From f28a3a7317e4673f3585945ca380f96f44f0223f Mon Sep 17 00:00:00 2001 From: 15198808626 Date: Sun, 17 Dec 2023 21:43:39 -0800 Subject: [PATCH 1/2] 0001-Fix-bugs-701787-701806-701810.-Problems-with-cdj970-.patch --- ...701806-701810.-Problems-with-cdj970-.patch | 288 ++++++++++++++++++ contrib/gdevdj9.c | 133 ++++---- debian/changelog | 7 + 3 files changed, 364 insertions(+), 64 deletions(-) create mode 100644 0001-Fix-bugs-701787-701806-701810.-Problems-with-cdj970-.patch diff --git a/0001-Fix-bugs-701787-701806-701810.-Problems-with-cdj970-.patch b/0001-Fix-bugs-701787-701806-701810.-Problems-with-cdj970-.patch new file mode 100644 index 0000000..d3a66ce --- /dev/null +++ b/0001-Fix-bugs-701787-701806-701810.-Problems-with-cdj970-.patch @@ -0,0 +1,288 @@ +From 4f73e8b4d578e69a17f452fa60d2130c5faaefd6 Mon Sep 17 00:00:00 2001 +From: Ray Johnston +Date: Fri, 1 Nov 2019 11:55:23 -0700 +Subject: [PATCH] Fix bugs 701787, 701806, 701810. Problems with cdj970 device. + +As Robin mentioned in bug 701787, the device was changing resolution AFTER +the device had been opened and all of the buffers configured. + +Move the "one time" initial setup into the open function, leaving the code +to write the header in the print_page function. Presumably that only needs +to be written once even if there are multiple pages. + +Also add a check for valid resolutions since it appears that the intent was +to have the "Quality" parameter set up 300 or 600 dpi. Other deskjet devices +have this type of check. + +Add a gs_closedevice if the Quality is changed since this will change the +resolution and thus the page buffer geometry. + +Lastly, fix cdj970_put_params so that errors are not ignored for all but the +last (which happened to be BlackCorrect). + +These changes prevent the bugs cited, but remain untested except for some +parameter testing to make sure bad values don't cause memory violations. It +does seem that some parameter values that are out of range (like Quality) are +ignored, but that may be intentional. +--- + contrib/gdevdj9.c | 172 ++++++++++++++++++++++++---------------------- + 1 file changed, 88 insertions(+), 84 deletions(-) + +diff --git a/contrib/gdevdj9.c b/contrib/gdevdj9.c +index a77a102c8..ef5337324 100644 +--- a/contrib/gdevdj9.c ++++ b/contrib/gdevdj9.c +@@ -574,26 +574,55 @@ static int cdj_set_bpp(gx_device *, int, int); + static int + hp_colour_open(gx_device * pdev) + { +- int retCode; ++ int retCode = 0; ++ ++ /* Change the margins if necessary. */ ++ static const float dj_a4[4] = { ++ DESKJET_MARGINS_A4 ++ }; ++ ++ static const float dj_letter[4] = { ++ DESKJET_MARGINS_LETTER ++ }; ++ const float *m = (float *)0; + + cdj970->PageCtr = 0; + ++ /* quality setup */ ++ if (cdj970->quality == DRAFT) { ++ gx_device_set_resolution((gx_device *) pdev, 300.0, 300.0); ++ cdj970->xscal = 0; ++ cdj970->yscal = 0; ++ cdj970->intensities = 2; ++ } else if (cdj970->quality == NORMAL) { ++ gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0); ++ cdj970->xscal = 1; ++ cdj970->yscal = 1; ++ /* intensities = 4 from initialization */ ++ } else { /* quality == PRESENTATION */ ++ gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0); ++ cdj970->xscal = 0; ++ cdj970->yscal = 0; ++ /* intensities = 4 from initialization */ ++ } ++ ++ m = (gdev_pcl_paper_size((gx_device *) pdev) == ++ PAPER_SIZE_A4 ? dj_a4 : dj_letter); ++ ++ gx_device_set_margins((gx_device *) pdev, m, true); ++ + /* Set up colour params if put_params has not already done so */ + if (pdev->color_info.num_components == 0) { +- int code = cdj_set_bpp(pdev, pdev->color_info.depth, ++ retCode = cdj_set_bpp(pdev, pdev->color_info.depth, + pdev->color_info.num_components); + +- if (code < 0) +- return code; ++ if (retCode < 0) ++ return retCode; + } + + retCode = gdev_prn_open(pdev); +- if (retCode < 0) +- return (retCode); +- else { ++ if (retCode >= 0) { + retCode = gdev_prn_open_printer(pdev, true); +- if (retCode < 0) +- return (retCode); + } + + return 0; +@@ -647,26 +676,25 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist) + int bpp = 0; + int code = 0; + +- code = cdj_put_param_int(plist, "BitsPerPixel", &bpp, 1, 32, code); +- code = cdj_put_param_int(plist, "Quality", &quality, 0, 2, code); +- code = cdj_put_param_int(plist, "Papertype", &papertype, 0, 4, code); +- code = cdj_put_param_int(plist, "Duplex", &duplex, 0, 2, code); +- code = +- cdj_put_param_float(plist, "MasterGamma", &mastergamma, 0.1f, 9.0f, +- code); +- code = +- cdj_put_param_float(plist, "GammaValC", &gammavalc, 0.0f, 9.0f, code); +- code = +- cdj_put_param_float(plist, "GammaValM", &gammavalm, 0.0f, 9.0f, code); +- code = +- cdj_put_param_float(plist, "GammaValY", &gammavaly, 0.0f, 9.0f, code); +- code = +- cdj_put_param_float(plist, "GammaValK", &gammavalk, 0.0f, 9.0f, code); +- code = +- cdj_put_param_float(plist, "BlackCorrect", &blackcorrect, 0.0f, 9.0f, +- code); +- +- if (code < 0) ++ if ((code = cdj_put_param_int(plist, "BitsPerPixel", &bpp, 1, 32, code)) < 0) ++ return code; ++ if ((code = cdj_put_param_int(plist, "Quality", &quality, 0, 2, code)) < 0) ++ return code; ++ if ((code = cdj_put_param_int(plist, "Papertype", &papertype, 0, 4, code)) < 0) ++ return code; ++ if ((code = cdj_put_param_int(plist, "Duplex", &duplex, 0, 2, code)) < 0) ++ return code; ++ if ((code = cdj_put_param_float(plist, "MasterGamma", &mastergamma, 0.1, 9.0, code)) < 0) ++ return code; ++ if ((code = cdj_put_param_float(plist, "GammaValC", &gammavalc, 0.0, 9.0, code)) < 0) ++ return code; ++ if ((code = cdj_put_param_float(plist, "GammaValM", &gammavalm, 0.0, 9.0, code)) < 0) ++ return code; ++ if ((code = cdj_put_param_float(plist, "GammaValY", &gammavaly, 0.0, 9.0, code)) < 0) ++ return code; ++ if ((code = cdj_put_param_float(plist, "GammaValK", &gammavalk, 0.0, 9.0, code)) < 0) ++ return code; ++ if ((code = cdj_put_param_float(plist, "BlackCorrect", &blackcorrect, 0.0, 9.0, code)) < 0) + return code; + + code = cdj_put_param_bpp(pdev, plist, bpp, bpp, 0); +@@ -674,7 +702,11 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist) + if (code < 0) + return code; + +- cdj970->quality = quality; ++ if (cdj970->quality != quality) { ++ if (pdev->is_open) ++ gs_closedevice(pdev); /* quality can change resolution, force re-open */ ++ cdj970->quality = quality; ++ } + cdj970->papertype = papertype; + cdj970->duplex = duplex; + cdj970->mastergamma = mastergamma; +@@ -684,7 +716,7 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist) + cdj970->gammavalk = gammavalk; + cdj970->blackcorrect = blackcorrect; + +- return 0; ++ return code; + } + + /**********************************************************************************/ +@@ -783,47 +815,6 @@ cdj970_terminate_page(gx_device_printer * pdev, gp_file * prn_stream) + gp_fputs("\033*rC\f\033&l-2H", prn_stream); /* End Graphics, Reset */ + } + +-/* cdj970_one_time_initialisation: +-----------------------------------------------------------------------------------*/ +-static void +-cdj970_one_time_initialisation(gx_device_printer * pdev) +-{ +- /* Change the margins if necessary. */ +- static const float dj_a4[4] = { +- DESKJET_MARGINS_A4 +- }; +- +- static const float dj_letter[4] = { +- DESKJET_MARGINS_LETTER +- }; +- const