diff --git a/Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch b/Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch new file mode 100644 index 0000000000000000000000000000000000000000..351be7e6d0760c7d6a88ca5cd7ff45129ae27723 --- /dev/null +++ b/Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch @@ -0,0 +1,92 @@ +From 7745dbe24514710b0cfba925e608e607dee9eb0f Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Wed, 24 Jan 2024 18:25:12 +0000 +Subject: [PATCH 3/6] Bug 707510(3): Bounds checks when using CIDFont related + params + +Specifically, for CIDFont substitution. +--- + pdf/pdf_font.c | 45 +++++++++++++++++++++++++++++++++++++++------ + pdf/pdf_warnings.h | 2 +- + 2 files changed, 40 insertions(+), 7 deletions(-) + +diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c +index fa71605..89c13ab 100644 +--- a/pdf/pdf_font.c ++++ b/pdf/pdf_font.c +@@ -228,22 +228,55 @@ pdfi_open_CIDFont_substitute_file(pdf_context * ctx, pdf_dict *font_dict, pdf_di + memcpy(fontfname, fsprefix, fsprefixlen); + } + else { +- memcpy(fontfname, ctx->args.cidsubstpath.data, ctx->args.cidsubstpath.size); +- fsprefixlen = ctx->args.cidsubstpath.size; ++ if (ctx->args.cidsubstpath.size + 1 > gp_file_name_sizeof) { ++ code = gs_note_error(gs_error_rangecheck); ++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstPath parameter too long"); ++ if (ctx->args.pdfstoponwarning != 0) { ++ goto exit; ++ } ++ code = 0; ++ memcpy(fontfname, fsprefix, fsprefixlen); ++ } ++ else { ++ memcpy(fontfname, ctx->args.cidsubstpath.data, ctx->args.cidsubstpath.size); ++ fsprefixlen = ctx->args.cidsubstpath.size; ++ } + } + + if (ctx->args.cidsubstfont.data == NULL) { + int len = 0; +- if (gp_getenv("CIDSUBSTFONT", (char *)0, &len) < 0 && len + fsprefixlen + 1 < gp_file_name_sizeof) { +- (void)gp_getenv("CIDSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen); ++ if (gp_getenv("CIDSUBSTFONT", (char *)0, &len) < 0) { ++ if (len + fsprefixlen + 1 > gp_file_name_sizeof) { ++ code = gs_note_error(gs_error_rangecheck); ++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSUBSTFONT environment variable too long"); ++ if (ctx->args.pdfstoponwarning != 0) { ++ goto exit; ++ } ++ code = 0; ++ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen); ++ } ++ else { ++ (void)gp_getenv("CIDSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen); ++ } + } + else { + memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen); + } + } + else { +- memcpy(fontfname, ctx->args.cidsubstfont.data, ctx->args.cidsubstfont.size); +- defcidfallacklen = ctx->args.cidsubstfont.size; ++ if (ctx->args.cidsubstfont.size > gp_file_name_sizeof - 1) { ++ code = gs_note_error(gs_error_rangecheck); ++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstFont parameter too long"); ++ if (ctx->args.pdfstoponwarning != 0) { ++ goto exit; ++ } ++ code = 0; ++ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen); ++ } ++ else { ++ memcpy(fontfname, ctx->args.cidsubstfont.data, ctx->args.cidsubstfont.size); ++ defcidfallacklen = ctx->args.cidsubstfont.size; ++ } + } + fontfname[fsprefixlen + defcidfallacklen] = '\0'; + +diff --git a/pdf/pdf_warnings.h b/pdf/pdf_warnings.h +index 21b2403..bfbc3a7 100644 +--- a/pdf/pdf_warnings.h ++++ b/pdf/pdf_warnings.h +@@ -58,5 +58,5 @@ PARAM(W_PDF_CA_OUTOFRANGE, "CA or ca value not in range 0.0 to 1.0, cla + PARAM(W_PDF_INVALID_DEFAULTSPACE, "Invalid DefaultGray, DefaultRGB or DefaultCMYK space specified, ignored."), + PARAM(W_PDF_INVALID_DECRYPT_LEN, "Invalid /Length supplied in Encryption dictionary."), + PARAM(W_PDF_INVALID_FONT_BASEENC, "Ignoring invalid BaseEncoding name in font"), +- ++PARAM(W_PDF_BAD_CONFIG, "A configuration or command line parameter was invalid or incorrect."), + #undef PARAM +-- +2.43.0 + diff --git a/Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch b/Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch new file mode 100644 index 0000000000000000000000000000000000000000..6ce85390564c525a1b74cd0a09ac7da79b24165d --- /dev/null +++ b/Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch @@ -0,0 +1,95 @@ +From 3d4cfdc1a44b1969a0f14c86673a372654d443c4 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Wed, 24 Jan 2024 17:06:01 +0000 +Subject: [PATCH 5/6] Bug 707510(5): Reject OCRLanguage changes after SAFER + enabled + +In the devices that support OCR, OCRLanguage really ought never to be set from +PostScript, so reject attempts to change it if path_control_active is true. +--- + devices/gdevocr.c | 15 ++++++++++----- + devices/gdevpdfocr.c | 15 ++++++++++----- + devices/vector/gdevpdfp.c | 15 ++++++++++----- + 3 files changed, 30 insertions(+), 15 deletions(-) + +diff --git a/devices/gdevocr.c b/devices/gdevocr.c +index 88c759c..287b74b 100644 +--- a/devices/gdevocr.c ++++ b/devices/gdevocr.c +@@ -187,11 +187,16 @@ ocr_put_params(gx_device *dev, gs_param_list *plist) + + switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) { + case 0: +- len = langstr.size; +- if (len >= sizeof(pdev->language)) +- len = sizeof(pdev->language)-1; +- memcpy(pdev->language, langstr.data, len); +- pdev->language[len] = 0; ++ if (pdev->memory->gs_lib_ctx->core->path_control_active) { ++ return_error(gs_error_invalidaccess); ++ } ++ else { ++ len = langstr.size; ++ if (len >= sizeof(pdev->language)) ++ len = sizeof(pdev->language)-1; ++ memcpy(pdev->language, langstr.data, len); ++ pdev->language[len] = 0; ++ } + break; + case 1: + break; +diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c +index ff60c12..0f3478a 100644 +--- a/devices/gdevpdfocr.c ++++ b/devices/gdevpdfocr.c +@@ -50,11 +50,16 @@ pdfocr_put_some_params(gx_device * dev, gs_param_list * plist) + + switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) { + case 0: +- len = langstr.size; +- if (len >= sizeof(pdf_dev->ocr.language)) +- len = sizeof(pdf_dev->ocr.language)-1; +- memcpy(pdf_dev->ocr.language, langstr.data, len); +- pdf_dev->ocr.language[len] = 0; ++ if (pdf_dev->memory->gs_lib_ctx->core->path_control_active) { ++ return_error(gs_error_invalidaccess); ++ } ++ else { ++ len = langstr.size; ++ if (len >= sizeof(pdf_dev->ocr.language)) ++ len = sizeof(pdf_dev->ocr.language)-1; ++ memcpy(pdf_dev->ocr.language, langstr.data, len); ++ pdf_dev->ocr.language[len] = 0; ++ } + break; + case 1: + break; +diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c +index 42fa1c5..23e9bc8 100644 +--- a/devices/vector/gdevpdfp.c ++++ b/devices/vector/gdevpdfp.c +@@ -458,11 +458,16 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par + gs_param_string langstr; + switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) { + case 0: +- len = langstr.size; +- if (len >= sizeof(pdev->ocr_language)) +- len = sizeof(pdev->ocr_language)-1; +- memcpy(pdev->ocr_language, langstr.data, len); +- pdev->ocr_language[len] = 0; ++ if (pdev->memory->gs_lib_ctx->core->path_control_active) { ++ return_error(gs_error_invalidaccess); ++ } ++ else { ++ len = langstr.size; ++ if (len >= sizeof(pdev->ocr_language)) ++ len = sizeof(pdev->ocr_language)-1; ++ memcpy(pdev->ocr_language, langstr.data, len); ++ pdev->ocr_language[len] = 0; ++ } + break; + case 1: + break; +-- +2.43.0 + diff --git a/Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch b/Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch new file mode 100644 index 0000000000000000000000000000000000000000..25eca4a4684d896a91af1e0bf138bf9d2ec99fdb --- /dev/null +++ b/Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch @@ -0,0 +1,40 @@ +From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 25 Jan 2024 11:55:49 +0000 +Subject: [PATCH 2/6] Bug 707510 - don't allow PDF files with bad Filters to + overflow the debug buffer + +Item #2 of the report. + +Allocate a buffer to hold the filter name, instead of assuming it will +fit in a fixed buffer. + +Reviewed all the other PDFDEBUG cases, no others use a fixed buffer like +this. +--- + pdf/pdf_file.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/pdf/pdf_file.c b/pdf/pdf_file.c +index 5698866..89298f0 100644 +--- a/pdf/pdf_file.c ++++ b/pdf/pdf_file.c +@@ -773,10 +773,14 @@ static int pdfi_apply_filter(pdf_context *ctx, pdf_dict *dict, pdf_name *n, pdf_ + + if (ctx->args.pdfdebug) + { +- char str[100]; ++ char *str; ++ str = gs_alloc_bytes(ctx->memory, n->length + 1, "temp string for debug"); ++ if (str == NULL) ++ return_error(gs_error_VMerror); + memcpy(str, (const char *)n->data, n->length); + str[n->length] = '\0'; + dmprintf1(ctx->memory, "FILTER NAME:%s\n", str); ++ gs_free_object(ctx->memory, str, "temp string for debug"); + } + + if (pdfi_name_is(n, "RunLengthDecode")) { +-- +2.43.0 + diff --git a/Bug-707510-don-t-use-strlen-on-passwords.patch b/Bug-707510-don-t-use-strlen-on-passwords.patch new file mode 100644 index 0000000000000000000000000000000000000000..702ca2f06beb99900bfbc753491529f408b5c4e9 --- /dev/null +++ b/Bug-707510-don-t-use-strlen-on-passwords.patch @@ -0,0 +1,40 @@ +From 917b3a71fb20748965254631199ad98210d6c2fb Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 25 Jan 2024 11:58:22 +0000 +Subject: [PATCH 1/6] Bug 707510 - don't use strlen on passwords + +Item #1 of the report. This looks like an oversight when first coding +the routine. We should use the PostScript string length, because +PostScript strings may not be NULL terminated (and as here may contain +internal NULL characters). + +Fix the R6 handler which has the same problem too. +--- + pdf/pdf_sec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c +index fa7131f..841eb72 100644 +--- a/pdf/pdf_sec.c ++++ b/pdf/pdf_sec.c +@@ -1271,7 +1271,7 @@ static int check_password_R5(pdf_context *ctx, char *Password, int PasswordLen, + /* If the supplied Password fails as the user *and* owner password, maybe its in + * the locale, not UTF-8, try converting to UTF-8 + */ +- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P); ++ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P); + if (code < 0) + return code; + memcpy(P->data, Password, PasswordLen); +@@ -1318,7 +1318,7 @@ static int check_password_R6(pdf_context *ctx, char *Password, int PasswordLen, + /* If the supplied Password fails as the user *and* owner password, maybe its in + * the locale, not UTF-8, try converting to UTF-8 + */ +- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P); ++ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P); + if (code < 0) + return code; + memcpy(P->data, Password, PasswordLen); +-- +2.43.0 + diff --git a/Bug-707510-fix-LIBIDN-usage.patch b/Bug-707510-fix-LIBIDN-usage.patch new file mode 100644 index 0000000000000000000000000000000000000000..d936f2fa8fa8d9e8a9134f72ab0124ccf65da8df --- /dev/null +++ b/Bug-707510-fix-LIBIDN-usage.patch @@ -0,0 +1,43 @@ +From d99396635f3d6ac6a1168e1af21a669e5c8f695f Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 25 Jan 2024 12:16:56 +0000 +Subject: [PATCH 6/6] Bug 707510 - fix LIBIDN usage + +This wasn't a reported fault, but it bears fixing anyway. + +In case of ignored errors, we need to return the input password. +And not free the buffer if we did that.... +--- + pdf/pdf_sec.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c +index 841eb72..270ed32 100644 +--- a/pdf/pdf_sec.c ++++ b/pdf/pdf_sec.c +@@ -182,8 +182,11 @@ static int apply_sasl(pdf_context *ctx, char *Password, int Len, char **NewPassw + * Fortunately, the stringprep error codes are sorted to make + * this easy: the errors we want to ignore are the ones with + * codes less than 100. */ +- if ((int)err < 100) ++ if ((int)err < 100) { ++ NewPassword = Password; ++ NewLen = Len; + return 0; ++ } + + return_error(gs_error_ioerror); + } +@@ -301,7 +304,8 @@ error: + pdfi_countdown(Key); + gs_free_object(ctx->memory, Test, "R5 password test"); + #ifdef HAVE_LIBIDN +- gs_free_object(ctx->memory, UTF8_Password, "free sasl result"); ++ if (UTF8_Password != Password) ++ gs_free_object(ctx->memory, UTF8_Password, "free sasl result"); + #endif + return code; + } +-- +2.43.0 + diff --git a/Bug-707510-review-printing-of-pointers.patch b/Bug-707510-review-printing-of-pointers.patch new file mode 100644 index 0000000000000000000000000000000000000000..09994df5964627fefac89b2969ae3f151a6eb7ff --- /dev/null +++ b/Bug-707510-review-printing-of-pointers.patch @@ -0,0 +1,334 @@ +From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 25 Jan 2024 11:53:44 +0000 +Subject: [PATCH 4/6] Bug 707510 - review printing of pointers + +This is for item 4 of the report, which is addressed by the change in +gdevpdtb.c. That change uses a fixed name for fonts which have no name +instead of using the pointer to the address of the font. + +The remaining changes are all due to reviewing the use of PRI_INTPTR. +In general we only use that for debugging purposes but there were a few +places which were printing pointers arbitrarily, even in a release build. + +We really don't want to do that so I've modified the places which were +printing pointer unconditionally so that they only do so if DEBUG is +set at compile time, or a specific debug flag is set. +--- + base/gsfont.c | 2 +- + base/gsicc_cache.c | 6 +++--- + base/gsmalloc.c | 2 +- + base/gxclmem.c | 3 +-- + base/gxcpath.c | 4 ++++ + base/gxpath.c | 6 ++++++ + base/szlibc.c | 2 ++ + devices/gdevupd.c | 5 +++++ + devices/vector/gdevpdtb.c | 2 +- + psi/ialloc.c | 2 +- + psi/igc.c | 4 ++-- + psi/igcstr.c | 4 ++-- + psi/iinit.c | 4 ++++ + psi/imainarg.c | 3 ++- + psi/isave.c | 2 +- + psi/iutil.c | 4 ++++ + 16 files changed, 40 insertions(+), 15 deletions(-) + +diff --git a/base/gsfont.c b/base/gsfont.c +index 8e2015b..cc9af15 100644 +--- a/base/gsfont.c ++++ b/base/gsfont.c +@@ -791,7 +791,7 @@ gs_purge_font(gs_font * pfont) + else if (pdir->scaled_fonts == pfont) + pdir->scaled_fonts = next; + else { /* Shouldn't happen! */ +- lprintf1("purged font "PRI_INTPTR" not found\n", (intptr_t)pfont); ++ if_debug1m('u', pfont->memory, "purged font "PRI_INTPTR" not found\n", (intptr_t)pfont); + } + + /* Purge the font from the scaled font cache. */ +diff --git a/base/gsicc_cache.c b/base/gsicc_cache.c +index 13eb003..8dcdb71 100644 +--- a/base/gsicc_cache.c ++++ b/base/gsicc_cache.c +@@ -151,7 +151,7 @@ icc_linkcache_finalize(const gs_memory_t *mem, void *ptr) + + while (link_cache->head != NULL) { + if (link_cache->head->ref_count != 0) { +- emprintf2(mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", ++ if_debug2m(gs_debug_flag_icc, mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", + (intptr_t)link_cache->head, link_cache->head->ref_count); + link_cache->head->ref_count = 0; /* force removal */ + } +@@ -573,7 +573,7 @@ gsicc_findcachelink(gsicc_hashlink_t hash, gsicc_link_cache_t *icc_link_cache, + /* that was building it failed to be able to complete building it. Try this only + a limited number of times before we bail. */ + if (curr->valid == false) { +- emprintf1(curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */ ++ if_debug1m(gs_debug_flag_icc, curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */ + } + gx_monitor_enter(icc_link_cache->lock); /* re-enter to loop and check */ + } +@@ -600,7 +600,7 @@ gsicc_remove_link(gsicc_link_t *link, const gs_memory_t *memory) + /* NOTE: link->ref_count must be 0: assert ? */ + gx_monitor_enter(icc_link_cache->lock); + if (link->ref_count != 0) { +- emprintf2(memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count); ++ if_debug2m(gs_debug_flag_icc, memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count); + } + curr = icc_link_cache->head; + prev = NULL; +diff --git a/base/gsmalloc.c b/base/gsmalloc.c +index 63c8b6b..3182b56 100644 +--- a/base/gsmalloc.c ++++ b/base/gsmalloc.c +@@ -420,7 +420,7 @@ gs_heap_resize_string(gs_memory_t * mem, byte * data, size_t old_num, size_t new + client_name_t cname) + { + if (gs_heap_object_type(mem, data) != &st_bytes) +- lprintf2("%s: resizing non-string "PRI_INTPTR"!\n", ++ if_debug2m('a', mem, "%s: resizing non-string "PRI_INTPTR"!\n", + client_name_string(cname), (intptr_t)data); + return gs_heap_resize_object(mem, data, new_num, cname); + } +diff --git a/base/gxclmem.c b/base/gxclmem.c +index 1905a43..933cb4e 100644 +--- a/base/gxclmem.c ++++ b/base/gxclmem.c +@@ -490,8 +490,7 @@ memfile_fclose(clist_file_ptr cf, const char *fname, bool delete) + /* leaks if other users of the memfile don't 'fclose with delete=true */ + if (f->openlist != NULL || ((f->base_memfile != NULL) && f->base_memfile->is_open)) { + /* TODO: do the cleanup rather than just giving an error */ +- emprintf1(f->memory, +- "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n", ++ if_debug1(':', "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n", + (intptr_t)f); + return_error(gs_error_invalidfileaccess); + } else { +diff --git a/base/gxcpath.c b/base/gxcpath.c +index 437b065..a8a5504 100644 +--- a/base/gxcpath.c ++++ b/base/gxcpath.c +@@ -175,8 +175,10 @@ gx_cpath_init_contained_shared(gx_clip_path * pcpath, + { + if (shared) { + if (shared->path.segments == &shared->path.local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + *pcpath = *shared; +@@ -233,8 +235,10 @@ gx_cpath_init_local_shared_nested(gx_clip_path * pcpath, + if (shared) { + if ((shared->path.segments == &shared->path.local_segments) && + !safely_nested) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + pcpath->path = shared->path; +diff --git a/base/gxpath.c b/base/gxpath.c +index e700729..0e9dba8 100644 +--- a/base/gxpath.c ++++ b/base/gxpath.c +@@ -137,8 +137,10 @@ gx_path_init_contained_shared(gx_path * ppath, const gx_path * shared, + { + if (shared) { + if (shared->segments == &shared->local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + *ppath = *shared; +@@ -172,8 +174,10 @@ gx_path_alloc_shared(const gx_path * shared, gs_memory_t * mem, + ppath->procs = &default_path_procs; + if (shared) { + if (shared->segments == &shared->local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + gs_free_object(mem, ppath, cname); + return 0; + } +@@ -203,8 +207,10 @@ gx_path_init_local_shared(gx_path * ppath, const gx_path * shared, + { + if (shared) { + if (shared->segments == &shared->local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + *ppath = *shared; +diff --git a/base/szlibc.c b/base/szlibc.c +index 0be3338..35a2fce 100644 +--- a/base/szlibc.c ++++ b/base/szlibc.c +@@ -110,7 +110,9 @@ s_zlib_free(void *zmem, void *data) + gs_free_object(mem, data, "s_zlib_free(data)"); + for (; ; block = block->next) { + if (block == 0) { ++#ifdef DEBUG + lprintf1("Freeing unrecorded data "PRI_INTPTR"!