From: Chris Liddell
Date: Wed, 14 Nov 2018 09:50:08 +0000 (+0000)
Subject: Bug 700176: check the *output* device for LockSafetyParams

Bug 700176: check the *output* device for LockSafetyParams

When calling .setdevice we were checking if LockSafetyParams was set, and if so throwing an invalidaccess error.

The problem is, if another device, for example the pdf14 compositor is the 'top' device, that does not (and cannot) honour LockSafetyParams.

To solve this, we'll now use the (relatively new) gxdso_current_output_device spec_op to retrieve the *actual* output device, and check the LockSafetyParams flag in that.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=661e8d8fb8248c38d67958beda32f3a5876d0c3f

From: Chris Liddell
Date: Wed, 14 Nov 2018 21:04:46 +0000 (+0000)
Subject: Bug 700176: Use the actual output device for both devices in setdevice

Bug 700176: Use the actual output device for both devices in setdevice

Also fixes bug 700189.

The pdf14 compositor device, despite being a forwarding device, does not forward all spec_ops to its target, only a select few are special cased for that. gxdso_current_output_device needs to be included in those special cases.

The original commit (661e8d8fb8248) changed the code to use the spec_op to retrieve the output device, checking that for LockSafetyParams. If LockSafetyParams is set, it returns an invalidaccess error if the new device differs from the current device.

When we do the comparison between the two devices, we need to check the output device in both cases.

This is complicated by the fact that the new device may not have ever been set (and thus fully initialised), and may not have a spec_op method available at that point.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ea1b3ef437f39e45874f821c06bd953196625ac5

From: Chris Liddell
Date: Mon, 17 Sep 2018 13:06:12 +0000 (+0100)
Subject: Implement .currentoutputdevice operator

Implement .currentoutputdevice operator

The currentdevice operator returns the device currently installed in the graphics state. This can be the output/page device, but also could be a forwarding device (bbox device), compositor (pdf14) or subclass device (erasepage optimisation, First/Last page etc).

In certain circumstances (for example during a setpagedevice) we want to be sure we're retrieving the *actual* output/page device.

The new .currentoutputdevice operator uses the spec_op device method to traverse any chain of devices and retrieve the final device in the chain, which should always be the output/page device.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7c3e7eee829cc3d2582e4aa7ae1fd495ca72cef1

From: Ken Sharp
Date: Mon, 19 Nov 2018 09:00:54 +0000 (+0000)
Subject: Coverity ID 327264 - move pointer NULL check

Coverity ID 327264 - move pointer NULL check

Due to recent changes in this code, the pointer was being dereferenced before we checked it to see if it was NULL. Move the check so that we check for NULL before dereferencing.

The 'pvalue' of the operand can be NULL, even if the object is a t_device type, because invalidate_stack_devices traverses the operand stack looking for devices, and sets their pvalue member to NULL in order to invalidate them so that they cannot be used.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a4228a0d8d657fca3bb3becb93a43fae061beae8

