From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 23 Aug 2018 13:13:25 +0000 (+0100)
Subject: Bug 699661: Avoid sharing pointers between pdf14 compositors
Bug 699661: Avoid sharing pointers between pdf14 compositors
If a copdevice is triggered when the pdf14 compositor is the device, we make
a copy of the device, then throw an error because, by default we're only allowed
to copy the device prototype - then freeing it calls the finalize, which frees
several pointers shared with the parent.
Make a pdf14 specific finish_copydevice() which NULLs the relevant pointers,
before, possibly, throwing the same error as the default method.
This also highlighted a problem with reopening the X11 devices, where a custom
error handler could be replaced with itself, meaning it also called itself,
and infinite recursion resulted.
Keep a note of if the handler replacement has been done, and don't do it a
second time.
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c432131c3fdb2143e148e8ba88555f7f7a63b25e
---
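--- a/ghostscript-9.07/base/gdevp14.c
+++ b/ghostscript-9.07/base/gdevp14.c
@@ -176,6 +176,7 @@ static dev_proc_fill_mask(pdf14_fill_mas
 static dev_proc_stroke_path(pdf14_stroke_path);
 static dev_proc_begin_typed_image(pdf14_begin_typed_image);
 static dev_proc_text_begin(pdf14_text_begin);
+static dev_proc_finish_copydevice(pdf14_finish_copydevice);
 static dev_proc_create_compositor(pdf14_create_compositor);
 static dev_proc_create_compositor(pdf14_forward_create_compositor);
 static dev_proc_begin_transparency_group(pdf14_begin_transparency_group);
@@ -246,7 +247,7 @@ static const gx_color_map_procs *
 pdf14_create_compositor, /* create_compositor */\
 NULL, /* get_hardware_params */\
 pdf14_text_begin, /* text_begin */\
- NULL, /* finish_copydevice */\
+ pdf14_finish_copydevice, /* finish_copydevice */\
 pdf14_begin_transparency_group,\
 pdf14_end_transparency_group,\
 pdf14_begin_transparency_mask,\
@@ -3217,6 +3218,19 @@ pdf14_text_begin(gx_device * dev, gs_ima
 return code;
 }
 
+static int
+pdf14_finish_copydevice(gx_device *new_dev, const gx_device *from_dev)
+{
+ pdf14_device *pdev = (pdf14_device*)new_dev;
+
+ pdev->ctx = NULL;
+ pdev->trans_group_parent_cmap_procs = NULL;
+ pdev->smaskcolor = NULL;
+
+ /* Only allow copying the prototype. */
+ return (from_dev->memory ? gs_note_error(gs_error_rangecheck) : 0);
+}
+
 /*
 * Implement copy_mono by filling lots of small rectangles.
 */
@@ -7499,6 +7513,7 @@ c_pdf14trans_clist_read_update(gs_compos
 before reopening the device */
 if (p14dev->ctx != NULL) {
 pdf14_ctx_free(p14dev->ctx);
+ p14dev->ctx = NULL;
 }
 dev_proc(tdev, open_device) (tdev);
 }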
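Review bot: pdf14_finish_copydevice() clears `ctx`, `trans_group_parent_cmap_procs` and `smaskcolor` on the copy with no comment saying why, so nothing in the new code ties this list to what the finalizer actually frees. In this ghostscript-9.07 backport of the CVE-2018-16540 fix I would add a comment above the three assignments, for example `/* new_dev is a copy of from_dev: drop the pointers it shares with the parent so finalizing the copy cannot free them; keep in sync with the pdf14 finalize routine */`. The finalize routine is outside the visible hunks, so whether these three members are the complete set of shared pointers should be confirmed against it. The same reasoning applies to the `p14dev->ctx = NULL;` added after `pdf14_ctx_free()` in c_pdf14trans_clist_read_update(), whose body also continues outside its hunk.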
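--- a/ghostscript-9.07/base/gdevxini.c
+++ b/ghostscript-9.07/base/gdevxini.c
@@ -59,7 +59,8 @@ static struct xv_ {
 Boolean alloc_error;
 XErrorHandler orighandler;
 XErrorHandler oldhandler;
-} x_error_handler;
+ Boolean set;
+} x_error_handler = {0};
 
 static int
 x_catch_alloc(Display * dpy, XErrorEvent * err)
@@ -74,7 +75,8 @@ x_catch_alloc(Display * dpy, XErrorEvent
 int
 x_catch_free_colors(Display * dpy, XErrorEvent * err)
 {
- if (err->request_code == X_FreeColors)
+ if (err->request_code == X_FreeColors ||
+ x_error_handler.orighandler == x_catch_free_colors)
 return 0;
 return x_error_handler.orighandler(dpy, err);
 }
@@ -274,8 +276,10 @@ gdev_x_open(gx_device_X * xdev)
 return_error(gs_error_ioerror);
 }
 /* Buggy X servers may cause a Bad Access on XFreeColors. */
- x_error_handler.orighandler = XSetErrorHandler(x_catch_free_colors);
-
+ if (!x_error_handler.set) {
+ x_error_handler.orighandler = XSetErrorHandler(x_catch_free_colors);
+ x_error_handler.set = True;
+ }
 /* Get X Resources. Use the toolkit for this. */
 XtToolkitInitialize();
 app_con = XtCreateApplicationContext();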
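Review bot: The extra test in x_catch_free_colors(), `x_error_handler.orighandler == x_catch_free_colors`, returns 0 for every request code once it is true, so in that state all X errors are dropped rather than only the X_FreeColors one. A comment such as `/* handler was installed over itself: swallow the error instead of recursing */` would make that trade-off visible. Separately, `x_error_handler.set` is set to True in gdev_x_open() and none of the visible hunks clears it. If a close path elsewhere in the file restores `orighandler` (not shown here), it should also reset `set`, otherwise a later open would skip reinstalling the handler. Both functions continue outside their hunks.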