rpms / ghostscript

Clone
Source Code
GIT

Blame SOURCES/ghostscript-cve-2018-19134.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8-containeronly-stream-flatpak c8s c9 c9-beta
  1.   7c5933b6b6b1ded380197f75466cc9fc20f72cb5
  2.   SOURCES
  3.   ghostscript-cve-2018-19134.patch
Blob History Raw
1164f7 
From: Ken Sharp <ken.sharp@artifex.com>
1164f7 
Date: Thu, 8 Nov 2018 14:43:32 +0000 (+0000)
1164f7 
Subject: PS interpreter - check the Implementation of a Pattern before use
1164f7
1164f7 
PS interpreter - check the Implementation of a Pattern before use
1164f7
1164f7 
Bug #700141 "Type confusion in setpattern"
1164f7
1164f7 
As the bug thread says, we were not checking that the Implementation
1164f7 
of a pattern dictionary was a structure type, leading to a crash when
1164f7 
we tried to treat it as one.
1164f7
1164f7 
Here we make the st_pattern1_instance and st_pattern2_instance
1164f7 
structures public definitions and in zsetcolor we check the object
1164f7 
stored under the Implementation key in the supplied dictionary to see if
1164f7 
its a t_struct or t_astruct type, and if it is that its a
1164f7 
st_pattern1_instance or st_pattern2_instance structure.
1164f7
1164f7 
If either check fails we throw a typecheck error.
1164f7
1164f7 
We need to make the st_pattern1_instance and st_pattern2_instance
1164f7 
definitions public as they are defined in the graphics library and we
1164f7 
need to check in the interpreter.
1164f7
1164f7 
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=693baf02152119af6e6afd30bb8ec76d14f84bbf
1164f7 
---
1164f7
1164f7 
diff -up ghostscript-9.07/base/gsptype1.c.cve-2018-19134 ghostscript-9.07/base/gsptype1.c
1164f7 
--- ghostscript-9.07/base/gsptype1.c.cve-2018-19134	2018-12-06 14:24:51.562580221 +0100
1164f7 
+++ ghostscript-9.07/base/gsptype1.c	2018-12-06 14:25:19.570310740 +0100
1164f7 
@@ -50,7 +50,7 @@
1164f7
1164f7 
 /* GC descriptors */
1164f7 
 private_st_pattern1_template();
1164f7 
-private_st_pattern1_instance();
1164f7 
+public_st_pattern1_instance();
1164f7
1164f7 
 /* GC procedures */
1164f7 
 static ENUM_PTRS_BEGIN(pattern1_instance_enum_ptrs) {
1164f7 
diff -up ghostscript-9.07/base/gsptype2.c.cve-2018-19134 ghostscript-9.07/base/gsptype2.c
1164f7 
--- ghostscript-9.07/base/gsptype2.c.cve-2018-19134	2018-12-06 14:25:51.442004068 +0100
1164f7 
+++ ghostscript-9.07/base/gsptype2.c	2018-12-06 14:27:26.160092718 +0100
1164f7 
@@ -33,7 +33,7 @@
1164f7
1164f7 
 /* GC descriptors */
1164f7 
 private_st_pattern2_template();
1164f7 
-private_st_pattern2_instance();
1164f7 
+public_st_pattern2_instance();
1164f7
1164f7 
 /* GC procedures */
1164f7 
 static ENUM_PTRS_BEGIN(pattern2_instance_enum_ptrs) {
1164f7 
@@ -208,7 +208,7 @@ gs_pattern2_set_color(const gs_client_co
1164f7
1164f7 
     num_comps = pgs->device->color_info.num_components;
1164f7 
     for (k = 0; k < num_comps; k++) {
1164f7 
-        pgs->color_component_map.color_map[k] =
1164f7 
+        pgs->color_component_map.color_map[k] =
1164f7 
