Blame SOURCES/ghostscript-cve-2017-8291.patch

cd3fc1
From 3a0439ded9a206060f560bd6784942adeab759ff Mon Sep 17 00:00:00 2001
b53da0
From: Chris Liddell <chris.liddell@artifex.com>
b53da0
Date: Thu, 27 Apr 2017 13:03:33 +0100
b53da0
Subject: [PATCH 1/4] Bug 697799: have .eqproc check its parameters
b53da0
b53da0
The Ghostscript custom operator .eqproc was not checking the number or type of
b53da0
the parameters it was given.
b53da0
---
b53da0
 psi/zmisc3.c | 6 ++++++
b53da0
 1 file changed, 6 insertions(+)
b53da0
b53da0
diff --git a/psi/zmisc3.c b/psi/zmisc3.c
b53da0
index 54b3042..0d357f1 100644
b53da0
--- a/psi/zmisc3.c
b53da0
+++ b/psi/zmisc3.c
b53da0
@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
b53da0
     ref2_t stack[MAX_DEPTH + 1];
b53da0
     ref2_t *top = stack;
b53da0
 
b53da0
+    if (ref_stack_count(&o_stack) < 2)
b53da0
+        return_error(e_stackunderflow);
b53da0
+    if (!r_is_array(op - 1) || !r_is_array(op)) {
b53da0
+        return_error(e_typecheck);
b53da0
+    }
b53da0
+
b53da0
     make_array(&stack[0].proc1, 0, 1, op - 1);
b53da0
     make_array(&stack[0].proc2, 0, 1, op);
b53da0
     for (;;) {
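Review bot: The two new guards at the top of zeqproc are braced differently (the stack-depth `if` has no braces, the type `if` wraps a single statement in them), and neither says why it is there. I would brace both and add a one-line comment such as `/* validate operand count and type before the refs are copied and walked as arrays */`, because the make_array calls directly below read `op - 1` and `op` with no further check visible in this hunk. The comparison loop that starts at `for (;;)` continues outside the hunk.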
b53da0
-- 
b53da0
2.9.3
b53da0
b53da0
cd3fc1
From 9040e08c62422937c27fa5179657fbe3690809f3 Mon Sep 17 00:00:00 2001
b53da0
From: Chris Liddell <chris.liddell@artifex.com>
b53da0
Date: Thu, 27 Apr 2017 13:21:31 +0100
b53da0
Subject: [PATCH 2/4] Bug 697799: have .rsdparams check its parameters
b53da0
b53da0
The Ghostscript internal operator .rsdparams wasn't checking the number or
b53da0
type of the operands it was being passed. Do so.
b53da0
---
b53da0
 psi/zfrsd.c | 22 +++++++++++++++-------
b53da0
 1 file changed, 15 insertions(+), 7 deletions(-)
b53da0
b53da0
diff --git a/psi/zfrsd.c b/psi/zfrsd.c
b53da0
index fb4bce9..2629afa 100644
b53da0
--- a/psi/zfrsd.c
b53da0
+++ b/psi/zfrsd.c
b53da0
@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
b53da0
     ref *pFilter;
b53da0
     ref *pDecodeParms;
b53da0
     int Intent = 0;
b53da0
-    bool AsyncRead;
b53da0
+    bool AsyncRead = false;
b53da0
     ref empty_array, filter1_array, parms1_array;
b53da0
     uint i;
b53da0
-    int code;
b53da0
+    int code = 0;
b53da0
+
b53da0
+    if (ref_stack_count(&o_stack) < 1)
b53da0
+        return_error(e_stackunderflow);
b53da0
+    if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
b53da0
+        return_error(e_typecheck);
b53da0
+    }
b53da0
 
b53da0
     make_empty_array(&empty_array, a_readonly);
b53da0
-    if (dict_find_string(op, "Filter", &pFilter) > 0) {
b53da0
+    if (r_has_type(op, t_dictionary)
b53da0
+        && dict_find_string(op, "Filter", &pFilter) > 0) {
b53da0
         if (!r_is_array(pFilter)) {
b53da0
             if (!r_has_type(pFilter, t_name))
b53da0
                 return_error(e_typecheck);
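Review bot: Accepting a null operand adds a path on which the dictionary lookups never write `pFilter` or `pDecodeParms`, yet both are still declared without an initialiser at the top of this hunk while `AsyncRead` and `code` gained one. Presumably an `else` branch outside the hunk assigns a fallback, but that is not visible here; `ref *pFilter = NULL;` and `ref *pDecodeParms = NULL;` would make any missed path a null dereference that is easy to diagnose rather than a read through an indeterminate pointer. The `r_has_type(op, t_dictionary)` test is also repeated at each later dictionary access in zrsdparams, so a local `const bool is_dict = r_has_type(op, t_dictionary);` would state the intent once.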
b53da0
@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
b53da0
                 return_error(e_typecheck);
b53da0
         }
b53da0
     }
b53da0
-    code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
b53da0
+    if (r_has_type(op, t_dictionary))
b53da0
+        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
b53da0
     if (code < 0 && code != e_rangecheck) /* out-of-range int is ok, use 0 */
b53da0
         return code;
b53da0
-    if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
b53da0
-        )
b53da0
-        return code;
b53da0
+    if (r_has_type(op, t_dictionary))
b53da0
+        if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
b53da0
+            return code;
b53da0
     push(1);
b53da0
     op[-1] = *pFilter;
b53da0
     if (pDecodeParms)
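Review bot: The null-operand path through this hunk only works because `code` was initialised to 0 in the declarations, so the unguarded `if (code < 0 && code != e_rangecheck)` tests a value that no call produced. The AsyncRead lookup is also written as an unbraced `if` nested inside an unbraced `if`. Grouping both lookups and their error checks under one braced dictionary test keeps each check next to its call and removes the dependence on the initialiser. zrsdparams begins before and continues after the hunk.

```c
    if (r_has_type(op, t_dictionary)) {
        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
        if (code < 0 && code != e_rangecheck) /* out-of-range int is ok, use 0 */
            return code;
        code = dict_bool_param(op, "AsyncRead", false, &AsyncRead);
        if (code < 0)
            return code;
    }
    /* … unchanged: push(1) and the stores of *pFilter / pDecodeParms … */
```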
b53da0
-- 
b53da0
2.9.3
b53da0
b53da0
cd3fc1
From ba6c38c25e8c0ece91c47d96578f3f7a0e6c4e6c Mon Sep 17 00:00:00 2001
b53da0
From: Chris Liddell <chris.liddell@artifex.com>
b53da0
Date: Wed, 3 May 2017 12:05:45 +0100
b53da0
Subject: [PATCH 3/4] Bug 697846: revision to commit 4f83478c88 (.eqproc)
b53da0
b53da0
When using the "DELAYBIND" feature, it turns out that .eqproc can be called with
b53da0
parameters that are not both procedures. In this case, it turns out, the
b53da0
expectation is for the operator to return 'false', rather than throw an error.
b53da0
---
b53da0
 psi/zmisc3.c | 15 +++++++++++++--
b53da0
 1 file changed, 13 insertions(+), 2 deletions(-)
b53da0
b53da0
diff --git a/psi/zmisc3.c b/psi/zmisc3.c
b53da0
index 0d357f1..9042908 100644
b53da0
--- a/psi/zmisc3.c
b53da0
+++ b/psi/zmisc3.c
b53da0
@@ -38,6 +38,15 @@ zcliprestore(i_ctx_t *i_ctx_p)
b53da0
     return gs_cliprestore(igs);
b53da0
 }
b53da0
 
b53da0
+static inline bool
b53da0
+eqproc_check_type(ref *r)
b53da0
+{
b53da0
+    return r_has_type(r, t_array)
b53da0
+           || r_has_type(r, t_mixedarray)
b53da0
+           || r_has_type(r, t_shortarray)
b53da0
+           || r_has_type(r, t_oparray);
b53da0
+}
b53da0
+
b53da0
 /* <proc1> <proc2> .eqproc <bool> */
b53da0
 /*
b53da0
  * Test whether two procedures are equal to depth 10.
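Review bot: eqproc_check_type has no comment, and its name does not say what it returns true for, so a reader has to map the four type tags back to the operator's contract. I would add `/* True if r is one of the array types (array, mixedarray, shortarray, oparray) that .eqproc accepts as a procedure operand. */` above it. Assuming r_has_type only reads the ref, the parameter can also be `const ref *r`. The operator comment that follows the helper runs past the end of this hunk.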
b53da0
@@ -58,8 +67,10 @@ zeqproc(i_ctx_t *i_ctx_p)
b53da0
 
b53da0
     if (ref_stack_count(&o_stack) < 2)
b53da0
         return_error(e_stackunderflow);
b53da0
-    if (!r_is_array(op - 1) || !r_is_array(op)) {
b53da0
-        return_error(e_typecheck);
b53da0
+    if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) {
b53da0
+        make_false(op - 1);
b53da0
+        pop(1);
b53da0
+        return 0;
b53da0
     }
b53da0
 
b53da0
     make_array(&stack[0].proc1, 0, 1, op - 1);
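Review bot: The new branch that returns `false` for a non-array operand has no comment, and the `<proc1> <proc2> .eqproc <bool>` header above zeqproc still reads as if both operands are always procedures. A line at the branch such as `/* Operands that are not array types compare as false rather than raising typecheck (relied on by DELAYBIND). */` would record that this is intentional. That protects against a later cleanup turning it back into an error or dropping the guard that sits ahead of make_array. `op -1` in the condition should also be spaced `op - 1`, like the other uses in this hunk.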
b53da0
-- 
b53da0
2.9.3
b53da0
b53da0
cd3fc1
From ae3fdbd05b0e654273402e7391288a091a1c0a9e Mon Sep 17 00:00:00 2001
b53da0
From: Chris Liddell <chris.liddell@artifex.com>
b53da0
Date: Thu, 11 May 2017 14:07:48 +0100
b53da0
Subject: [PATCH 4/4] Bug 697892: fix check for op stack underflow.
b53da0
b53da0
In the original fix, I used the wrong method to check for stack underflow, this
b53da0
is using the correct method.
b53da0
---
b53da0
 psi/zfrsd.c  | 3 +--
cd3fc1
 psi/zmisc3.c | 3 +--
cd3fc1
 2 files changed, 2 insertions(+), 4 deletions(-)
b53da0
b53da0
diff --git a/psi/zfrsd.c b/psi/zfrsd.c
b53da0
index 2629afa..fd9872e 100644
b53da0
--- a/psi/zfrsd.c
b53da0
+++ b/psi/zfrsd.c
b53da0
@@ -54,8 +54,7 @@ zrsdparams(i_ctx_t *i_ctx_p)
b53da0
     uint i;
b53da0
     int code = 0;
b53da0
 
b53da0
-    if (ref_stack_count(&o_stack) < 1)
b53da0
-        return_error(e_stackunderflow);
b53da0
+    check_op(1);
b53da0
     if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
b53da0
         return_error(e_typecheck);
b53da0
     }
b53da0
diff --git a/psi/zmisc3.c b/psi/zmisc3.c
cd3fc1
index 9042908..43803b5 100644
b53da0
--- a/psi/zmisc3.c
b53da0
+++ b/psi/zmisc3.c
cd3fc1
@@ -65,8 +65,7 @@ zeqproc(i_ctx_t *i_ctx_p)
cd3fc1
     ref2_t stack[MAX_DEPTH + 1];
cd3fc1
     ref2_t *top = stack;
b53da0
 
cd3fc1
-    if (ref_stack_count(&o_stack) < 2)
cd3fc1
-        return_error(e_stackunderflow);
b53da0
+    check_op(2);
b53da0
     if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) {
b53da0
         make_false(op - 1);
b53da0
         pop(1);
b53da0
-- 
b53da0
2.9.3
b53da0