diff --git a/base/gdevpipe.c b/base/gdevpipe.c

index 96d71f5d81..752a2f1d94 100644

--- a/base/gdevpipe.c

+++ b/base/gdevpipe.c

@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access,

 #else

     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;

     gs_fs_list_t *fs = ctx->core->fs;

+    /* The pipe device can be reached in two ways, explicltly with %pipe%

+       or implicitly with "|", so we have to check for both

+     */

+    char f[gp_file_name_sizeof];

+    const char *pipestr = "|";

+    const size_t pipestrlen = strlen(pipestr);

+    int code1;

+    const size_t preflen = strlen(iodev->dname);

+    const size_t nlen = strlen(fname);

+

+    if (preflen + nlen >= gp_file_name_sizeof)

+        return_error(gs_error_invalidaccess);

+

+    memcpy(f, iodev->dname, preflen);

+    memcpy(f + preflen, fname, nlen + 1);

+

+    code1 = gp_validate_path(mem, f, access);

+

+    memcpy(f, pipestr, pipestrlen);

+    memcpy(f + pipestrlen, fname, nlen + 1);

-    if (gp_validate_path(mem, fname, access) != 0)

+    if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )

         return gs_error_invalidfileaccess;

     /*

diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c

index 2b964ed749..8d87ceadc0 100644

--- a/base/gp_mshdl.c

+++ b/base/gp_mshdl.c

@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access,

     long hfile;	/* Correct for Win32, may be wrong for Win64 */

     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;

     gs_fs_list_t *fs = ctx->core->fs;

+    char f[gp_file_name_sizeof];

+    const size_t preflen = strlen(iodev->dname);

+    const size_t nlen = strlen(fname);

-    if (gp_validate_path(mem, fname, access) != 0)

+    if (preflen + nlen >= gp_file_name_sizeof)

+        return_error(gs_error_invalidaccess);

+

+    memcpy(f, iodev->dname, preflen);

+    memcpy(f + preflen, fname, nlen + 1);

+

+    if (gp_validate_path(mem, f, access) != 0)

         return gs_error_invalidfileaccess;

     /* First we try the open_handle method. */

diff --git a/base/gp_msprn.c b/base/gp_msprn.c

index ed48279685..746a974f78 100644

--- a/base/gp_msprn.c

+++ b/base/gp_msprn.c

@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,

     uintptr_t *ptid = &((tid_t *)(iodev->state))->tid;

     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;

     gs_fs_list_t *fs = ctx->core->fs;

+    const size_t preflen = strlen(iodev->dname);

+    const size_t nlen = strlen(fname);

-    if (gp_validate_path(mem, fname, access) != 0)

+    if (preflen + nlen >= gp_file_name_sizeof)

+        return_error(gs_error_invalidaccess);

+

+    memcpy(pname, iodev->dname, preflen);

+    memcpy(pname + preflen, fname, nlen + 1);

+

+    if (gp_validate_path(mem, pname, access) != 0)

         return gs_error_invalidfileaccess;

     /* First we try the open_printer method. */

diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c

index f852c71fc8..ba54cde66f 100644

--- a/base/gp_os2pr.c

+++ b/base/gp_os2pr.c

@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,

            FILE ** pfile, char *rfname, uint rnamelen)

 {

     os2_printer_t *pr = (os2_printer_t *)iodev->state;

-    char driver_name[256];

+    char driver_name[gp_file_name_sizeof];

     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;

     gs_fs_list_t *fs = ctx->core->fs;

+    const size_t preflen = strlen(iodev->dname);

+    const int size_t = strlen(fname);

+

+    if (preflen + nlen >= gp_file_name_sizeof)

+        return_error(gs_error_invalidaccess);

+

+    memcpy(driver_name, iodev->dname, preflen);

+    memcpy(driver_name + preflen, fname, nlen + 1);

+

+    if (gp_validate_path(mem, driver_name, access) != 0)

+        return gs_error_invalidfileaccess;

     /* First we try the open_printer method. */

     /* Note that the loop condition here ensures we don't

diff --git a/base/gslibctx.c b/base/gslibctx.c

index 6dfed6cd5a..318039fad0 100644

--- a/base/gslibctx.c

+++ b/base/gslibctx.c

@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)

 int

 gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)

 {

-    char *fp, f[gp_file_name_sizeof];

-    const int pipe = 124; /* ASCII code for '|' */

-    const int len = strlen(fname);

-    int i, code;

+    char f[gp_file_name_sizeof];

+    int code;

     /* Be sure the string copy will fit */

-    if (len >= gp_file_name_sizeof)

+    if (strlen(fname) >= gp_file_name_sizeof)

         return gs_error_rangecheck;

     strcpy(f, fname);

-    fp = f;

     /* Try to rewrite any %d (or similar) in the string */

     rewrite_percent_specifiers(f);

-    for (i = 0; i < len; i++) {

-        if (f[i] == pipe) {

-           fp = &f[i + 1];

-           /* Because we potentially have to check file permissions at two levels

-              for the output file (gx_device_open_output_file and the low level

-              fopen API, if we're using a pipe, we have to add both the full string,

-              (including the '|', and just the command to which we pipe - since at

-              the pipe_fopen(), the leading '|' has been stripped.

-            */

-           code = gs_add_control_path(mem, gs_permit_file_writing, f);

-           if (code < 0)

-               return code;

-           code = gs_add_control_path(mem, gs_permit_file_control, f);

-           if (code < 0)

-               return code;

-           break;

-        }

-        if (!IS_WHITESPACE(f[i]))

-            break;

-    }

-    code = gs_add_control_path(mem, gs_permit_file_control, fp);

+

+    code = gs_add_control_path(mem, gs_permit_file_control, f);

     if (code < 0)

         return code;

-    return gs_add_control_path(mem, gs_permit_file_writing, fp);

+    return gs_add_control_path(mem, gs_permit_file_writing, f);

 }

 int

 gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)

 {

-    char *fp, f[gp_file_name_sizeof];

-    const int pipe = 124; /* ASCII code for '|' */

-    const int len = strlen(fname);

-    int i, code;

+    char f[gp_file_name_sizeof];

+    int code;

     /* Be sure the string copy will fit */

-    if (len >= gp_file_name_sizeof)

+    if (strlen(fname) >= gp_file_name_sizeof)

         return gs_error_rangecheck;

     strcpy(f, fname);

-    fp = f;

     /* Try to rewrite any %d (or similar) in the string */

-    for (i = 0; i < len; i++) {

-        if (f[i] == pipe) {

-           fp = &f[i + 1];

-           /* Because we potentially have to check file permissions at two levels

-              for the output file (gx_device_open_output_file and the low level

-              fopen API, if we're using a pipe, we have to add both the full string,

-              (including the '|', and just the command to which we pipe - since at

-              the pipe_fopen(), the leading '|' has been stripped.

-            */

-           code = gs_remove_control_path(mem, gs_permit_file_writing, f);

-           if (code < 0)

-               return code;

-           code = gs_remove_control_path(mem, gs_permit_file_control, f);

-           if (code < 0)

-               return code;

-           break;

-        }

-        if (!IS_WHITESPACE(f[i]))

-            break;

-    }

-    code = gs_remove_control_path(mem, gs_permit_file_control, fp);

+    rewrite_percent_specifiers(f);

+

+    code = gs_remove_control_path(mem, gs_permit_file_control, f);

     if (code < 0)

         return code;

-    return gs_remove_control_path(mem, gs_permit_file_writing, fp);

+    return gs_remove_control_path(mem, gs_permit_file_writing, f);

 }

 int

-- 

2.17.1