float *m = (float *)0; +- +- /* quality setup */ +- if (cdj970->quality == DRAFT) { +- gx_device_set_resolution((gx_device *) pdev, 300.0, 300.0); +- cdj970->xscal = 0; +- cdj970->yscal = 0; +- cdj970->intensities = 2; +- } else if (cdj970->quality == NORMAL) { +- gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0); +- cdj970->xscal = 1; +- cdj970->yscal = 1; +- /* intensities = 4 from initialization */ +- } else { /* quality == PRESENTATION */ +- gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0); +- cdj970->xscal = 0; +- cdj970->yscal = 0; +- /* intensities = 4 from initialization */ +- } +- +- m = (gdev_pcl_paper_size((gx_device *) pdev) == +- PAPER_SIZE_A4 ? dj_a4 : dj_letter); +- +- gx_device_set_margins((gx_device *) pdev, m, true); +- +- cdj970_write_header((gx_device *) pdev, pdev->file); +-} +- + /* cdj970_print_page: Here comes the hp970 output routine + ----------------------------------------------------------------------------------*/ + static int +@@ -836,7 +827,7 @@ cdj970_print_page(gx_device_printer * pdev, gp_file * prn_stream) + Gamma gamma; + + if (cdj970->PageCtr == 0 && cdj970->ptype == DJ970C) { +- cdj970_one_time_initialisation(pdev); ++ cdj970_write_header((gx_device *)pdev, prn_stream); + } + + /* make a local writable copy of the Gamma tables */ +@@ -2279,6 +2270,10 @@ cdj_set_bpp(gx_device * pdev, int bpp, int ccomps) + ci->dither_colors = (bpp >= 8 ? 5 : bpp > 1 ? 2 : 0); + } + ++ if (ci->depth != ((bpp > 1) && (bpp < 8) ? 8 : bpp)) { ++ if (pdev->is_open) ++ gs_closedevice(pdev); /* depth changed, make sure we re-open */ ++ } + ci->depth = ((bpp > 1) && (bpp < 8) ? 8 : bpp); + + return (0); +@@ -2597,16 +2592,16 @@ cdj_put_param_bpp(gx_device * pdev, + gs_param_list * plist, + int new_bpp, int real_bpp, int ccomps) + { +- if (new_bpp == 0 && ccomps == 0) +- return gdev_prn_put_params(pdev, plist); +- else { +- gx_device_color_info save_info; +- int save_bpp; +- int code; ++ int code = 0; ++ int save_bpp; ++ gx_device_color_info save_info; + +- save_info = pdev->color_info; +- save_bpp = save_info.depth; ++ save_info = pdev->color_info; ++ save_bpp = save_info.depth; + ++ if (new_bpp == 0 && ccomps == 0) { ++ code = gdev_prn_put_params(pdev, plist); ++ } else { + if (save_bpp == 8 && save_ccomps == 3 && !cprn_device->cmyk) + save_bpp = 3; + +@@ -2630,12 +2625,21 @@ cdj_put_param_bpp(gx_device * pdev, + if ((cdj970->color_info.depth != save_bpp + || (ccomps != 0 && ccomps != save_ccomps)) + && pdev->is_open) +- return (gs_closedevice(pdev)); ++ gs_closedevice(pdev); ++ } + +- return (0); ++ /* check for valid resolutions */ ++ if (pdev->HWResolution[0] != pdev->HWResolution[1] || ++ (pdev->HWResolution[0] != 300.0 && pdev->HWResolution[0] != 600.0) ) { ++ param_signal_error(plist, "HWResolution", gs_error_rangecheck); ++ emprintf1(pdev->memory, "\ncdj970: Invalid resolution: '%f'. Only 300 or 600 supported.\n\n", ++ pdev->HWResolution[0]); ++ cdj_set_bpp(pdev, save_bpp, save_ccomps); ++ return gs_error_rangecheck; ++ } ++ return code; + + #undef save_ccomps +- } + } + + /* cdj970_write_header: +-- +2.25.1 + diff --git a/contrib/gdevdj9.c b/contrib/gdevdj9.c index 1191a32..8cdb50f 100644 --- a/contrib/gdevdj9.c +++ b/contrib/gdevdj9.c @@ -574,26 +574,55 @@ static int cdj_set_bpp(gx_device *, int, int); static int hp_colour_open(gx_device * pdev) { - int retCode; + int retCode = 0; + + /* Change the margins if necessary. */ + static const float dj_a4[4] = { + DESKJET_MARGINS_A4 + }; + + static const float dj_letter[4] = { + DESKJET_MARGINS_LETTER + }; + const float *m = (float *)0; cdj970->PageCtr = 