From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 14 Nov 2018 09:50:08 +0000 (+0000)
Subject: Bug 700176: check the *output* device for LockSafetyParams

Bug 700176: check the *output* device for LockSafetyParams

When calling .setdevice we were checking if LockSafetyParams was set, and if so
throwing an invalidaccess error.

The problem is, if another device, for example the pdf14 compositor is the 'top'
device, that does not (and cannot) honour LockSafetyParams.

To solve this, we'll now use the (relatively new) gxdso_current_output_device
spec_op to retrieve the *actual* output device, and check the LockSafetyParams
flag in that.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=661e8d8fb8248c38d67958beda32f3a5876d0c3f

From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 14 Nov 2018 21:04:46 +0000 (+0000)
Subject: Bug 700176: Use the actual output device for both devices in setdevice

Bug 700176: Use the actual output device for both devices in setdevice

Also fixes bug 700189.

The pdf14 compositor device, despite being a forwarding device, does not forward
all spec_ops to its target, only a select few are special cased for that.
gxdso_current_output_device needs to be included in those special cases.

The original commit (661e8d8fb8248) changed the code to use the spec_op to
retrieve the output device, checking that for LockSafetyParams. If
LockSafetyParams is set, it returns an invalidaccess error if the new device
differs from the current device.

When we do the comparison between the two devices, we need to check the
output device in both cases.

This is complicated by the fact that the new device may not have ever been set
(and thus fully initialised), and may not have a spec_op method available at
that point.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ea1b3ef437f39e45874f821c06bd953196625ac5

From: Chris Liddell <chris.liddell@artifex.com>
Date: Mon, 17 Sep 2018 13:06:12 +0000 (+0100)
Subject: Implement .currentoutputdevice operator

Implement .currentoutputdevice operator

The currentdevice operator returns the device currently installed in the
graphics state. This can be the output/page device, but also could be a
forwarding device (bbox device), compositor (pdf14) or subclass device
(erasepage optimisation, First/Last page etc).

In certain circumstances (for example during a setpagedevice) we want to be
sure we're retrieving the *actual* output/page device.

The new .currentoutputdevice operator uses the spec_op device method to traverse
any chain of devices and retrieve the final device in the chain, which
should always be the output/page device.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7c3e7eee829cc3d2582e4aa7ae1fd495ca72cef1

From: Ken Sharp <ken.sharp@artifex.com>
Date: Mon, 19 Nov 2018 09:00:54 +0000 (+0000)
Subject: Coverity ID 327264 - move pointer NULL check

Coverity ID 327264 - move pointer NULL check

Due to recent changes in this code, the pointer was being dereferenced
before we checked it to see if it was NULL. Move the check so that we
check for NULL before dereferencing.

The 'pvalue' of the operand can be NULL, even if the object is a t_device
type, because invalidate_stack_devices traverses the operand stack
looking for devices, and sets their pvalue member to NULL in order to
invalidate them so that they cannot be used.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a4228a0d8d657fca3bb3becb93a43fae061beae8
---

diff -up ghostscript-9.07/base/gdevdflt.c.cve-2018-19409 ghostscript-9.07/base/gdevdflt.c
--- ghostscript-9.07/base/gdevdflt.c.cve-2018-19409	2013-02-14 08:58:13.000000000 +0100
+++ ghostscript-9.07/base/gdevdflt.c	2018-11-29 12:42:59.882160045 +0100
@@ -954,6 +954,11 @@ gx_default_dev_spec_op(gx_device *pdev,
                 return 4;
             }
             return 0; /* Otherwise no change */
+        case gxdso_current_output_device:
+            {
+                *(gx_device **)data = pdev;
+                return 0;
+            }
     }
     return gs_error_undefined;
 }
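Review bot: the new `gxdso_current_output_device` case in `gx_default_dev_spec_op` stores through `data` without checking it for NULL, and it reports `pdev` itself as the output device. Any forwarding or subclass device whose own `dev_spec_op` ends in a call to this default, rather than passing the op to its target, will therefore name itself as the output device, and the `LockSafetyParams` test in `zsetdevice` will read the wrong device. The pdf14 hunk in this patch covers one such device; please state which other forwarding devices were checked, and guard the store against a NULL `data`.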
diff -up ghostscript-9.07/base/gdevp14.c.cve-2018-19409 ghostscript-9.07/base/gdevp14.c
--- ghostscript-9.07/base/gdevp14.c.cve-2018-19409	2018-11-29 12:42:59.784161429 +0100
+++ ghostscript-9.07/base/gdevp14.c	2018-11-29 13:15:49.265339432 +0100
@@ -5089,6 +5089,11 @@ pdf14_dev_spec_op(gx_device *pdev, int d
             return 0;
         }
     }
+    if (dev_spec_op == gxdso_current_output_device) {
+         gx_device * target = ((gx_device_forward *)pdev)->target;
+         return dev_proc(target, dev_spec_op)(target, dev_spec_op, data, size);
+    }
+
     return gx_default_dev_spec_op(pdev, dev_spec_op, data, size);
 }
 
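Review bot: in the added `gxdso_current_output_device` branch of `pdf14_dev_spec_op`, `target` is read from the forwarding device and used at once in `dev_proc(target, dev_spec_op)(target, dev_spec_op, data, size)` with no NULL check. If the compositor can exist without a target, fall back to `gx_default_dev_spec_op(pdev, dev_spec_op, data, size)` when `target` is NULL. The two added body lines are also indented by nine spaces where the surrounding code uses eight.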
diff -up ghostscript-9.07/base/gxdevsop.h.cve-2018-19409 ghostscript-9.07/base/gxdevsop.h
--- ghostscript-9.07/base/gxdevsop.h.cve-2018-19409	2013-02-14 08:58:13.000000000 +0100
+++ ghostscript-9.07/base/gxdevsop.h	2018-11-29 12:42:59.884160017 +0100
@@ -253,6 +253,10 @@ enum {
      * Return 0 for 'no special treatment', or 1 for the anitdropout
      * downscaler. */
     gxdso_interpolate_antidropout,
+    /* Retrieve the last device in a device chain
+       (either forwarding or subclass devices).
+     */
+    gxdso_current_output_device,
     /* Add new gxdso_ keys above this. */
     gxdso_pattern__LAST
 };
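Review bot: the comment for `gxdso_current_output_device` does not state the calling contract. The callers in this patch pass the address of a `gx_device *` as `data` and 0 as `size`; say so here, the way the neighbouring key documents its return values, so that a device implementing this op knows what to write and what to return.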
diff -up ghostscript-9.07/psi/zdevice.c.cve-2018-19409 ghostscript-9.07/psi/zdevice.c
--- ghostscript-9.07/psi/zdevice.c.cve-2018-19409	2013-02-14 08:58:13.000000000 +0100
+++ ghostscript-9.07/psi/zdevice.c	2018-11-29 12:42:59.884160017 +0100
@@ -34,6 +34,7 @@
 #include "gxgetbit.h"
 #include "store.h"
 #include "gsicc_manage.h"
+#include "gxdevsop.h"
 
 /* <device> <keep_open> .copydevice2 <newdevice> */
 static int
@@ -56,6 +57,7 @@ zcopydevice2(i_ctx_t *i_ctx_p)
 }
 
 /* - currentdevice <device> */
+/* Returns the current device in the graphics state */
 int
 zcurrentdevice(i_ctx_t *i_ctx_p)
 {
@@ -70,6 +72,34 @@ zcurrentdevice(i_ctx_t *i_ctx_p)
     return 0;
 }
 
+/* - .currentoutputdevice <device> */
+/* Returns the *output* device - which will often
+   be the same as above, but not always: if a compositor
+   or other forwarding device, or subclassing device is
+   in force, that will be referenced by the graphics state
+   rather than the output device.
+   This is equivalent of currentdevice device, but returns
+   the *device* object, rather than the dictionary describing
+   the device and device state.
+ */
+static int
+zcurrentoutputdevice(i_ctx_t *i_ctx_p)
+{
+    os_ptr op = osp;
+    gx_device *odev = NULL, *dev = gs_currentdevice(igs);
+    gs_ref_memory_t *mem = (gs_ref_memory_t *) dev->memory;
+    int code = dev_proc(dev, dev_spec_op)(dev,
+                        gxdso_current_output_device, (void *)&odev, 0);
+    if (code < 0)
+        return code;
+
+    push(1);
+    make_tav(op, t_device,
+             (mem == 0 ? avm_foreign : imemory_space(mem)) | a_all,
+             pdevice, odev);
+    return 0;
+}
+
 /* <device> .devicename <string> */
 static int
 zdevicename(i_ctx_t *i_ctx_p)
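Review bot: in `zcurrentoutputdevice`, `mem` is taken from `dev->memory` (the device in the graphics state) but the ref built by `make_tav` points at `odev`. If the two devices live in different VM spaces the ref carries the wrong space attribute; derive `mem` from `odev->memory` after the spec_op call instead. `odev` is also used without a NULL check when the call returns a non-negative code, and the comment sentence "This is equivalent of currentdevice device" is hard to parse and should be reworded.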
@@ -450,13 +480,34 @@ zputdeviceparams(i_ctx_t *i_ctx_p)
 int
 zsetdevice(i_ctx_t *i_ctx_p)
 {
-    gx_device *dev = gs_currentdevice(igs);
+    gx_device *odev = NULL, *dev = gs_currentdevice(igs);
+    gx_device *ndev = NULL;
     os_ptr op = osp;
-    int code = 0;
+    int code = dev_proc(dev, dev_spec_op)(dev,
+                        gxdso_current_output_device, (void *)&odev, 0);
 
+    if (code < 0)
+        return code;
     check_write_type(*op, t_device);
-    if (dev->LockSafetyParams) {	  /* do additional checking if locked  */
-        if(op->value.pdevice != dev) 	  /* don't allow a different device    */
+
+    if (op->value.pdevice == 0)
+        return gs_note_error(gs_error_undefined);
+
+    /* slightly icky special case: the new device may not have had
+     * it's procs initialised, at this point - but we need to check
+     * whether we're being asked to change the device here
+     */
+    if (dev_proc((op->value.pdevice), dev_spec_op) == NULL)
+        ndev = op->value.pdevice;
+    else
+        code = dev_proc((op->value.pdevice), dev_spec_op)(op->value.pdevice,
+                        gxdso_current_output_device, (void *)&ndev, 0);
+
+    if (code < 0)
+        return code;
+
+    if (odev->LockSafetyParams) {        /* do additional checking if locked  */
+        if(ndev != odev)         /* don't allow a different device    */
             return_error(e_invalidaccess);
     }
 #ifndef PSI_INCLUDED
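Review bot: `odev` starts as NULL and is dereferenced at `odev->LockSafetyParams` with only `code < 0` as a guard, so a device whose `dev_spec_op` returns 0 without writing through `data` would crash here; check `odev` and `ndev` for NULL and return an error before the comparison. The NULL test on `dev_proc(..., dev_spec_op)` is applied to the new device only, not to `dev` on the first call; if that asymmetry is intended, a comment saying why the current device is always initialised would help. In the uninitialised-procs branch `ndev` is the operand itself rather than its output device, so `ndev != odev` relies on an uninitialised device never standing in front of `odev`; that assumption deserves a line in the comment too.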
@@ -480,6 +531,7 @@ const op_def zdevice_op_defs[] =
 {
     {"1.copydevice2", zcopydevice2},
     {"0currentdevice", zcurrentdevice},
+    {"0.currentoutputdevice", zcurrentoutputdevice},
     {"1.devicename", zdevicename},
     {"0.doneshowpage", zdoneshowpage},
     {"0flushpage", zflushpage},
diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2018-19409 ghostscript-9.07/Resource/Init/gs_init.ps
--- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2018-19409	2018-11-29 12:42:59.873160172 +0100
+++ ghostscript-9.07/Resource/Init/gs_init.ps	2018-11-29 12:42:59.884160017 +0100
@@ -2160,7 +2160,7 @@ SAFER { .setsafe } if
 /.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
 /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
 /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
-/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
+/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice
 
 % Used by a free user in the Library of Congress. Apparently this is used to
 % draw a partial page, which is then filled in by the results of a barcode
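Review bot: `/.currentoutputdevice` is appended to a name list whose consumer is not visible in this hunk, and none of the commit messages say why the operator belongs there. If the list names operators that are removed from `systemdict` after initialisation, confirm that the new use in `gs_setpd.ps` is bound before the removal happens; either way, a sentence in the commit message explaining this addition would help the next reader.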
diff -up ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2018-19409 ghostscript-9.07/Resource/Init/gs_setpd.ps
--- ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2018-19409	2018-11-29 12:42:59.880160073 +0100
+++ ghostscript-9.07/Resource/Init/gs_setpd.ps	2018-11-29 12:42:59.885160002 +0100
@@ -772,7 +772,13 @@ SETPDDEBUG { (Selecting.) = pstack flush
                 % Stack: mark <orig> <request> <merged> <failed>
 SETPDDEBUG { (Constructing.) = pstack flush } if
 
-   currentdevice .devicename 2 index /OutputDevice get eq
+   % Non-obvious: we need to check the name of the output device, to tell
+   % whether we're going to have to replace the entire device chain (which
+   % may be only one device, or may be multiple devices.
+   % If we're not replacing the entire change, we have to use the device in
+   % the graphics state, so the configuration of the entire device chain is
+   % correctly set.
+   .currentoutputdevice .devicename 2 index /OutputDevice get eq
     { currentdevice }
     { 1 index /OutputDevice get finddevice }
    ifelse
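Review bot: the added comment in `gs_setpd.ps` has an unclosed parenthesis after "(which may be only one device, or may be multiple devices." and "If we're not replacing the entire change" looks like it should read "entire chain". The comment exists to explain why the name test uses `.currentoutputdevice` while the true branch still pushes `currentdevice`, so it is worth fixing both so that distinction reads clearly.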