From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 23 Aug 2018 14:41:18 +0000 (+0100)
Subject: Bug 699664: Ensure the correct is in place before cleanup
Bug 699664: Ensure the correct is in place before cleanup
If the PS job replaces the device and leaves that graphics state in place, we
wouldn't cleanup the default device in the normal way, but rely on the garbage
collector.
This works (but isn't ideal), *except* when the job replaces the device with
the null device (using the nulldevice operator) - this means that
.uninstallpagedevice doesn't replace the existing device with the nulldevice
(since it is already installed), the device from the graphics state ends up being
freed - and as it is the nulldevice, which we rely on, memory corruption
and a segfault can happen.
We avoid this by checking if the current device is the nulldevice, and if so,
restoring it away, before continuing with the device cleanup.
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=241d91112771a6104de10b3948c3f350d6690c1d
---
diff -up ghostscript-9.07/psi/imain.c.cve-2018-16541 ghostscript-9.07/psi/imain.c
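--- ghostscript-9.07/psi/imain.c.cve-2018-16541 2018-11-29 15:54:54.640496328 +0100
+++ ghostscript-9.07/psi/imain.c 2018-11-29 15:56:00.652563801 +0100
@@ -846,6 +846,16 @@ gs_main_finit(gs_main_instance * minst,
 i_ctx_p = minst->i_ctx_p; /* interp_reclaim could change it. */
 }
 #ifndef PSI_INCLUDED
+ if (i_ctx_p->pgs != NULL && i_ctx_p->pgs->device != NULL &&
+ gx_device_is_null(i_ctx_p->pgs->device)) {
+ /* if the job replaced the device with the nulldevice, we we need to grestore
+ away that device, so the block below can properly dispense
+ with the default device.
+ */
+ int code = gs_grestoreall(i_ctx_p->pgs);
+ if (code < 0) return_error(gs_error_Fatal);
+ }
+
 if (i_ctx_p->pgs != NULL && i_ctx_p->pgs->device != NULL) {
 gx_device *pdev = i_ctx_p->pgs->device;
 const char * dname = pdev->dname;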
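Review bot: The early `return_error(gs_error_Fatal)` after `gs_grestoreall()` leaves gs_main_finit before the device-cleanup block that follows, so a failed grestoreall skips the rest of teardown and replaces the original error code with a generic one. That may be a deliberate fail-closed choice for this memory-corruption fix (the patch name cites CVE-2018-16541), but it deserves a comment saying so, e.g. `/* cannot safely free devices if grestoreall failed; abandon cleanup */`. The block-local `int code` may shadow a `code` already in scope; the function signature is cut off in the hunk header, so this is unconfirmed, but a distinct name such as `int gr_code = gs_grestoreall(i_ctx_p->pgs);` would rule it out. The added comment also has a doubled word (`we we need`). The body of gs_main_finit starts and ends outside the hunk.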