0; + /* quality setup */ + if (cdj970->quality == DRAFT) { + gx_device_set_resolution((gx_device *) pdev, 300.0, 300.0); + cdj970->xscal = 0; + cdj970->yscal = 0; + cdj970->intensities = 2; + } else if (cdj970->quality == NORMAL) { + gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0); + cdj970->xscal = 1; + cdj970->yscal = 1; + /* intensities = 4 from initialization */ + } else { /* quality == PRESENTATION */ + gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0); + cdj970->xscal = 0; + cdj970->yscal = 0; + /* intensities = 4 from initialization */ + } + + m = (gdev_pcl_paper_size((gx_device *) pdev) == + PAPER_SIZE_A4 ? dj_a4 : dj_letter); + + gx_device_set_margins((gx_device *) pdev, m, true); + /* Set up colour params if put_params has not already done so */ if (pdev->color_info.num_components == 0) { - int code = cdj_set_bpp(pdev, pdev->color_info.depth, + retCode = cdj_set_bpp(pdev, pdev->color_info.depth, pdev->color_info.num_components); - if (code < 0) - return code; + if (retCode < 0) + return retCode; } retCode = gdev_prn_open(pdev); - if (retCode < 0) - return (retCode); - else { + if (retCode >= 0) { retCode = gdev_prn_open_printer(pdev, true); - if (retCode < 0) - return (retCode); } return 0; @@ -674,7 +703,11 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist) if (code < 0) return code; - cdj970->quality = quality; + if (cdj970->quality != quality) { + if (pdev->is_open) + gs_closedevice(pdev); /* quality can change resolution, force re-open */ + cdj970->quality = quality; + } cdj970->papertype = papertype; cdj970->duplex = duplex; cdj970->mastergamma = mastergamma; @@ -684,7 +717,7 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist) cdj970->gammavalk = gammavalk; cdj970->blackcorrect = blackcorrect; - return 0; + return code; } /**********************************************************************************/ @@ -783,47 +816,6 @@ cdj970_terminate_page(gx_device_printer * pdev, gp_file * prn_stream) gp_fputs("\033*rC\f\033&l-2H", prn_stream); /* End Graphics, Reset */ } -/* cdj970_one_time_initialisation: -----------------------------------------------------------------------------------*/ -static void -cdj970_one_time_initialisation(gx_device_printer * pdev) -{ - /* Change the margins if necessary. */ - static const float dj_a4[4] = { - DESKJET_MARGINS_A4 - }; - - static const float dj_letter[4] = { - DESKJET_MARGINS_LETTER - }; - const float *m = (float *)0; - - /* quality setup */ - if (cdj970->quality == DRAFT) { - gx_device_set_resolution((gx_device *) pdev, 300.0, 300.0); - cdj970->xscal = 0; - cdj970->yscal = 0; - cdj970->intensities = 2; - } else if (cdj970->quality == NORMAL) { - gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0); - cdj970->xscal = 1; - cdj970->yscal = 1; - /* intensities = 4 from initialization */ - } else { /* quality == PRESENTATION */ - gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0); - cdj970->xscal = 0; - cdj970->yscal = 0; - /* intensities = 4 from initialization */ - } - - m = (gdev_pcl_paper_size((gx_device *) pdev) == - PAPER_SIZE_A4 ? dj_a4 : dj_letter); - - gx_device_set_margins((gx_device *) pdev, m, true); - - cdj970_write_header((gx_device *) pdev, pdev->file); -} - /* cdj970_print_page: Here comes the hp970 output routine ----------------------------------------------------------------------------------*/ static int @@ -836,7 +828,7 @@ cdj970_print_page(gx_device_printer * pdev, gp_file * prn_stream) Gamma gamma; if (cdj970->PageCtr == 0 && cdj970->ptype == DJ970C) { - cdj970_one_time_initialisation(pdev); + cdj970_write_header((gx_device *)pdev, prn_stream); } /* make a local writable copy of the Gamma tables */ @@ -2279,6 +2271,10 @@ cdj_set_bpp(gx_device * pdev, int bpp, int ccomps) ci->dither_colors = (bpp >= 8 ? 