\n", (intptr_t)data); ++#endif + return; + } + if (block->data == data) +diff --git a/devices/gdevupd.c b/devices/gdevupd.c +index 7826507..12dfbc0 100644 +--- a/devices/gdevupd.c ++++ b/devices/gdevupd.c +@@ -1040,8 +1040,13 @@ upd_print_page(gx_device_printer *pdev, gp_file *out) + */ + if(!upd || B_OK4GO != (upd->flags & (B_OK4GO | B_ERROR))) { + #if UPD_MESSAGES & (UPD_M_ERROR | UPD_M_TOPCALLS) ++#ifdef DEBUG + errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n", + (intptr_t)udev,(intptr_t) out); ++#else ++ errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n", ++ (intptr_t)udev,(intptr_t) out); ++#endif + #endif + return_error(gs_error_undefined); + } +diff --git a/devices/vector/gdevpdtb.c b/devices/vector/gdevpdtb.c +index 5c8fb8d..aacbca2 100644 +--- a/devices/vector/gdevpdtb.c ++++ b/devices/vector/gdevpdtb.c +@@ -371,7 +371,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev, pdf_base_font_t **ppbfont, + font_name.size -= SUBSET_PREFIX_SIZE; + } + } else { +- gs_snprintf(fnbuf, sizeof(fnbuf), ".F" PRI_INTPTR, (intptr_t)copied); ++ gs_snprintf(fnbuf, sizeof(fnbuf), "Anonymous"); + font_name.data = (byte *)fnbuf; + font_name.size = strlen(fnbuf); + } +diff --git a/psi/ialloc.c b/psi/ialloc.c +index d84ec00..85e36ac 100644 +--- a/psi/ialloc.c ++++ b/psi/ialloc.c +@@ -386,7 +386,7 @@ gs_free_ref_array(gs_ref_memory_t * mem, ref * parr, client_name_t cname) + size = num_refs * sizeof(ref); + break; + default: +- lprintf3("Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!", ++ if_debug3('A', "Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!", + r_type(parr), num_refs, (intptr_t)obj); + return; + } +diff --git a/psi/igc.c b/psi/igc.c +index 373cdcc..137783c 100644 +--- a/psi/igc.c ++++ b/psi/igc.c +@@ -1062,7 +1062,7 @@ gc_extend_stack(gc_mark_stack * pms, gc_state_t * pstate) + + if (cp == 0) { /* We were tracing outside collectible */ + /* storage. This can't happen. */ +- lprintf1("mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n", ++ if_debug1('6', "mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n", + (intptr_t)cptr); + gs_abort(pstate->heap); + } +@@ -1291,7 +1291,7 @@ igc_reloc_struct_ptr(const void /*obj_header_t */ *obj, gc_state_t * gcst) + + if (cp != 0 && cp->cbase <= (byte *)obj && (byte *)obj ctop) { + if (back > (cp->ctop - cp->cbase) >> obj_back_shift) { +- lprintf2("Invalid back pointer %u at "PRI_INTPTR"!\n", ++ if_debug2('6', "Invalid back pointer %u at "PRI_INTPTR"!\n", + back, (intptr_t)obj); + gs_abort(NULL); + } +diff --git a/psi/igcstr.c b/psi/igcstr.c +index 0e10f74..1bc7e7a 100644 +--- a/psi/igcstr.c ++++ b/psi/igcstr.c +@@ -152,7 +152,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst) + return false; + #ifdef DEBUG + if (ptr < cp->ctop) { +- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", ++ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", + (intptr_t)ptr, size, (intptr_t)cp->ctop, (intptr_t)cp->climit); + return false; + } else if (ptr + size > cp->climit) { /* +@@ -171,7 +171,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst) + while (ptr == scp->climit && scp->outer != 0) + scp = scp->outer; + if (ptr + size > scp->climit) { +- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", ++ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", + (intptr_t)ptr, size, + (intptr_t)scp->ctop, (intptr_t)scp->climit); + return false; +diff --git a/psi/iinit.c b/psi/iinit.c +index e347129..3371979 100644 +--- a/psi/iinit.c ++++ b/psi/iinit.c +@@ -395,8 +395,12 @@ zop_init(i_ctx_t *i_ctx_p) + if (def->proc != 0) { + code = def->proc(i_ctx_p); + if (code < 0) { ++#ifdef DEBUG + lprintf2("op_init proc "PRI_INTPTR" returned error %d!