fix CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511

(cherry picked from commit 6a34364e0a141b71f487687411b7ec62203903e4)
zhangxianting 2024-06-27 15:09:46 +08:00 committed by openeuler-sync-bot
parent c37c3ddf2e
commit f47c6e77aa
7 changed files with 666 additions and 1 deletions


@ -0,0 +1,92 @@
From 7745dbe24514710b0cfba925e608e607dee9eb0f Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 24 Jan 2024 18:25:12 +0000
Subject: [PATCH 3/6] Bug 707510(3): Bounds checks when using CIDFont related
params
Specifically, for CIDFont substitution.
---
pdf/pdf_font.c | 45 +++++++++++++++++++++++++++++++++++++++------
pdf/pdf_warnings.h | 2 +-
2 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
index fa71605..89c13ab 100644
--- a/pdf/pdf_font.c
+++ b/pdf/pdf_font.c
@@ -228,22 +228,55 @@ pdfi_open_CIDFont_substitute_file(pdf_context * ctx, pdf_dict *font_dict, pdf_di
memcpy(fontfname, fsprefix, fsprefixlen);
}
else {
- memcpy(fontfname, ctx->args.cidsubstpath.data, ctx->args.cidsubstpath.size);
- fsprefixlen = ctx->args.cidsubstpath.size;
+ if (ctx->args.cidsubstpath.size + 1 > gp_file_name_sizeof) {
+ code = gs_note_error(gs_error_rangecheck);
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstPath parameter too long");
+ if (ctx->args.pdfstoponwarning != 0) {
+ goto exit;
+ }
+ code = 0;
+ memcpy(fontfname, fsprefix, fsprefixlen);
+ }
+ else {
+ memcpy(fontfname, ctx->args.cidsubstpath.data, ctx->args.cidsubstpath.size);
+ fsprefixlen = ctx->args.cidsubstpath.size;
+ }
}
if (ctx->args.cidsubstfont.data == NULL) {
int len = 0;
- if (gp_getenv("CIDSUBSTFONT", (char *)0, &len) < 0 && len + fsprefixlen + 1 < gp_file_name_sizeof) {
- (void)gp_getenv("CIDSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
+ if (gp_getenv("CIDSUBSTFONT", (char *)0, &len) < 0) {
+ if (len + fsprefixlen + 1 > gp_file_name_sizeof) {
+ code = gs_note_error(gs_error_rangecheck);
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSUBSTFONT environment variable too long");
+ if (ctx->args.pdfstoponwarning != 0) {
+ goto exit;
+ }
+ code = 0;
+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
+ }
+ else {
+ (void)gp_getenv("CIDSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
+ }
}
else {
memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
}
}
else {
- memcpy(fontfname, ctx->args.cidsubstfont.data, ctx->args.cidsubstfont.size);
- defcidfallacklen = ctx->args.cidsubstfont.size;
+ if (ctx->args.cidsubstfont.size > gp_file_name_sizeof - 1) {
+ code = gs_note_error(gs_error_rangecheck);
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstFont parameter too long");
+ if (ctx->args.pdfstoponwarning != 0) {
+ goto exit;
+ }
+ code = 0;
+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
+ }
+ else {
+ memcpy(fontfname, ctx->args.cidsubstfont.data, ctx->args.cidsubstfont.size);
+ defcidfallacklen = ctx->args.cidsubstfont.size;
+ }
}
fontfname[fsprefixlen + defcidfallacklen] = '\0';
diff --git a/pdf/pdf_warnings.h b/pdf/pdf_warnings.h
index 21b2403..bfbc3a7 100644
--- a/pdf/pdf_warnings.h
+++ b/pdf/pdf_warnings.h
@@ -58,5 +58,5 @@ PARAM(W_PDF_CA_OUTOFRANGE, "CA or ca value not in range 0.0 to 1.0, cla
PARAM(W_PDF_INVALID_DEFAULTSPACE, "Invalid DefaultGray, DefaultRGB or DefaultCMYK space specified, ignored."),
PARAM(W_PDF_INVALID_DECRYPT_LEN, "Invalid /Length supplied in Encryption dictionary."),
PARAM(W_PDF_INVALID_FONT_BASEENC, "Ignoring invalid BaseEncoding name in font"),
-
+PARAM(W_PDF_BAD_CONFIG, "A configuration or command line parameter was invalid or incorrect."),
#undef PARAM
--
2.43.0
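Review bot: The new CIDSubstFont check in the last `else` branch of the pdf/pdf_font.c hunk compares only `ctx->args.cidsubstfont.size` with `gp_file_name_sizeof - 1`, but the terminator on the hunk's last line is written at `fontfname[fsprefixlen + defcidfallacklen]`, so a non-zero `fsprefixlen` can still push that index past the limit. The accepted branch also copies the name to offset 0 of `fontfname` rather than after the prefix, so the bytes between the end of the copy and the terminator may not hold the intended path. Either include the prefix in the test, `if (ctx->args.cidsubstfont.size + fsprefixlen > gp_file_name_sizeof - 1) {`, or set `fsprefixlen = 0;` when the parameter replaces the whole path; which of the two is intended is not clear from the hunk. `fontfname` is declared outside the hunk, so its size is assumed to be `gp_file_name_sizeof`.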


@ -0,0 +1,95 @@
From 3d4cfdc1a44b1969a0f14c86673a372654d443c4 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 24 Jan 2024 17:06:01 +0000
Subject: [PATCH 5/6] Bug 707510(5): Reject OCRLanguage changes after SAFER
enabled
In the devices that support OCR, OCRLanguage really ought never to be set from
PostScript, so reject attempts to change it if path_control_active is true.
---
devices/gdevocr.c | 15 ++++++++++-----
devices/gdevpdfocr.c | 15 ++++++++++-----
devices/vector/gdevpdfp.c | 15 ++++++++++-----
3 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/devices/gdevocr.c b/devices/gdevocr.c
index 88c759c..287b74b 100644
--- a/devices/gdevocr.c
+++ b/devices/gdevocr.c
@@ -187,11 +187,16 @@ ocr_put_params(gx_device *dev, gs_param_list *plist)
switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
case 0:
- len = langstr.size;
- if (len >= sizeof(pdev->language))
- len = sizeof(pdev->language)-1;
- memcpy(pdev->language, langstr.data, len);
- pdev->language[len] = 0;
+ if (pdev->memory->gs_lib_ctx->core->path_control_active) {
+ return_error(gs_error_invalidaccess);
+ }
+ else {
+ len = langstr.size;
+ if (len >= sizeof(pdev->language))
+ len = sizeof(pdev->language)-1;
+ memcpy(pdev->language, langstr.data, len);
+ pdev->language[len] = 0;
+ }
break;
case 1:
break;
diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
index ff60c12..0f3478a 100644
--- a/devices/gdevpdfocr.c
+++ b/devices/gdevpdfocr.c
@@ -50,11 +50,16 @@ pdfocr_put_some_params(gx_device * dev, gs_param_list * plist)
switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
case 0:
- len = langstr.size;
- if (len >= sizeof(pdf_dev->ocr.language))
- len = sizeof(pdf_dev->ocr.language)-1;
- memcpy(pdf_dev->ocr.language, langstr.data, len);
- pdf_dev->ocr.language[len] = 0;
+ if (pdf_dev->memory->gs_lib_ctx->core->path_control_active) {
+ return_error(gs_error_invalidaccess);
+ }
+ else {
+ len = langstr.size;
+ if (len >= sizeof(pdf_dev->ocr.language))
+ len = sizeof(pdf_dev->ocr.language)-1;
+ memcpy(pdf_dev->ocr.language, langstr.data, len);
+ pdf_dev->ocr.language[len] = 0;
+ }
break;
case 1:
break;
diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c
index 42fa1c5..23e9bc8 100644
--- a/devices/vector/gdevpdfp.c
+++ b/devices/vector/gdevpdfp.c
@@ -458,11 +458,16 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par
gs_param_string langstr;
switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
case 0:
- len = langstr.size;
- if (len >= sizeof(pdev->ocr_language))
- len = sizeof(pdev->ocr_language)-1;
- memcpy(pdev->ocr_language, langstr.data, len);
- pdev->ocr_language[len] = 0;
+ if (pdev->memory->gs_lib_ctx->core->path_control_active) {
+ return_error(gs_error_invalidaccess);
+ }
+ else {
+ len = langstr.size;
+ if (len >= sizeof(pdev->ocr_language))
+ len = sizeof(pdev->ocr_language)-1;
+ memcpy(pdev->ocr_language, langstr.data, len);
+ pdev->ocr_language[len] = 0;
+ }
break;
case 1:
break;
--
2.43.0
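Review bot: The `path_control_active` test in the `case 0:` branch of ocr_put_params rejects any parameter list that carries OCRLanguage, including one that carries the value already stored, while the description only asks to reject changes. If callers re-send the current device parameters after SAFER is enabled (not visible here), they would now get `gs_error_invalidaccess`. Comparing first would limit the rejection to real changes, e.g. `if (strlen(pdev->language) != langstr.size || memcmp(pdev->language, langstr.data, langstr.size) != 0) return_error(gs_error_invalidaccess);`. The same applies to the hunks in devices/gdevpdfocr.c and devices/vector/gdevpdfp.c with their own field names. The enclosing functions start and end outside the hunks.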


@ -0,0 +1,40 @@
From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:55:49 +0000
Subject: [PATCH 2/6] Bug 707510 - don't allow PDF files with bad Filters to
overflow the debug buffer
Item #2 of the report.
Allocate a buffer to hold the filter name, instead of assuming it will
fit in a fixed buffer.
Reviewed all the other PDFDEBUG cases, no others use a fixed buffer like
this.
---
pdf/pdf_file.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pdf/pdf_file.c b/pdf/pdf_file.c
index 5698866..89298f0 100644
--- a/pdf/pdf_file.c
+++ b/pdf/pdf_file.c
@@ -773,10 +773,14 @@ static int pdfi_apply_filter(pdf_context *ctx, pdf_dict *dict, pdf_name *n, pdf_
if (ctx->args.pdfdebug)
{
- char str[100];
+ char *str;
+ str = gs_alloc_bytes(ctx->memory, n->length + 1, "temp string for debug");
+ if (str == NULL)
+ return_error(gs_error_VMerror);
memcpy(str, (const char *)n->data, n->length);
str[n->length] = '\0';
dmprintf1(ctx->memory, "FILTER NAME:%s\n", str);
+ gs_free_object(ctx->memory, str, "temp string for debug");
}
if (pdfi_name_is(n, "RunLengthDecode")) {
--
2.43.0
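Review bot: The heap allocation added in the `ctx->args.pdfdebug` branch of pdfi_apply_filter has no comment saying why the fixed `char str[100]` was replaced, so a later cleanup could easily put a stack buffer back. A one-line comment above the allocation would record the reason, for example `/* n->length comes from the PDF being read, so size the buffer from it rather than using a fixed array */`. The function continues outside the hunk.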


@ -0,0 +1,40 @@
From 917b3a71fb20748965254631199ad98210d6c2fb Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:58:22 +0000
Subject: [PATCH 1/6] Bug 707510 - don't use strlen on passwords
Item #1 of the report. This looks like an oversight when first coding
the routine. We should use the PostScript string length, because
PostScript strings may not be NULL terminated (and as here may contain
internal NULL characters).
Fix the R6 handler which has the same problem too.
---
pdf/pdf_sec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c
index fa7131f..841eb72 100644
--- a/pdf/pdf_sec.c
+++ b/pdf/pdf_sec.c
@@ -1271,7 +1271,7 @@ static int check_password_R5(pdf_context *ctx, char *Password, int PasswordLen,
/* If the supplied Password fails as the user *and* owner password, maybe its in
* the locale, not UTF-8, try converting to UTF-8
*/
- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P);
+ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P);
if (code < 0)
return code;
memcpy(P->data, Password, PasswordLen);
@@ -1318,7 +1318,7 @@ static int check_password_R6(pdf_context *ctx, char *Password, int PasswordLen,
/* If the supplied Password fails as the user *and* owner password, maybe its in
* the locale, not UTF-8, try converting to UTF-8
*/
- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P);
+ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P);
if (code < 0)
return code;
memcpy(P->data, Password, PasswordLen);
--
2.43.0


@ -0,0 +1,43 @@
From d99396635f3d6ac6a1168e1af21a669e5c8f695f Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 12:16:56 +0000
Subject: [PATCH 6/6] Bug 707510 - fix LIBIDN usage
This wasn't a reported fault, but it bears fixing anyway.
In case of ignored errors, we need to return the input password.
And not free the buffer if we did that....
---
pdf/pdf_sec.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c
index 841eb72..270ed32 100644
--- a/pdf/pdf_sec.c
+++ b/pdf/pdf_sec.c
@@ -182,8 +182,11 @@ static int apply_sasl(pdf_context *ctx, char *Password, int Len, char **NewPassw
* Fortunately, the stringprep error codes are sorted to make
* this easy: the errors we want to ignore are the ones with
* codes less than 100. */
- if ((int)err < 100)
+ if ((int)err < 100) {
+ NewPassword = Password;
+ NewLen = Len;
return 0;
+ }
return_error(gs_error_ioerror);
}
@@ -301,7 +304,8 @@ error:
pdfi_countdown(Key);
gs_free_object(ctx->memory, Test, "R5 password test");
#ifdef HAVE_LIBIDN
- gs_free_object(ctx->memory, UTF8_Password, "free sasl result");
+ if (UTF8_Password != Password)
+ gs_free_object(ctx->memory, UTF8_Password, "free sasl result");
#endif
return code;
}
--
2.43.0
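Review bot: The two added assignments in apply_sasl, `NewPassword = Password;` and `NewLen = Len;`, write to the function's own parameters, so the caller never receives the input password. The hunk header shows `NewPassword` as `char **` (the declaration of `NewLen` is cut off, presumably `int *`), so the out-parameters need dereferencing: `*NewPassword = Password;` and `*NewLen = Len;`. As written, the `UTF8_Password != Password` guard added in the second hunk cannot match through this path, and the caller keeps whatever value `UTF8_Password` held before the call. Both functions extend beyond the hunks.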


@ -0,0 +1,334 @@
From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:53:44 +0000
Subject: [PATCH 4/6] Bug 707510 - review printing of pointers
This is for item 4 of the report, which is addressed by the change in
gdevpdtb.c. That change uses a fixed name for fonts which have no name
instead of using the pointer to the address of the font.
The remaining changes are all due to reviewing the use of PRI_INTPTR.
In general we only use that for debugging purposes but there were a few
places which were printing pointers arbitrarily, even in a release build.
We really don't want to do that so I've modified the places which were
printing pointer unconditionally so that they only do so if DEBUG is
set at compile time, or a specific debug flag is set.
---
base/gsfont.c | 2 +-
base/gsicc_cache.c | 6 +++---
base/gsmalloc.c | 2 +-
base/gxclmem.c | 3 +--
base/gxcpath.c | 4 ++++
base/gxpath.c | 6 ++++++
base/szlibc.c | 2 ++
devices/gdevupd.c | 5 +++++
devices/vector/gdevpdtb.c | 2 +-
psi/ialloc.c | 2 +-
psi/igc.c | 4 ++--
psi/igcstr.c | 4 ++--
psi/iinit.c | 4 ++++
psi/imainarg.c | 3 ++-
psi/isave.c | 2 +-
psi/iutil.c | 4 ++++
16 files changed, 40 insertions(+), 15 deletions(-)
diff --git a/base/gsfont.c b/base/gsfont.c
index 8e2015b..cc9af15 100644
--- a/base/gsfont.c
+++ b/base/gsfont.c
@@ -791,7 +791,7 @@ gs_purge_font(gs_font * pfont)
else if (pdir->scaled_fonts == pfont)
pdir->scaled_fonts = next;
else { /* Shouldn't happen! */
- lprintf1("purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
+ if_debug1m('u', pfont->memory, "purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
}
/* Purge the font from the scaled font cache. */
diff --git a/base/gsicc_cache.c b/base/gsicc_cache.c
index 13eb003..8dcdb71 100644
--- a/base/gsicc_cache.c
+++ b/base/gsicc_cache.c
@@ -151,7 +151,7 @@ icc_linkcache_finalize(const gs_memory_t *mem, void *ptr)
while (link_cache->head != NULL) {
if (link_cache->head->ref_count != 0) {
- emprintf2(mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
+ if_debug2m(gs_debug_flag_icc, mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
(intptr_t)link_cache->head, link_cache->head->ref_count);
link_cache->head->ref_count = 0; /* force removal */
}
@@ -573,7 +573,7 @@ gsicc_findcachelink(gsicc_hashlink_t hash, gsicc_link_cache_t *icc_link_cache,
/* that was building it failed to be able to complete building it. Try this only
a limited number of times before we bail. */
if (curr->valid == false) {
- emprintf1(curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */
+ if_debug1m(gs_debug_flag_icc, curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */
}
gx_monitor_enter(icc_link_cache->lock); /* re-enter to loop and check */
}
@@ -600,7 +600,7 @@ gsicc_remove_link(gsicc_link_t *link, const gs_memory_t *memory)
/* NOTE: link->ref_count must be 0: assert ? */
gx_monitor_enter(icc_link_cache->lock);
if (link->ref_count != 0) {
- emprintf2(memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
+ if_debug2m(gs_debug_flag_icc, memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
}
curr = icc_link_cache->head;
prev = NULL;
diff --git a/base/gsmalloc.c b/base/gsmalloc.c
index 63c8b6b..3182b56 100644
--- a/base/gsmalloc.c
+++ b/base/gsmalloc.c
@@ -420,7 +420,7 @@ gs_heap_resize_string(gs_memory_t * mem, byte * data, size_t old_num, size_t new
client_name_t cname)
{
if (gs_heap_object_type(mem, data) != &st_bytes)
- lprintf2("%s: resizing non-string "PRI_INTPTR"!\n",
+ if_debug2m('a', mem, "%s: resizing non-string "PRI_INTPTR"!\n",
client_name_string(cname), (intptr_t)data);
return gs_heap_resize_object(mem, data, new_num, cname);
}
diff --git a/base/gxclmem.c b/base/gxclmem.c
index 1905a43..933cb4e 100644
--- a/base/gxclmem.c
+++ b/base/gxclmem.c
@@ -490,8 +490,7 @@ memfile_fclose(clist_file_ptr cf, const char *fname, bool delete)
/* leaks if other users of the memfile don't 'fclose with delete=true */
if (f->openlist != NULL || ((f->base_memfile != NULL) && f->base_memfile->is_open)) {
/* TODO: do the cleanup rather than just giving an error */
- emprintf1(f->memory,
- "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
+ if_debug1(':', "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
(intptr_t)f);
return_error(gs_error_invalidfileaccess);
} else {
diff --git a/base/gxcpath.c b/base/gxcpath.c
index 437b065..a8a5504 100644
--- a/base/gxcpath.c
+++ b/base/gxcpath.c
@@ -175,8 +175,10 @@ gx_cpath_init_contained_shared(gx_clip_path * pcpath,
{
if (shared) {
if (shared->path.segments == &shared->path.local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
*pcpath = *shared;
@@ -233,8 +235,10 @@ gx_cpath_init_local_shared_nested(gx_clip_path * pcpath,
if (shared) {
if ((shared->path.segments == &shared->path.local_segments) &&
!safely_nested) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
pcpath->path = shared->path;
diff --git a/base/gxpath.c b/base/gxpath.c
index e700729..0e9dba8 100644
--- a/base/gxpath.c
+++ b/base/gxpath.c
@@ -137,8 +137,10 @@ gx_path_init_contained_shared(gx_path * ppath, const gx_path * shared,
{
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
*ppath = *shared;
@@ -172,8 +174,10 @@ gx_path_alloc_shared(const gx_path * shared, gs_memory_t * mem,
ppath->procs = &default_path_procs;
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
gs_free_object(mem, ppath, cname);
return 0;
}
@@ -203,8 +207,10 @@ gx_path_init_local_shared(gx_path * ppath, const gx_path * shared,
{
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
(intptr_t)shared);
+#endif
return_error(gs_error_Fatal);
}
*ppath = *shared;
diff --git a/base/szlibc.c b/base/szlibc.c
index 0be3338..35a2fce 100644
--- a/base/szlibc.c
+++ b/base/szlibc.c
@@ -110,7 +110,9 @@ s_zlib_free(void *zmem, void *data)
gs_free_object(mem, data, "s_zlib_free(data)");
for (; ; block = block->next) {
if (block == 0) {
+#ifdef DEBUG
lprintf1("Freeing unrecorded data "PRI_INTPTR"!\n", (intptr_t)data);
+#endif
return;
}
if (block->data == data)
diff --git a/devices/gdevupd.c b/devices/gdevupd.c
index 7826507..12dfbc0 100644
--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
@@ -1040,8 +1040,13 @@ upd_print_page(gx_device_printer *pdev, gp_file *out)
*/
if(!upd || B_OK4GO != (upd->flags & (B_OK4GO | B_ERROR))) {
#if UPD_MESSAGES & (UPD_M_ERROR | UPD_M_TOPCALLS)
+#ifdef DEBUG
errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n",
(intptr_t)udev,(intptr_t) out);
+#else
+ errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n",
+ (intptr_t)udev,(intptr_t) out);
+#endif
#endif
return_error(gs_error_undefined);
}
diff --git a/devices/vector/gdevpdtb.c b/devices/vector/gdevpdtb.c
index 5c8fb8d..aacbca2 100644
--- a/devices/vector/gdevpdtb.c
+++ b/devices/vector/gdevpdtb.c
@@ -371,7 +371,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev, pdf_base_font_t **ppbfont,
font_name.size -= SUBSET_PREFIX_SIZE;
}
} else {
- gs_snprintf(fnbuf, sizeof(fnbuf), ".F" PRI_INTPTR, (intptr_t)copied);
+ gs_snprintf(fnbuf, sizeof(fnbuf), "Anonymous");
font_name.data = (byte *)fnbuf;
font_name.size = strlen(fnbuf);
}
diff --git a/psi/ialloc.c b/psi/ialloc.c
index d84ec00..85e36ac 100644
--- a/psi/ialloc.c
+++ b/psi/ialloc.c
@@ -386,7 +386,7 @@ gs_free_ref_array(gs_ref_memory_t * mem, ref * parr, client_name_t cname)
size = num_refs * sizeof(ref);
break;
default:
- lprintf3("Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!",
+ if_debug3('A', "Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!",
r_type(parr), num_refs, (intptr_t)obj);
return;
}
diff --git a/psi/igc.c b/psi/igc.c
index 373cdcc..137783c 100644
--- a/psi/igc.c
+++ b/psi/igc.c
@@ -1062,7 +1062,7 @@ gc_extend_stack(gc_mark_stack * pms, gc_state_t * pstate)
if (cp == 0) { /* We were tracing outside collectible */
/* storage. This can't happen. */
- lprintf1("mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n",
+ if_debug1('6', "mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n",
(intptr_t)cptr);
gs_abort(pstate->heap);
}
@@ -1291,7 +1291,7 @@ igc_reloc_struct_ptr(const void /*obj_header_t */ *obj, gc_state_t * gcst)
if (cp != 0 && cp->cbase <= (byte *)obj && (byte *)obj <cp->ctop) {
if (back > (cp->ctop - cp->cbase) >> obj_back_shift) {
- lprintf2("Invalid back pointer %u at "PRI_INTPTR"!\n",
+ if_debug2('6', "Invalid back pointer %u at "PRI_INTPTR"!\n",
back, (intptr_t)obj);
gs_abort(NULL);
}
diff --git a/psi/igcstr.c b/psi/igcstr.c
index 0e10f74..1bc7e7a 100644
--- a/psi/igcstr.c
+++ b/psi/igcstr.c
@@ -152,7 +152,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst)
return false;
#ifdef DEBUG
if (ptr < cp->ctop) {
- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
(intptr_t)ptr, size, (intptr_t)cp->ctop, (intptr_t)cp->climit);
return false;
} else if (ptr + size > cp->climit) { /*
@@ -171,7 +171,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst)
while (ptr == scp->climit && scp->outer != 0)
scp = scp->outer;
if (ptr + size > scp->climit) {
- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
(intptr_t)ptr, size,
(intptr_t)scp->ctop, (intptr_t)scp->climit);
return false;
diff --git a/psi/iinit.c b/psi/iinit.c
index e347129..3371979 100644
--- a/psi/iinit.c
+++ b/psi/iinit.c
@@ -395,8 +395,12 @@ zop_init(i_ctx_t *i_ctx_p)
if (def->proc != 0) {
code = def->proc(i_ctx_p);
if (code < 0) {
+#ifdef DEBUG
lprintf2("op_init proc "PRI_INTPTR" returned error %d!\n",
(intptr_t)def->proc, code);
+#else
+ lprintf("op_init proc returned error !\n");
+#endif
return code;
}
}
diff --git a/psi/imainarg.c b/psi/imainarg.c
index aaf41b6..3b9efdc 100644
--- a/psi/imainarg.c
+++ b/psi/imainarg.c
@@ -229,7 +229,8 @@ gs_main_init_with_args01(gs_main_instance * minst, int argc, char *argv[])
if (gs_debug[':'] && !have_dumped_args) {
int i;
- dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ",
+ if (gs_debug_c(gs_debug_flag_init_details))
+ dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ",
(intptr_t)minst);
for (i=1; i<argc; i++)
dmprintf1(minst->heap, "%s ", argv[i]);
diff --git a/psi/isave.c b/psi/isave.c
index f0f3db0..d5f1448 100644
--- a/psi/isave.c
+++ b/psi/isave.c
@@ -487,7 +487,7 @@ alloc_save_change_in(gs_ref_memory_t *mem, const ref * pcont,
else if (r_is_struct(pcont))
cp->offset = (byte *) where - (byte *) pcont->value.pstruct;
else {
- lprintf3("Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n",
+ if_debug3('u', "Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n",
r_type(pcont), (intptr_t) pcont, (intptr_t) where);
gs_abort((const gs_memory_t *)mem);
}
diff --git a/psi/iutil.c b/psi/iutil.c
index 39a0a31..e24bbfd 100644
--- a/psi/iutil.c
+++ b/psi/iutil.c
@@ -537,7 +537,11 @@ other:
break;
}
/* Internal operator, no name. */
+#if DEBUG
gs_snprintf(buf, sizeof(buf), "@"PRI_INTPTR, (intptr_t) op->value.opproc);
+#else
+ gs_snprintf(buf, sizeof(buf), "@anonymous_operator", (intptr_t) op->value.opproc);
+#endif
break;
}
case t_real:
--
2.43.0
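Review bot: The non-DEBUG branches added in devices/gdevupd.c and psi/iutil.c still pass the pointer arguments to a format string that has no conversion for them; they should be dropped: `errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n");` and `gs_snprintf(buf, sizeof(buf), "@anonymous_operator");`. psi/iutil.c also tests `#if DEBUG` where every other file in this patch uses `#ifdef DEBUG`. In psi/iinit.c the release-build message drops `code` as well as the pointer, although the error code is not an address; `lprintf1("op_init proc returned error %d!\n", code);` would keep it.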


@ -9,7 +9,7 @@
Name: ghostscript
Version: 9.56.1
Release: 5
Release: 6
Summary: An interpreter for PostScript and PDF files
License: AGPLv3+
URL: https://ghostscript.com/
@ -45,6 +45,14 @@ Patch106: fix-CVE-2024-29510.patch
Patch107: fix-CVE-2024-33869.patch
Patch108: fix-CVE-2024-33870.patch
Patch109: fix-CVE-2024-33871.patch
# https://bugs.ghostscript.com/show_bug.cgi?id=707510
# CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511
Patch110: Bug-707510-don-t-use-strlen-on-passwords.patch
Patch111: Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
Patch112: Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
Patch113: Bug-707510-review-printing-of-pointers.patch
Patch114: Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch
Patch115: Bug-707510-fix-LIBIDN-usage.patch
BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -122,6 +130,13 @@ PDF files using Ghostscript and dvips
%patch107 -p1
%patch108 -p1
%patch109 -p1
%patch110 -p1
%patch111 -p1
%patch112 -p1
%patch113 -p1
%patch114 -p1
%patch115 -p1
# Libraries that we already have packaged(see Build Requirements):
rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
@ -215,6 +230,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf
%changelog
* Thu Jul 04 2024 zhangxianting <zhangxianting@uniontech.com> - 9.56.1-6
- Type:CVE
- ID:NA
- SUG:NA
- DECS: fix CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511
* Fri May 10 2024 xuchenchen <xuchenchen@kylinos.cn> - 9.56.1-5
- Type:CVE
- ID:NA