5 : bpp > 1 ? 2 : 0); } + if (ci->depth != ((bpp > 1) && (bpp < 8) ? 8 : bpp)) { + if (pdev->is_open) + gs_closedevice(pdev); /* depth changed, make sure we re-open */ + } ci->depth = ((bpp > 1) && (bpp < 8) ? 8 : bpp); return (0); @@ -2597,16 +2593,16 @@ cdj_put_param_bpp(gx_device * pdev, gs_param_list * plist, int new_bpp, int real_bpp, int ccomps) { - if (new_bpp == 0 && ccomps == 0) - return gdev_prn_put_params(pdev, plist); - else { - gx_device_color_info save_info; - int save_bpp; - int code; + int code = 0; + int save_bpp; + gx_device_color_info save_info; - save_info = pdev->color_info; - save_bpp = save_info.depth; + save_info = pdev->color_info; + save_bpp = save_info.depth; + if (new_bpp == 0 && ccomps == 0) { + code = gdev_prn_put_params(pdev, plist); + } else { if (save_bpp == 8 && save_ccomps == 3 && !cprn_device->cmyk) save_bpp = 3; @@ -2630,12 +2626,21 @@ cdj_put_param_bpp(gx_device * pdev, if ((cdj970->color_info.depth != save_bpp || (ccomps != 0 && ccomps != save_ccomps)) && pdev->is_open) - return (gs_closedevice(pdev)); + gs_closedevice(pdev); + } - return (0); + /* check for valid resolutions */ + if (pdev->HWResolution[0] != pdev->HWResolution[1] || + (pdev->HWResolution[0] != 300.0 && pdev->HWResolution[0] != 600.0) ) { + param_signal_error(plist, "HWResolution", gs_error_rangecheck); + emprintf1(pdev->memory, "\ncdj970: Invalid resolution: '%f'. Only 300 or 600 supported.\n\n", + pdev->HWResolution[0]); + cdj_set_bpp(pdev, save_bpp, save_ccomps); + return gs_error_rangecheck; + } + return code; #undef save_ccomps - } } /* cdj970_write_header: diff --git a/debian/changelog b/debian/changelog index 8525a9e..7e3da9a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ghostscript (9.50~dfsg-ok7) yeqiaoyuan; urgency=medium + + * CVE问题修复: + - CVE-2020-16291 + + -- yeqiaoyuan Sun, 17 Dec 2023 21:35:46 -0800 + ghostscript (9.50~dfsg-ok6) yangtze; urgency=medium * Update package info. -- Gitee From abd66130b6eb03c58e4df34d799209d4630cd852 Mon Sep 17 00:00:00 2001 From: ppi Date: Mon, 18 Dec 2023 16:19:43 +0800 Subject: [PATCH 2/2] devices/gdevepsn.c --- devices/gdevepsn.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/devices/gdevepsn.c b/devices/gdevepsn.c index 49faaf3..3e53883 100644 --- a/devices/gdevepsn.c +++ b/devices/gdevepsn.c @@ -159,10 +159,10 @@ eps_print_page(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high, int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev); /* Note that in_size is a multiple of 8. */ int in_size = line_size * (8 * in_y_mult); - byte *buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf1)"); - byte *buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf2)"); - byte *in = buf1; - byte *out = buf2; + byte *buf1; + byte *buf2; + byte *in; + byte *out; int out_y_mult = (y_24pin ? 3 : 1); int x_dpi = (int)pdev->x_pixels_per_inch; char start_graphics = @@ -174,6 +174,17 @@ eps_print_page(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high, int bytes_per_space = dots_per_space * out_y_mult; int tab_min_pixels = x_dpi * MIN_TAB_10THS / 10; int skip = 0, lnum = 0, pass, ypass; + + if (bytes_per_space == 0) { + /* This avoids divide by zero later on, bug 701843. */ + return_error(gs_error_rangecheck); + } + + buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf1)"); + buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf2)"); + in = buf1; + out = buf2; + /* Check allocations */ if ( buf1 == 0 || buf2 == 0 ) -- Gitee