\n", + (intptr_t)def->proc, code); ++#else ++ lprintf("op_init proc returned error !\n"); ++#endif + return code; + } + } +diff --git a/psi/imainarg.c b/psi/imainarg.c +index aaf41b6..3b9efdc 100644 +--- a/psi/imainarg.c ++++ b/psi/imainarg.c +@@ -229,7 +229,8 @@ gs_main_init_with_args01(gs_main_instance * minst, int argc, char *argv[]) + if (gs_debug[':'] && !have_dumped_args) { + int i; + +- dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ", ++ if (gs_debug_c(gs_debug_flag_init_details)) ++ dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ", + (intptr_t)minst); + for (i=1; iheap, "%s ", argv[i]); +diff --git a/psi/isave.c b/psi/isave.c +index f0f3db0..d5f1448 100644 +--- a/psi/isave.c ++++ b/psi/isave.c +@@ -487,7 +487,7 @@ alloc_save_change_in(gs_ref_memory_t *mem, const ref * pcont, + else if (r_is_struct(pcont)) + cp->offset = (byte *) where - (byte *) pcont->value.pstruct; + else { +- lprintf3("Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n", ++ if_debug3('u', "Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n", + r_type(pcont), (intptr_t) pcont, (intptr_t) where); + gs_abort((const gs_memory_t *)mem); + } +diff --git a/psi/iutil.c b/psi/iutil.c +index 39a0a31..e24bbfd 100644 +--- a/psi/iutil.c ++++ b/psi/iutil.c +@@ -537,7 +537,11 @@ other: + break; + } + /* Internal operator, no name. */ ++#if DEBUG + gs_snprintf(buf, sizeof(buf), "@"PRI_INTPTR, (intptr_t) op->value.opproc); ++#else ++ gs_snprintf(buf, sizeof(buf), "@anonymous_operator", (intptr_t) op->value.opproc); ++#endif + break; + } + case t_real: +-- +2.43.0 + diff --git a/ghostscript.spec b/ghostscript.spec index c0e7fab89626fc7f6a9ce3e6baa25f74793a2621..5410cf5a7a6a945275c1584dd33cdf8055c1feaf 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,7 +9,7 @@ Name: ghostscript Version: 9.56.1 -Release: 5 +Release: 6 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ @@ -45,6 +45,14 @@ Patch106: fix-CVE-2024-29510.patch Patch107: fix-CVE-2024-33869.patch Patch108: fix-CVE-2024-33870.patch Patch109: fix-CVE-2024-33871.patch +# https://bugs.ghostscript.com/show_bug.cgi?id=707510 +# CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511 +Patch110: Bug-707510-don-t-use-strlen-on-passwords.patch +Patch111: Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch +Patch112: Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch +Patch113: Bug-707510-review-printing-of-pointers.patch +Patch114: Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch +Patch115: Bug-707510-fix-LIBIDN-usage.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -122,6 +130,13 @@ PDF files using Ghostscript and dvips %patch107 -p1 %patch108 -p1 %patch109 -p1 +%patch110 -p1 +%patch111 -p1 +%patch112 -p1 +%patch113 -p1 +%patch114 -p1 +%patch115 -p1 + # Libraries that we already have packaged(see Build Requirements): rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib @@ -215,6 +230,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Thu Jul 04 2024 zhangxianting - 9.56.1-6 +- Type:CVE +- ID:NA +- SUG:NA +- DECS: fix CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511 + * Fri May 10 2024 xuchenchen - 9.56.1-5 - Type:CVE - ID:NA