             pinst->saved->color_component_map.color_map[k];
1164f7 
     }
1164f7 
     code = pcs->type->set_overprint(pcs, pgs);
1164f7 
diff -up ghostscript-9.07/base/gsptype2.h.cve-2018-19134 ghostscript-9.07/base/gsptype2.h
1164f7 
--- ghostscript-9.07/base/gsptype2.h.cve-2018-19134	2018-12-06 14:28:16.159611632 +0100
1164f7 
+++ ghostscript-9.07/base/gsptype2.h	2018-12-06 14:28:53.499252361 +0100
1164f7 
@@ -57,8 +57,8 @@ typedef struct gs_pattern2_instance_s {
1164f7 
     bool shfill;
1164f7 
 } gs_pattern2_instance_t;
1164f7
1164f7 
-#define private_st_pattern2_instance() /* in gsptype2.c */\
1164f7 
-  gs_private_st_composite(st_pattern2_instance, gs_pattern2_instance_t,\
1164f7 
+#define public_st_pattern2_instance() /* in gsptype2.c */\
1164f7 
+  gs_public_st_composite(st_pattern2_instance, gs_pattern2_instance_t,\
1164f7 
     "gs_pattern2_instance_t", pattern2_instance_enum_ptrs,\
1164f7 
     pattern2_instance_reloc_ptrs)
1164f7
1164f7 
diff -up ghostscript-9.07/base/gxcolor2.h.cve-2018-19134 ghostscript-9.07/base/gxcolor2.h
1164f7 
--- ghostscript-9.07/base/gxcolor2.h.cve-2018-19134	2018-12-06 14:29:16.623029864 +0100
1164f7 
+++ ghostscript-9.07/base/gxcolor2.h	2018-12-06 14:29:49.115717229 +0100
1164f7 
@@ -92,8 +92,8 @@ struct gs_pattern1_instance_s {
1164f7 
     gx_bitmap_id id;		/* key for cached bitmap (= id of mask) */
1164f7 
 };
1164f7
1164f7 
-#define private_st_pattern1_instance() /* in gsptype1.c */\
1164f7 
-  gs_private_st_composite(st_pattern1_instance, gs_pattern1_instance_t,\
1164f7 
+#define public_st_pattern1_instance() /* in gsptype1.c */\
1164f7 
+  gs_public_st_composite(st_pattern1_instance, gs_pattern1_instance_t,\
1164f7 
     "gs_pattern1_instance_t", pattern1_instance_enum_ptrs,\
1164f7 
     pattern1_instance_reloc_ptrs)
1164f7
1164f7 
diff -up ghostscript-9.07/psi/zcolor.c.cve-2018-19134 ghostscript-9.07/psi/zcolor.c
1164f7 
--- ghostscript-9.07/psi/zcolor.c.cve-2018-19134	2018-12-06 14:30:27.229350513 +0100
1164f7 
+++ ghostscript-9.07/psi/zcolor.c	2018-12-06 14:31:52.650528604 +0100
1164f7 
@@ -57,6 +57,8 @@
1164f7
1164f7 
 /* imported from gsht.c */
1164f7 
 extern  void    gx_set_effective_transfer(gs_state *);
1164f7 
+extern_st(st_pattern1_instance);
1164f7 
+extern_st(st_pattern2_instance);
1164f7
1164f7 
 /* Essential forward declarations */
1164f7 
 static int validate_spaces(i_ctx_t *i_ctx_p, ref *arr, int *depth);
1164f7 
@@ -283,6 +285,9 @@ zsetcolor(i_ctx_t * i_ctx_p)
1164f7 
             code = array_get(imemory, pImpl, 0, &pPatInst);
1164f7 
             if (code < 0)
1164f7 
                 return code;
1164f7 
+                if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
1164f7 
+                    return_error(gs_error_typecheck);
1164f7 
+
1164f7 
             cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
1164f7 
             n_numeric_comps = ( pattern_instance_uses_base_space(cc.pattern)
1164f7 
                                   ? n_comps - 1

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation