_error(gs_error_invalidaccess);
+ }
+ else {
+ len = langstr.size;
+ if (len >= sizeof(pdev->ocr_language))
+ len = sizeof(pdev->ocr_language)-1;
+ memcpy(pdev->ocr_language, langstr.data, len);
+ pdev->ocr_language[len] = 0;
+ }
break;
case 1:
break;
--
2.43.0
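Review bot: The path_control_active test in ocr_put_params rejects every parameter list that carries OCRLanguage once SAFER is on, including one that repeats the value already stored; the same block is repeated in pdfocr_put_some_params and gdev_pdf_put_params_impl. If callers replay the device's full parameter set after SAFER is enabled (not visible here), unrelated parameter changes would then fail with invalidaccess. Rejecting only a real change keeps the protection, e.g. `if (pdev->memory->gs_lib_ctx->core->path_control_active && (strlen(pdev->language) != langstr.size || memcmp(pdev->language, langstr.data, langstr.size) != 0))`. The early `return_error` also leaves each function from inside the switch, so anything done with `code` after the switch, which lies outside the hunks, is skipped. A comment such as `/* OCRLanguage must not be changed from PostScript once path control (SAFER) is active */` would record why the check exists.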


@ -0,0 +1,40 @@
From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:55:49 +0000
Subject: [PATCH 2/6] Bug 707510 - don't allow PDF files with bad Filters to
overflow the debug buffer
Item #2 of the report.
Allocate a buffer to hold the filter name, instead of assuming it will
fit in a fixed buffer.
Reviewed all the other PDFDEBUG cases, no others use a fixed buffer like
this.
---
pdf/pdf_file.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pdf/pdf_file.c b/pdf/pdf_file.c
index 214d448..8a53dff 100644
--- a/pdf/pdf_file.c
+++ b/pdf/pdf_file.c
@@ -767,10 +767,14 @@ static int pdfi_apply_filter(pdf_context *ctx, pdf_dict *dict, pdf_name *n, pdf_
if (ctx->args.pdfdebug)
{
- char str[100];
+ char *str;
+ str = gs_alloc_bytes(ctx->memory, n->length + 1, "temp string for debug");
+ if (str == NULL)
+ return_error(gs_error_VMerror);
memcpy(str, (const char *)n->data, n->length);
str[n->length] = '\0';
dmprintf1(ctx->memory, "FILTER NAME:%s\n", str);
+ gs_free_object(ctx->memory, str, "temp string for debug");
}
if (pdfi_name_is(n, "RunLengthDecode")) {
--
2.43.0
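Review bot: With pdfdebug set, a failed allocation for the diagnostic string in pdfi_apply_filter now returns gs_error_VMerror and abandons the filter, so turning debugging on can change the result of processing a file. The string is only printed, so the debug path could stay free of side effects by skipping the message when the allocation fails: wrap the memcpy, terminator, `dmprintf1` and `gs_free_object` lines in `if (str != NULL) { ... }` and drop the early return. pdfi_apply_filter continues outside the hunk.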


@ -0,0 +1,40 @@
From 917b3a71fb20748965254631199ad98210d6c2fb Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:58:22 +0000
Subject: [PATCH 1/6] Bug 707510 - don't use strlen on passwords
Item #1 of the report. This looks like an oversight when first coding
the routine. We should use the PostScript string length, because
PostScript strings may not be NULL terminated (and as here may contain
internal NULL characters).
Fix the R6 handler which has the same problem too.
---
pdf/pdf_sec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c
index ff60805..2bb59e1 100644
--- a/pdf/pdf_sec.c
+++ b/pdf/pdf_sec.c
@@ -1250,7 +1250,7 @@ static int check_password_R5(pdf_context *ctx, char *Password, int PasswordLen,
if (code < 0) {
pdf_string *P = NULL, *P_UTF8 = NULL;
- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P);
+ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P);
if (code < 0) {
return code;
}
@@ -1300,7 +1300,7 @@ static int check_password_R6(pdf_context *ctx, char *Password, int PasswordLen,
if (code < 0) {
pdf_string *P = NULL, *P_UTF8 = NULL;
- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P);
+ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P);
if (code < 0)
return code;
memcpy(P->data, Password, PasswordLen);
--
2.43.0
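Review bot: Neither changed line in check_password_R5 or check_password_R6 records why PasswordLen is used instead of strlen, and that reason is easy to lose in a later cleanup. A comment above each allocation, e.g. `/* Size by PasswordLen: PostScript strings may hold NUL bytes and need not be terminated */`, would keep the allocation tied to the `memcpy(P->data, Password, PasswordLen)` visible in the R6 hunk. PasswordLen is a signed `int` in both signatures; if a negative value can reach these functions (the callers are outside the hunks), it should be rejected before the allocation.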


@ -0,0 +1,43 @@
From d99396635f3d6ac6a1168e1af21a669e5c8f695f Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 12:16:56 +0000
Subject: [PATCH 6/6] Bug 707510 - fix LIBIDN usage
This wasn't a reported fault, but it bears fixing anyway.
In case of ignored errors, we need to return the input password.
And not free the buffer if we did that....
---
pdf/pdf_sec.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c
index 2bb59e1..8961bac 100644
--- a/pdf/pdf_sec.c
+++ b/pdf/pdf_sec.c
@@ -177,8 +177,11 @@ static int apply_sasl(pdf_context *ctx, char *Password, int Len, char **NewPassw
* Fortunately, the stringprep error codes are sorted to make
* this easy: the errors we want to ignore are the ones with
* codes less than 100. */
- if ((int)err < 100)
+ if ((int)err < 100) {
+ NewPassword = Password;
+ NewLen = Len;
return 0;
+ }
return_error(gs_error_ioerror);
}
@@ -296,7 +299,8 @@ error:
pdfi_countdown(Key);
gs_free_object(ctx->memory, Test, "R5 password test");
#ifdef HAVE_LIBIDN
- gs_free_object(ctx->memory, UTF8_Password, "free sasl result");
+ if (UTF8_Password != Password)
+ gs_free_object(ctx->memory, UTF8_Password, "free sasl result");
#endif
return code;
}
--
2.43.0
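Review bot: In apply_sasl the added `NewPassword = Password; NewLen = Len;` assign to the function's own parameters, and the signature in the hunk header shows NewPassword as `char **`, so the caller's pointer is never set on the ignored-error path. The caller would then keep whatever UTF8_Password held before the call, and the new `UTF8_Password != Password` guard in the second hunk would never see the two equal as a result of this path. The assignments presumably need to go through the pointers, `*NewPassword = Password;` and `*NewLen = Len;`; NewLen's declaration is cut off in the header, so confirm it is an `int *`. Both functions extend beyond the hunks.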


@ -0,0 +1,334 @@
From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:53:44 +0000
Subject: [PATCH 4/6] Bug 707510 - review printing of pointers
This is for item 4 of the report, which is addressed by the change in
gdevpdtb.c. That change uses a fixed name for fonts which have no name
instead of using the pointer to the address of the font.
The remaining changes are all due to reviewing the use of PRI_INTPTR.
In general we only use that for debugging purposes but there were a few
places which were printing pointers arbitrarily, even in a release build.
We really don't want to do that so I've modified the places which were
printing pointer unconditionally so that they only do so if DEBUG is
set at compile time, or a specific debug flag is set.
---
base/gsfont.c | 2 +-
base/gsicc_cache.c | 6 +++---
base/gsmalloc.c | 2 +-
base/gxclmem.c | 3 +--
base/gxcpath.c | 4 ++++
base/gxpath.c | 6 ++++++
base/szlibc.c | 2 ++
devices/gdevupd.c | 5 +++++
devices/vector/gdevpdtb.c | 2 +-
psi/ialloc.c | 2 +-
psi/igc.c | 4 ++--
psi/igcstr.c | 4 ++--
psi/iinit.c | 4 ++++
psi/imainarg.c | 3 ++-
psi/isave.c | 2 +-
psi/iutil.c | 4 ++++
16 files changed, 40 insertions(+), 15 deletions(-)
diff --git a/base/gsfont.c b/base/gsfont.c
index 3fcb8de..9e9863e 100644
--- a/base/gsfont.c
+++ b/base/gsfont.c
@@ -778,7 +778,7 @@ gs_purge_font(gs_font * pfont)
else if (pdir->scaled_fonts == pfont)
pdir->scaled_fonts = next;
else { /* Shouldn't happen! */
- lprintf1("purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
+ if_debug1m('u', pfont->memory, "purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
}
/* Purge the font from the scaled font cache. */
diff --git a/base/gsicc_cache.c b/base/gsicc_cache.c
index ba33206..63e0348 100644
--- a/base/gsicc_cache.c
+++ b/base/gsicc_cache.c
@@ -149,7 +149,7 @@ icc_linkcache_finalize(const gs_memory_t *mem, void *ptr)
while (link_cache->head != NULL) {
if (link_cache->head->ref_count != 0) {
- emprintf2(mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
+ if_debug2m(gs_debug_flag_icc, mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
(intptr_t)link_cache->head, link_cache->head->ref_count);
link_cache->head->ref_count = 0; /* force removal */
}
@@ -560,7 +560,7 @@ gsicc_findcachelink(gsicc_hashlink_t hash, gsicc_link_cache_t *icc_link_cache,
/* that was building it failed to be able to complete building it */
/* this is probably a fatal error. MV ??? */
if (curr->valid == false) {
- emprintf1(curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */
+ if_debug1m(gs_debug_flag_icc, curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */
}
gx_monitor_enter(icc_link_cache->lock); /* re-enter to loop and check */
}
@@ -587,7 +587,7 @@ gsicc_remove_link(gsicc_link_t *link, const gs_memory_t *memory)
/* NOTE: link->ref_count must be 0: assert ? */
gx_monitor_enter(icc_link_cache->lock);
if (link->ref_count != 0) {
- emprintf2(memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
+ if_debug2m(gs_debug_flag_icc, memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
}
curr = icc_link_cache->head;
prev = NULL;
diff --git a/base/gsmalloc.c b/base/gsmalloc.c
index e5eae62..6e4c7f2 100644
--- a/base/gsmalloc.c
+++ b/base/gsmalloc.c
@@ -419,7 +419,7 @@ gs_heap_resize_string(gs_memory_t * mem, byte * data, size_t old_num, size_t new
client_name_t cname)
{
if (gs_heap_object_type(mem, data) != &st_bytes)
- lprintf2("%s: resizing non-string "PRI_INTPTR"!\n",
+ if_debug2m('a', mem, "%s: resizing non-string "PRI_INTPTR"!\n",
client_name_string(cname), (intptr_t)data);
return gs_heap_resize_object(mem, data, new_num, cname);
}
diff --git a/base/gxclmem.c b/base/gxclmem.c
index 832d120..bc6cdd9 100644
--- a/base/gxclmem.c
+++ b/base/gxclmem.c
@@ -490,8 +490,7 @@ memfile_fclose(clist_file_ptr cf, const char *fname, bool delete)
/* leaks if other users of the memfile don't 'fclose with delete=true */
if (f->openlist != NULL || ((f->base_memfile != NULL) && f->base_memfile->is_open)) {
/* TODO: do the cleanup rather than just giving an error */
- emprintf1(f->memory,
- "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
+ if_debug1(':', "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
(intptr_t)f);
return_error(gs_error_invalidfileaccess);
} else {
diff --git a/base/gxcpath.c b/base/gxcpath.c
index 4cec26c..b8d22d7 100644
--- a/base/gxcpath.c
+++ b/base/gxcpath.c
@@ -172,8 +172,10 @@ gx_cpath_init_contained_shared(gx_clip_path * pcpath,
{
if (shared) {
if (shared->path.segments == &shared->path.local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
*pcpath = *shared;
@@ -230,8 +232,10 @@ gx_cpath_init_local_shared_nested(gx_clip_path * pcpath,
if (shared) {
if ((shared->path.segments == &shared->path.local_segments) &&
!safely_nested) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
pcpath->path = shared->path;
diff --git a/base/gxpath.c b/base/gxpath.c
index 5bbcf5d..5e9e07a 100644
--- a/base/gxpath.c
+++ b/base/gxpath.c
@@ -137,8 +137,10 @@ gx_path_init_contained_shared(gx_path * ppath, const gx_path * shared,
{
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
*ppath = *shared;
@@ -172,8 +174,10 @@ gx_path_alloc_shared(const gx_path * shared, gs_memory_t * mem,
ppath->procs = &default_path_procs;
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
gs_free_object(mem, ppath, cname);
return 0;
}
@@ -203,8 +207,10 @@ gx_path_init_local_shared(gx_path * ppath, const gx_path * shared,
{
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
*ppath = *shared;
diff --git a/base/szlibc.c b/base/szlibc.c
index 0be3338..35a2fce 100644
--- a/base/szlibc.c
+++ b/base/szlibc.c
@@ -110,7 +110,9 @@ s_zlib_free(void *zmem, void *data)
gs_free_object(mem, data, "s_zlib_free(data)");
for (; ; block = block->next) {
if (block == 0) {
+#ifdef DEBUG
lprintf1("Freeing unrecorded data "PRI_INTPTR"!\n", (intptr_t)data);
+#endif
return;
}
if (block->data == data)
diff --git a/devices/gdevupd.c b/devices/gdevupd.c
index 7952165..60d5755 100644
--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
@@ -1039,8 +1039,13 @@ upd_print_page(gx_device_printer *pdev, gp_file *out)
*/
if(!upd || B_OK4GO != (upd->flags & (B_OK4GO | B_ERROR))) {
#if UPD_MESSAGES & (UPD_M_ERROR | UPD_M_TOPCALLS)
+#ifdef DEBUG
errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n",
(intptr_t)udev,(intptr_t) out);
+#else
+ errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n",
+ (intptr_t)udev,(intptr_t) out);
+#endif
#endif
return_error(gs_error_undefined);
}
diff --git a/devices/vector/gdevpdtb.c b/devices/vector/gdevpdtb.c
index 42ef43e..075c6e7 100644
--- a/devices/vector/gdevpdtb.c
+++ b/devices/vector/gdevpdtb.c
@@ -371,7 +371,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev, pdf_base_font_t **ppbfont,
font_name.size -= SUBSET_PREFIX_SIZE;
}
} else {
- gs_sprintf(fnbuf, ".F" PRI_INTPTR, (intptr_t)copied);
+ gs_sprintf(fnbuf, "Anonymous");
font_name.data = (byte *)fnbuf;
font_name.size = strlen(fnbuf);
}
diff --git a/psi/ialloc.c b/psi/ialloc.c
index d84ec00..85e36ac 100644
--- a/psi/ialloc.c
+++ b/psi/ialloc.c
@@ -386,7 +386,7 @@ gs_free_ref_array(gs_ref_memory_t * mem, ref * parr, client_name_t cname)
size = num_refs * sizeof(ref);
break;
default:
- lprintf3("Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!",
+ if_debug3('A', "Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!",
r_type(parr), num_refs, (intptr_t)obj);
return;
}
diff --git a/psi/igc.c b/psi/igc.c
index 420a013..9a8f504 100644
--- a/psi/igc.c
+++ b/psi/igc.c
@@ -1061,7 +1061,7 @@ gc_extend_stack(gc_mark_stack * pms, gc_state_t * pstate)
if (cp == 0) { /* We were tracing outside collectible */
/* storage. This can't happen. */
- lprintf1("mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n",
+ if_debug1('6', "mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n",
(intptr_t)cptr);
gs_abort(pstate->heap);
}
@@ -1290,7 +1290,7 @@ igc_reloc_struct_ptr(const void /*obj_header_t */ *obj, gc_state_t * gcst)
if (cp != 0 && cp->cbase <= (byte *)obj && (byte *)obj <cp->ctop) {
if (back > (cp->ctop - cp->cbase) >> obj_back_shift) {
- lprintf2("Invalid back pointer %u at "PRI_INTPTR"!\n",
+ if_debug2('6', "Invalid back pointer %u at "PRI_INTPTR"!\n",
back, (intptr_t)obj);
gs_abort(NULL);
}
diff --git a/psi/igcstr.c b/psi/igcstr.c
index 4c4baf3..3ea13ae 100644
--- a/psi/igcstr.c
+++ b/psi/igcstr.c
@@ -152,7 +152,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst)
return false;
#ifdef DEBUG
if (ptr - HDR_ID_OFFSET < cp->ctop) {
- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
(intptr_t)ptr - HDR_ID_OFFSET, size, (intptr_t)cp->ctop, (intptr_t)cp->climit);
return false;
} else if (ptr + size > cp->climit) { /*
@@ -171,7 +171,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst)
while (ptr - HDR_ID_OFFSET == scp->climit && scp->outer != 0)
scp = scp->outer;
if (ptr - HDR_ID_OFFSET + size > scp->climit) {
- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
(intptr_t)ptr - HDR_ID_OFFSET, size,
(intptr_t)scp->ctop, (intptr_t)scp->climit);
return false;
diff --git a/psi/iinit.c b/psi/iinit.c
index e347129..3371979 100644
--- a/psi/iinit.c
+++ b/psi/iinit.c
@@ -395,8 +395,12 @@ zop_init(i_ctx_t *i_ctx_p)
if (def->proc != 0) {
code = def->proc(i_ctx_p);
if (code < 0) {
+#ifdef DEBUG
lprintf2("op_init proc "PRI_INTPTR" returned error %d!\n",
(intptr_t)def->proc, code);
+#else
+ lprintf("op_init proc returned error !\n");
+#endif
return code;
}
}
diff --git a/psi/imainarg.c b/psi/imainarg.c
index f5fe1f3..0be2997 100644
--- a/psi/imainarg.c
+++ b/psi/imainarg.c
@@ -229,7 +229,8 @@ gs_main_init_with_args01(gs_main_instance * minst, int argc, char *argv[])
if (gs_debug[':'] && !have_dumped_args) {
int i;
- dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ",
+ if (gs_debug_c(gs_debug_flag_init_details))
+ dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ",
(intptr_t)minst);
for (i=1; i<argc; i++)
dmprintf1(minst->heap, "%s ", argv[i]);
diff --git a/psi/isave.c b/psi/isave.c
index f0f3db0..d5f1448 100644
--- a/psi/isave.c
+++ b/psi/isave.c
@@ -487,7 +487,7 @@ alloc_save_change_in(gs_ref_memory_t *mem, const ref * pcont,
else if (r_is_struct(pcont))
cp->offset = (byte *) where - (byte *) pcont->value.pstruct;
else {
- lprintf3("Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n",
+ if_debug3('u', "Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n",
r_type(pcont), (intptr_t) pcont, (intptr_t) where);
gs_abort((const gs_memory_t *)mem);
}
diff --git a/psi/iutil.c b/psi/iutil.c
index ea582e6..63d966c 100644
--- a/psi/iutil.c
+++ b/psi/iutil.c
@@ -537,7 +537,11 @@ other:
break;
}
/* Internal operator, no name. */
+#if DEBUG
gs_sprintf(buf, "@"PRI_INTPTR, (intptr_t) op->value.opproc);
+#else
+ gs_sprintf(buf, "@anonymous_operator", (intptr_t) op->value.opproc);
+#endif
break;
}
case t_real:
--
2.43.0
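Review bot: Two of the release-build replacements keep the pointer arguments after removing the conversion from the format string: `gs_sprintf(buf, "@anonymous_operator", (intptr_t) op->value.opproc);` in psi/iutil.c and the `#else` errprintf in devices/gdevupd.c. The extra arguments are ignored at run time but trip format warnings and suggest the pointer is still printed; drop them, e.g. `gs_sprintf(buf, "@anonymous_operator");`. The iutil.c hunk also tests `#if DEBUG` where every other hunk in this patch uses `#ifdef DEBUG`; use `#ifdef DEBUG` for consistency. In psi/iinit.c the non-debug message drops the error code as well as the pointer; `lprintf1("op_init proc returned error %d!\n", code);` would keep the part that is safe and useful to print.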


@ -9,7 +9,7 @@
Name: ghostscript
Version: 9.55.0
Release: 9
Release: 10
Summary: An interpreter for PostScript and PDF files
License: AGPLv3+
URL: https://ghostscript.com/
@ -28,6 +28,15 @@ Patch9: fix-CVE-2024-29510.patch
Patch10: fix-CVE-2024-33869.patch
Patch11: fix-CVE-2024-33870.patch
# https://bugs.ghostscript.com/show_bug.cgi?id=707510
# CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511
Patch12: Bug-707510-don-t-use-strlen-on-passwords.patch
Patch13: Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
Patch14: Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
Patch15: Bug-707510-review-printing-of-pointers.patch
Patch16: Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch
Patch17: Bug-707510-fix-LIBIDN-usage.patch
BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
BuildRequires: google-droid-sans-fonts urw-base35-fonts-devel
@ -187,6 +196,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf
%changelog
* Thu Jul 04 2024 zhangxianting <zhangxianting@uniontech.com> - 9.55.0-10
- Type:CVE
- ID:NA
- SUG:NA
- DECS: fix CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511
* Sun May 26 2024 xuchenchen <xuchenchen@kylinos.cn> - 9.55.0-9
- Type:CVE
- ID:NA