diff --git a/Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch b/Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
new file mode 100644
index 0000000000000000000000000000000000000000..80fe9817f317d74d48f31c9528f4f88d02dbff25
--- /dev/null
+++ b/Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
@@ -0,0 +1,53 @@
+From 7745dbe24514710b0cfba925e608e607dee9eb0f Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Wed, 24 Jan 2024 18:25:12 +0000
+Subject: [PATCH 3/6] Bug 707510(3): Bounds checks when using CIDFont related
+ params
+
+Specifically, for CIDFont substitution.
+---
+ pdf/ghostpdf.h | 1 +
+ pdf/pdf_font.c | 15 +++++++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/pdf/ghostpdf.h b/pdf/ghostpdf.h
+index 3cc1b8c..47c34ec 100644
+--- a/pdf/ghostpdf.h
++++ b/pdf/ghostpdf.h
+@@ -117,6 +117,7 @@ typedef enum pdf_warning_e {
+ W_PDF_INVALID_REAL,
+ W_PDF_DEVICEN_USES_ALL,
+ W_PDF_BAD_MEDIABOX,
++ W_PDF_BAD_CONFIG,
+ W_PDF_MAX_WARNING /* Must be last entry, add new warnings immediately before this and update pdf_warning_strings in ghostpdf.c */
+ } pdf_warning;
+
+diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
+index 7fa8a42..ae24629 100644
+--- a/pdf/pdf_font.c
++++ b/pdf/pdf_font.c
+@@ -166,8 +166,19 @@ pdfi_open_CIDFont_substitute_file(pdf_context * ctx, pdf_dict *font_dict, pdf_di
+ code = 0;
+
+ memcpy(fontfname, fsprefix, fsprefixlen);
+- memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
+- fontfname[fsprefixlen + defcidfallacklen] = '\0';
++ if (defcidfallacklen + 1 > gp_file_name_sizeof) {
++ code = gs_note_error(gs_error_rangecheck);
++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstPath parameter too long");
++ if (ctx->args.pdfstoponwarning != 0) {
++ return code;//goto exit;
++ }
++ code = 0;
++ memcpy(fontfname, fsprefix, fsprefixlen);
++ }
++ else {
++ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
++ fontfname[fsprefixlen + defcidfallacklen] = '\0';
++ }
+
+ code = pdfi_open_resource_file(ctx, fontfname, strlen(fontfname), &s);
+ if (code >= 0) {
+--
+2.43.0
+
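Review bot: The new length check in pdfi_open_CIDFont_substitute_file tests `defcidfallacklen + 1 > gp_file_name_sizeof`, but the copy in the else branch lands at `fontfname + fsprefixlen`, so a prefix and fallback name that together exceed the buffer still pass. Assuming fontfname holds gp_file_name_sizeof bytes (its declaration is outside the hunk), the test should be `if (fsprefixlen + defcidfallacklen + 1 > gp_file_name_sizeof) {`. In the too-long branch nothing in the hunk terminates the buffer after the repeated `memcpy(fontfname, fsprefix, fsprefixlen);`, yet the next call passes `strlen(fontfname)`; writing `fontfname[fsprefixlen] = '\0';` there, and dropping the duplicate memcpy, keeps that read in bounds. The ghostpdf.h hunk adds W_PDF_BAD_CONFIG while the enum's own comment asks for pdf_warning_strings in ghostpdf.c to be updated, and the diffstat shows this patch does not touch that file.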
diff --git a/Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch b/Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6ce85390564c525a1b74cd0a09ac7da79b24165d
--- /dev/null
+++ b/Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch
@@ -0,0 +1,95 @@
+From 3d4cfdc1a44b1969a0f14c86673a372654d443c4 Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Wed, 24 Jan 2024 17:06:01 +0000
+Subject: [PATCH 5/6] Bug 707510(5): Reject OCRLanguage changes after SAFER
+ enabled
+
+In the devices that support OCR, OCRLanguage really ought never to be set from
+PostScript, so reject attempts to change it if path_control_active is true.
+---
+ devices/gdevocr.c | 15 ++++++++++-----
+ devices/gdevpdfocr.c | 15 ++++++++++-----
+ devices/vector/gdevpdfp.c | 15 ++++++++++-----
+ 3 files changed, 30 insertions(+), 15 deletions(-)
+
+diff --git a/devices/gdevocr.c b/devices/gdevocr.c
+index 88c759c..287b74b 100644
+--- a/devices/gdevocr.c
++++ b/devices/gdevocr.c
+@@ -187,11 +187,16 @@ ocr_put_params(gx_device *dev, gs_param_list *plist)
+
+ switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
+ case 0:
+- len = langstr.size;
+- if (len >= sizeof(pdev->language))
+- len = sizeof(pdev->language)-1;
+- memcpy(pdev->language, langstr.data, len);
+- pdev->language[len] = 0;
++ if (pdev->memory->gs_lib_ctx->core->path_control_active) {
++ return_error(gs_error_invalidaccess);
++ }
++ else {
++ len = langstr.size;
++ if (len >= sizeof(pdev->language))
++ len = sizeof(pdev->language)-1;
++ memcpy(pdev->language, langstr.data, len);
++ pdev->language[len] = 0;
++ }
+ break;
+ case 1:
+ break;
+diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
+index ff60c12..0f3478a 100644
+--- a/devices/gdevpdfocr.c
++++ b/devices/gdevpdfocr.c
+@@ -50,11 +50,16 @@ pdfocr_put_some_params(gx_device * dev, gs_param_list * plist)
+
+ switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
+ case 0:
+- len = langstr.size;
+- if (len >= sizeof(pdf_dev->ocr.language))
+- len = sizeof(pdf_dev->ocr.language)-1;
+- memcpy(pdf_dev->ocr.language, langstr.data, len);
+- pdf_dev->ocr.language[len] = 0;
++ if (pdf_dev->memory->gs_lib_ctx->core->path_control_active) {
++ return_error(gs_error_invalidaccess);
++ }
++ else {
++ len = langstr.size;
++ if (len >= sizeof(pdf_dev->ocr.language))
++ len = sizeof(pdf_dev->ocr.language)-1;
++ memcpy(pdf_dev->ocr.language, langstr.data, len);
++ pdf_dev->ocr.language[len] = 0;
++ }
+ break;
+ case 1:
+ break;
+diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c
+index 42fa1c5..23e9bc8 100644
+--- a/devices/vector/gdevpdfp.c
++++ b/devices/vector/gdevpdfp.c
+@@ -458,11 +458,16 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par
+ gs_param_string langstr;
+ switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
+ case 0:
+- len = langstr.size;
+- if (len >= sizeof(pdev->ocr_language))
+- len = sizeof(pdev->ocr_language)-1;
+- memcpy(pdev->ocr_language, langstr.data, len);
+- pdev->ocr_language[len] = 0;
++ if (pdev->memory->gs_lib_ctx->core->path_control_active) {
++ return_error(gs_error_invalidaccess);
++ }
++ else {
++ len = langstr.size;
++ if (len >= sizeof(pdev->ocr_language))
++ len = sizeof(pdev->ocr_language)-1;
++ memcpy(pdev->ocr_language, langstr.data, len);
++ pdev->ocr_language[len] = 0;
++ }
+ break;
+ case 1:
+ break;
+--
+2.43.0
+
diff --git a/Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch b/Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
new file mode 100644
index 0000000000000000000000000000000000000000..25eca4a4684d896a91af1e0bf138bf9d2ec99fdb
--- /dev/null
+++ b/Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
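Review bot: The new guard in ocr_put_params returns gs_error_invalidaccess whenever OCRLanguage is present in the parameter list and path_control_active is set, even when the supplied value equals the one already stored, whereas the commit message describes rejecting changes. If any caller re-sends the current device parameters after SAFER is enabled (not visible in these hunks), that put_params call would now fail. Rejecting only a differing value avoids this, e.g. `if (pdev->memory->gs_lib_ctx->core->path_control_active && (strlen(pdev->language) != langstr.size || memcmp(pdev->language, langstr.data, langstr.size) != 0))`. The same applies to the identical blocks in pdfocr_put_some_params and gdev_pdf_put_params_impl; all three functions continue outside their hunks.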
@@ -0,0 +1,40 @@
+From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Thu, 25 Jan 2024 11:55:49 +0000
+Subject: [PATCH 2/6] Bug 707510 - don't allow PDF files with bad Filters to
+ overflow the debug buffer
+
+Item #2 of the report.
+
+Allocate a buffer to hold the filter name, instead of assuming it will
+fit in a fixed buffer.
+
+Reviewed all the other PDFDEBUG cases, no others use a fixed buffer like
+this.
+---
+ pdf/pdf_file.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/pdf/pdf_file.c b/pdf/pdf_file.c
+index 5698866..89298f0 100644
+--- a/pdf/pdf_file.c
++++ b/pdf/pdf_file.c
+@@ -773,10 +773,14 @@ static int pdfi_apply_filter(pdf_context *ctx, pdf_dict *dict, pdf_name *n, pdf_
+
+ if (ctx->args.pdfdebug)
+ {
+- char str[100];
++ char *str;
++ str = gs_alloc_bytes(ctx->memory, n->length + 1, "temp string for debug");
++ if (str == NULL)
++ return_error(gs_error_VMerror);
+ memcpy(str, (const char *)n->data, n->length);
+ str[n->length] = '\0';
+ dmprintf1(ctx->memory, "FILTER NAME:%s\n", str);
++ gs_free_object(ctx->memory, str, "temp string for debug");
+ }
+
+ if (pdfi_name_is(n, "RunLengthDecode")) {
+--
+2.43.0
+
diff --git a/Bug-707510-don-t-use-strlen-on-passwords.patch b/Bug-707510-don-t-use-strlen-on-passwords.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8bf2b373e452ab45d50338eb517aaab5e1853b3d
--- /dev/null
+++ b/Bug-707510-don-t-use-strlen-on-passwords.patch
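Review bot: In pdfi_apply_filter the debug-only branch now returns gs_error_VMerror when the temporary string cannot be allocated, so a diagnostic print can make filter setup fail, and only when pdfdebug is on. Skipping the message on allocation failure keeps behaviour the same with and without the flag: replace the `return_error(gs_error_VMerror);` path with `if (str != NULL) {` wrapped around the existing memcpy, dmprintf1 and gs_free_object lines. A short comment such as `/* n->data is not NUL terminated, so copy it before printing with %s */` would record why the copy exists. The function body continues past the hunk.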
@@ -0,0 +1,40 @@
+From 917b3a71fb20748965254631199ad98210d6c2fb Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Thu, 25 Jan 2024 11:58:22 +0000
+Subject: [PATCH 1/6] Bug 707510 - don't use strlen on passwords
+
+Item #1 of the report. This looks like an oversight when first coding
+the routine. We should use the PostScript string length, because
+PostScript strings may not be NULL terminated (and as here may contain
+internal NULL characters).
+
+Fix the R6 handler which has the same problem too.
+---
+ pdf/pdf_sec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c
+index ff60805..2bb59e1 100644
+--- a/pdf/pdf_sec.c
++++ b/pdf/pdf_sec.c
+@@ -1250,7 +1250,7 @@ static int check_password_R5(pdf_context *ctx, char *Password, int PasswordLen,
+ if (code < 0) {
+ pdf_string *P = NULL, *P_UTF8 = NULL;
+
+- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P);
++ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P);
+ if (code < 0) {
+ return code;
+ }
+@@ -1300,7 +1300,7 @@ static int check_password_R6(pdf_context *ctx, char *Password, int PasswordLen,
+ if (code < 0) {
+ pdf_string *P = NULL, *P_UTF8 = NULL;
+
+- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P);
++ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P);
+ if (code < 0)
+ return code;
+ memcpy(P->data, Password, PasswordLen);
+--
+2.43.0
+
diff --git a/Bug-707510-fix-LIBIDN-usage.patch b/Bug-707510-fix-LIBIDN-usage.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d936f2fa8fa8d9e8a9134f72ab0124ccf65da8df
--- /dev/null
+++ b/Bug-707510-fix-LIBIDN-usage.patch
@@ -0,0 +1,43 @@
+From d99396635f3d6ac6a1168e1af21a669e5c8f695f Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Thu, 25 Jan 2024 12:16:56 +0000
+Subject: [PATCH 6/6] Bug 707510 - fix LIBIDN usage
+
+This wasn't a reported fault, but it bears fixing anyway.
+
+In case of ignored errors, we need to return the input password.
+And not free the buffer if we did that....
+---
+ pdf/pdf_sec.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c
+index 841eb72..270ed32 100644
+--- a/pdf/pdf_sec.c
++++ b/pdf/pdf_sec.c
+@@ -182,8 +182,11 @@ static int apply_sasl(pdf_context *ctx, char *Password, int Len, char **NewPassw
+ * Fortunately, the stringprep error codes are sorted to make
+ * this easy: the errors we want to ignore are the ones with
+ * codes less than 100. */
+- if ((int)err < 100)
++ if ((int)err < 100) {
++ NewPassword = Password;
++ NewLen = Len;
+ return 0;
++ }
+
+ return_error(gs_error_ioerror);
+ }
+@@ -301,7 +304,8 @@ error:
+ pdfi_countdown(Key);
+ gs_free_object(ctx->memory, Test, "R5 password test");
+ #ifdef HAVE_LIBIDN
+- gs_free_object(ctx->memory, UTF8_Password, "free sasl result");
++ if (UTF8_Password != Password)
++ gs_free_object(ctx->memory, UTF8_Password, "free sasl result");
+ #endif
+ return code;
+ }
+--
+2.43.0
+
diff --git a/Bug-707510-review-printing-of-pointers.patch b/Bug-707510-review-printing-of-pointers.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8e0a44594e42d7f47e85f17a9c6d1917286b2c1d
--- /dev/null
+++ b/Bug-707510-review-printing-of-pointers.patch
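Review bot: In apply_sasl the added lines `NewPassword = Password;` and `NewLen = Len;` assign to the function's own parameters, so the caller never receives the input password; NewPassword is declared `char **` in the hunk header, so storing a `char *` in it is also a type mismatch. The out-parameters need to be written through, `*NewPassword = Password;` and `*NewLen = Len;` (assuming NewLen is an `int *`; the signature is truncated in the hunk header). Until that is done the new `if (UTF8_Password != Password)` test at the `error:` label in the second hunk cannot recognise the ignored-error case, and what reaches gs_free_object there depends on how UTF8_Password was initialised, which is outside the hunk.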
@@ -0,0 +1,334 @@ +From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 25 Jan 2024 11:53:44 +0000 +Subject: [PATCH 4/6] Bug 707510 - review printing of pointers + +This is for item 4 of the report, which is addressed by the change in +gdevpdtb.c. That change uses a fixed name for fonts which have no name +instead of using the pointer to the address of the font. + +The remaining changes are all due to reviewing the use of PRI_INTPTR. +In general we only use that for debugging purposes but there were a few +places which were printing pointers arbitrarily, even in a release build. + +We really don't want to do that so I've modified the places which were +printing pointer unconditionally so that they only do so if DEBUG is +set at compile time, or a specific debug flag is set. +--- + base/gsfont.c | 2 +- + base/gsicc_cache.c | 6 +++--- + base/gsmalloc.c | 2 +- + base/gxclmem.c | 3 +-- + base/gxcpath.c | 4 ++++ + base/gxpath.c | 6 ++++++ + base/szlibc.c | 2 ++ + devices/gdevupd.c | 5 +++++ + devices/vector/gdevpdtb.c | 2 +- + psi/ialloc.c | 2 +- + psi/igc.c | 4 ++-- + psi/igcstr.c | 4 ++-- + psi/iinit.c | 4 ++++ + psi/imainarg.c | 3 ++- + psi/isave.c | 2 +- + psi/iutil.c | 4 ++++ + 16 files changed, 40 insertions(+), 15 deletions(-) + +diff --git a/base/gsfont.c b/base/gsfont.c +index 3fcb8de..9e9863e 100644 +--- a/base/gsfont.c ++++ b/base/gsfont.c +@@ -778,7 +778,7 @@ gs_purge_font(gs_font * pfont) + else if (pdir->scaled_fonts == pfont) + pdir->scaled_fonts = next; + else { /* Shouldn't happen! */ +- lprintf1("purged font "PRI_INTPTR" not found\n", (intptr_t)pfont); ++ if_debug1m('u', pfont->memory, "purged font "PRI_INTPTR" not found\n", (intptr_t)pfont); + } + + /* Purge the font from the scaled font cache. 
*/ +diff --git a/base/gsicc_cache.c b/base/gsicc_cache.c +index ba33206..63e0348 100644 +--- a/base/gsicc_cache.c ++++ b/base/gsicc_cache.c +@@ -149,7 +149,7 @@ icc_linkcache_finalize(const gs_memory_t *mem, void *ptr) + + while (link_cache->head != NULL) { + if (link_cache->head->ref_count != 0) { +- emprintf2(mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", ++ if_debug2m(gs_debug_flag_icc, mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", + (intptr_t)link_cache->head, link_cache->head->ref_count); + link_cache->head->ref_count = 0; /* force removal */ + } +@@ -560,7 +560,7 @@ gsicc_findcachelink(gsicc_hashlink_t hash, gsicc_link_cache_t *icc_link_cache, + /* that was building it failed to be able to complete building it */ + /* this is probably a fatal error. MV ??? */ + if (curr->valid == false) { +- emprintf1(curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */ ++ if_debug1m(gs_debug_flag_icc, curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */ + } + gx_monitor_enter(icc_link_cache->lock); /* re-enter to loop and check */ + } +@@ -587,7 +587,7 @@ gsicc_remove_link(gsicc_link_t *link, const gs_memory_t *memory) + /* NOTE: link->ref_count must be 0: assert ? 
*/ + gx_monitor_enter(icc_link_cache->lock); + if (link->ref_count != 0) { +- emprintf2(memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count); ++ if_debug2m(gs_debug_flag_icc, memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count); + } + curr = icc_link_cache->head; + prev = NULL; +diff --git a/base/gsmalloc.c b/base/gsmalloc.c +index e5eae62..6e4c7f2 100644 +--- a/base/gsmalloc.c ++++ b/base/gsmalloc.c +@@ -419,7 +419,7 @@ gs_heap_resize_string(gs_memory_t * mem, byte * data, size_t old_num, size_t new + client_name_t cname) + { + if (gs_heap_object_type(mem, data) != &st_bytes) +- lprintf2("%s: resizing non-string "PRI_INTPTR"!\n", ++ if_debug2m('a', mem, "%s: resizing non-string "PRI_INTPTR"!\n", + client_name_string(cname), (intptr_t)data); + return gs_heap_resize_object(mem, data, new_num, cname); + } +diff --git a/base/gxclmem.c b/base/gxclmem.c +index 832d120..bc6cdd9 100644 +--- a/base/gxclmem.c ++++ b/base/gxclmem.c +@@ -490,8 +490,7 @@ memfile_fclose(clist_file_ptr cf, const char *fname, bool delete) + /* leaks if other users of the memfile don't 'fclose with delete=true */ + if (f->openlist != NULL || ((f->base_memfile != NULL) && f->base_memfile->is_open)) { + /* TODO: do the cleanup rather than just giving an error */ +- emprintf1(f->memory, +- "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n", ++ if_debug1(':', "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n", + (intptr_t)f); + return_error(gs_error_invalidfileaccess); + } else { +diff --git a/base/gxcpath.c b/base/gxcpath.c +index 4cec26c..b8d22d7 100644 +--- a/base/gxcpath.c ++++ b/base/gxcpath.c +@@ -172,8 +172,10 @@ gx_cpath_init_contained_shared(gx_clip_path * pcpath, + { + if (shared) { + if (shared->path.segments == &shared->path.local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n", + (intptr_t)shared); 
++#endif + return_error(gs_error_Fatal); + } + *pcpath = *shared; +@@ -230,8 +232,10 @@ gx_cpath_init_local_shared_nested(gx_clip_path * pcpath, + if (shared) { + if ((shared->path.segments == &shared->path.local_segments) && + !safely_nested) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + pcpath->path = shared->path; +diff --git a/base/gxpath.c b/base/gxpath.c +index 5bbcf5d..5e9e07a 100644 +--- a/base/gxpath.c ++++ b/base/gxpath.c +@@ -137,8 +137,10 @@ gx_path_init_contained_shared(gx_path * ppath, const gx_path * shared, + { + if (shared) { + if (shared->segments == &shared->local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + *ppath = *shared; +@@ -172,8 +174,10 @@ gx_path_alloc_shared(const gx_path * shared, gs_memory_t * mem, + ppath->procs = &default_path_procs; + if (shared) { + if (shared->segments == &shared->local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + gs_free_object(mem, ppath, cname); + return 0; + } +@@ -203,8 +207,10 @@ gx_path_init_local_shared(gx_path * ppath, const gx_path * shared, + { + if (shared) { + if (shared->segments == &shared->local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + *ppath = *shared; +diff --git a/base/szlibc.c b/base/szlibc.c +index 0be3338..35a2fce 100644 +--- a/base/szlibc.c ++++ b/base/szlibc.c +@@ -110,7 +110,9 @@ s_zlib_free(void *zmem, void *data) + gs_free_object(mem, data, "s_zlib_free(data)"); + for (; ; block = block->next) { + if (block == 0) { ++#ifdef DEBUG + lprintf1("Freeing unrecorded data "PRI_INTPTR"!\n", (intptr_t)data); ++#endif + return; + } + if (block->data == 
data) +diff --git a/devices/gdevupd.c b/devices/gdevupd.c +index 7952165..60d5755 100644 +--- a/devices/gdevupd.c ++++ b/devices/gdevupd.c +@@ -1039,8 +1039,13 @@ upd_print_page(gx_device_printer *pdev, gp_file *out) + */ + if(!upd || B_OK4GO != (upd->flags & (B_OK4GO | B_ERROR))) { + #if UPD_MESSAGES & (UPD_M_ERROR | UPD_M_TOPCALLS) ++#ifdef DEBUG + errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n", + (intptr_t)udev,(intptr_t) out); ++#else ++ errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n", ++ (intptr_t)udev,(intptr_t) out); ++#endif + #endif + return_error(gs_error_undefined); + } +diff --git a/devices/vector/gdevpdtb.c b/devices/vector/gdevpdtb.c +index 42ef43e..075c6e7 100644 +--- a/devices/vector/gdevpdtb.c ++++ b/devices/vector/gdevpdtb.c +@@ -371,7 +371,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev, pdf_base_font_t **ppbfont, + font_name.size -= SUBSET_PREFIX_SIZE; + } + } else { +- gs_sprintf(fnbuf, ".F" PRI_INTPTR, (intptr_t)copied); ++ gs_sprintf(fnbuf, "Anonymous"); + font_name.data = (byte *)fnbuf; + font_name.size = strlen(fnbuf); + } +diff --git a/psi/ialloc.c b/psi/ialloc.c +index d84ec00..85e36ac 100644 +--- a/psi/ialloc.c ++++ b/psi/ialloc.c +@@ -386,7 +386,7 @@ gs_free_ref_array(gs_ref_memory_t * mem, ref * parr, client_name_t cname) + size = num_refs * sizeof(ref); + break; + default: +- lprintf3("Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!", ++ if_debug3('A', "Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!", + r_type(parr), num_refs, (intptr_t)obj); + return; + } +diff --git a/psi/igc.c b/psi/igc.c +index 420a013..9a8f504 100644 +--- a/psi/igc.c ++++ b/psi/igc.c +@@ -1061,7 +1061,7 @@ gc_extend_stack(gc_mark_stack * pms, gc_state_t * pstate) + + if (cp == 0) { /* We were tracing outside collectible */ + /* storage. This can't happen. 
*/ +- lprintf1("mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n", ++ if_debug1('6', "mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n", + (intptr_t)cptr); + gs_abort(pstate->heap); + } +@@ -1290,7 +1290,7 @@ igc_reloc_struct_ptr(const void /*obj_header_t */ *obj, gc_state_t * gcst) + + if (cp != 0 && cp->cbase <= (byte *)obj && (byte *)obj ctop) { + if (back > (cp->ctop - cp->cbase) >> obj_back_shift) { +- lprintf2("Invalid back pointer %u at "PRI_INTPTR"!\n", ++ if_debug2('6', "Invalid back pointer %u at "PRI_INTPTR"!\n", + back, (intptr_t)obj); + gs_abort(NULL); + } +diff --git a/psi/igcstr.c b/psi/igcstr.c +index 4c4baf3..3ea13ae 100644 +--- a/psi/igcstr.c ++++ b/psi/igcstr.c +@@ -152,7 +152,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst) + return false; + #ifdef DEBUG + if (ptr - HDR_ID_OFFSET < cp->ctop) { +- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", ++ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", + (intptr_t)ptr - HDR_ID_OFFSET, size, (intptr_t)cp->ctop, (intptr_t)cp->climit); + return false; + } else if (ptr + size > cp->climit) { /* +@@ -171,7 +171,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst) + while (ptr - HDR_ID_OFFSET == scp->climit && scp->outer != 0) + scp = scp->outer; + if (ptr - HDR_ID_OFFSET + size > scp->climit) { +- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", ++ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", + (intptr_t)ptr - HDR_ID_OFFSET, size, + (intptr_t)scp->ctop, (intptr_t)scp->climit); + return false; +diff --git a/psi/iinit.c b/psi/iinit.c +index e347129..3371979 100644 +--- a/psi/iinit.c ++++ b/psi/iinit.c +@@ -395,8 +395,12 @@ zop_init(i_ctx_t *i_ctx_p) + if (def->proc != 0) { + code = def->proc(i_ctx_p); + if (code < 0) { ++#ifdef DEBUG + lprintf2("op_init proc 
"PRI_INTPTR" returned error %d!\n", + (intptr_t)def->proc, code); ++#else ++ lprintf("op_init proc returned error !\n"); ++#endif + return code; + } + } +diff --git a/psi/imainarg.c b/psi/imainarg.c +index f5fe1f3..0be2997 100644 +--- a/psi/imainarg.c ++++ b/psi/imainarg.c +@@ -229,7 +229,8 @@ gs_main_init_with_args01(gs_main_instance * minst, int argc, char *argv[]) + if (gs_debug[':'] && !have_dumped_args) { + int i; + +- dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ", ++ if (gs_debug_c(gs_debug_flag_init_details)) ++ dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ", + (intptr_t)minst); + for (i=1; iheap, "%s ", argv[i]); +diff --git a/psi/isave.c b/psi/isave.c +index f0f3db0..d5f1448 100644 +--- a/psi/isave.c ++++ b/psi/isave.c +@@ -487,7 +487,7 @@ alloc_save_change_in(gs_ref_memory_t *mem, const ref * pcont, + else if (r_is_struct(pcont)) + cp->offset = (byte *) where - (byte *) pcont->value.pstruct; + else { +- lprintf3("Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n", ++ if_debug3('u', "Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n", + r_type(pcont), (intptr_t) pcont, (intptr_t) where); + gs_abort((const gs_memory_t *)mem); + } +diff --git a/psi/iutil.c b/psi/iutil.c +index ea582e6..63d966c 100644 +--- a/psi/iutil.c ++++ b/psi/iutil.c +@@ -537,7 +537,11 @@ other: + break; + } + /* Internal operator, no name. */ ++#if DEBUG + gs_sprintf(buf, "@"PRI_INTPTR, (intptr_t) op->value.opproc); ++#else ++ gs_sprintf(buf, "@anonymous_operator", (intptr_t) op->value.opproc); ++#endif + break; + } + case t_real: +-- +2.43.0 + diff --git a/ghostscript.spec b/ghostscript.spec index 8585f07c01eadadf7c6615947ffbcda7be359dbf..58e8492b5f66307add4b2376e1ffb30aaf9ab3a9 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,7 +9,7 @@ Name: ghostscript Version: 9.55.0 -Release: 8 +Release: 9 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ 
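Review bot: The iutil.c hunk guards the pointer format with `#if DEBUG` while every other hunk in this patch uses `#ifdef DEBUG`; if DEBUG is defined with an empty value `#if DEBUG` does not compile, so `#ifdef DEBUG` is the consistent spelling. The non-debug branches in gdevupd.c and iutil.c still pass the pointer arguments although their format strings no longer have a conversion for them; `errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n");` and `gs_sprintf(buf, "@anonymous_operator");` say what is meant. In iinit.c the release message drops the error code along with the pointer, and `lprintf1("op_init proc returned error %d!\n", code);` would keep the code, which is not an address. In igc.c and isave.c the messages that precede gs_abort now go through if_debug*, so, assuming those macros print nothing in non-DEBUG builds, a release build aborts with no message at all; a fixed string without the pointer would preserve the diagnostic.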
@@ -27,6 +27,15 @@ Patch8: fix-CVE-2024-29510.patch Patch9: fix-CVE-2024-33869.patch Patch10: fix-CVE-2024-33870.patch +# https://bugs.ghostscript.com/show_bug.cgi?id=707510 +# CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511 +Patch11: Bug-707510-don-t-use-strlen-on-passwords.patch +Patch12: Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch +Patch13: Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch +Patch14: Bug-707510-review-printing-of-pointers.patch +Patch15: Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch +Patch16: Bug-707510-fix-LIBIDN-usage.patch + BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel BuildRequires: google-droid-sans-fonts urw-base35-fonts-devel @@ -186,6 +195,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Thu Jul 04 2024 zhangxianting - 9.55.0-9 +- Type:CVE +- ID:NA +- SUG:NA +- DECS: fix CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511 + * Sun May 26 2024 xuchenchen - 9.55.0-8 - Type:CVE - ID:NA