--- diff -up ghostscript-9.07/base/gdevdflt.c.cve-2018-19409 ghostscript-9.07/base/gdevdflt.c --- ghostscript-9.07/base/gdevdflt.c.cve-2018-19409 2013-02-14 08:58:13.000000000 +0100 +++ ghostscript-9.07/base/gdevdflt.c 2018-11-29 12:42:59.882160045 +0100 
@@ -954,6 +954,11 @@ gx_default_dev_spec_op(gx_device *pdev, return 4; } return 0; /* Otherwise no change */ + case gxdso_current_output_device: + { + *(gx_device **)data = pdev; + return 0; + } } return gs_error_undefined; } diff -up ghostscript-9.07/base/gdevp14.c.cve-2018-19409 ghostscript-9.07/base/gdevp14.c --- ghostscript-9.07/base/gdevp14.c.cve-2018-19409 2018-11-29 12:42:59.784161429 +0100 +++ ghostscript-9.07/base/gdevp14.c 2018-11-29 13:15:49.265339432 +0100 @@ -5089,6 +5089,11 @@ pdf14_dev_spec_op(gx_device *pdev, int d return 0; } } + if (dev_spec_op == gxdso_current_output_device) { + gx_device * target = ((gx_device_forward *)pdev)->target; + return dev_proc(target, dev_spec_op)(target, dev_spec_op, data, size); + } + return gx_default_dev_spec_op(pdev, dev_spec_op, data, size); } diff -up ghostscript-9.07/base/gxdevsop.h.cve-2018-19409 ghostscript-9.07/base/gxdevsop.h --- ghostscript-9.07/base/gxdevsop.h.cve-2018-19409 2013-02-14 08:58:13.000000000 +0100 +++ ghostscript-9.07/base/gxdevsop.h 2018-11-29 12:42:59.884160017 +0100 @@ -253,6 +253,10 @@ enum { * Return 0 for 'no special treatment', or 1 for the anitdropout * downscaler. */ gxdso_interpolate_antidropout, + /* Retrieve the last device in a device chain + (either forwarding or subclass devices). + */ + gxdso_current_output_device, /* Add new gxdso_ keys above this. */ gxdso_pattern__LAST }; diff -up ghostscript-9.07/psi/zdevice.c.cve-2018-19409 ghostscript-9.07/psi/zdevice.c --- ghostscript-9.07/psi/zdevice.c.cve-2018-19409 2013-02-14 08:58:13.000000000 +0100 +++ ghostscript-9.07/psi/zdevice.c 2018-11-29 12:42:59.884160017 +0100 @@ -34,6 +34,7 @@ #include "gxgetbit.h" #include "store.h" #include "gsicc_manage.h" +#include "gxdevsop.h" /* .copydevice2 */ static int @@ -56,6 +57,7 @@ zcopydevice2(i_ctx_t *i_ctx_p) } /* - currentdevice */ +/* Returns the current device in the graphics state */ int zcurrentdevice(i_ctx_t *i_ctx_p) { 
@@ -70,6 +72,34 @@ zcurrentdevice(i_ctx_t *i_ctx_p) return 0; } +/* - .currentoutputdevice */ +/* Returns the *output* device - which will often + be the same as above, but not always: if a compositor + or other forwarding device, or subclassing device is + in force, that will be referenced by the graphics state + rather than the output device. + This is equivalent of currentdevice device, but returns + the *device* object, rather than the dictionary describing + the device and device state. + */ +static int +zcurrentoutputdevice(i_ctx_t *i_ctx_p) +{ + os_ptr op = osp; + gx_device *odev = NULL, *dev = gs_currentdevice(igs); + gs_ref_memory_t *mem = (gs_ref_memory_t *) dev->memory; + int code = dev_proc(dev, dev_spec_op)(dev, + gxdso_current_output_device, (void *)&odev, 0); + if (code < 0) + return code; + + push(1); + make_tav(op, t_device, + (mem == 0 ? avm_foreign : imemory_space(mem)) | a_all, + pdevice, odev); + return 0; +} + /* .devicename */ static int zdevicename(i_ctx_t *i_ctx_p) 
@@ -450,13 +480,34 @@ zputdeviceparams(i_ctx_t *i_ctx_p) int zsetdevice(i_ctx_t *i_ctx_p) { - gx_device *dev = gs_currentdevice(igs); + gx_device *odev = NULL, *dev = gs_currentdevice(igs); + gx_device *ndev = NULL; os_ptr op = osp; - int code = 0; + int code = dev_proc(dev, dev_spec_op)(dev, + gxdso_current_output_device, (void *)&odev, 0); + if (code < 0) + return code; check_write_type(*op, t_device); - if (dev->LockSafetyParams) { /* do additional checking if locked */ - if(op->value.pdevice != dev) /* don't allow a different device */ + + if (op->value.pdevice == 0) + return gs_note_error(gs_error_undefined); + + /* slightly icky special case: the new device may not have had + * it's procs initialised, at this point - but we need to check + * whether we're being asked to change the device here + */ + if (dev_proc((op->value.pdevice), dev_spec_op) == NULL) + ndev = op->value.pdevice; + else + code = dev_proc((op->value.pdevice), dev_spec_op)(op->value.pdevice, + gxdso_current_output_device, (void *)&ndev, 0); + + if (code < 0) + return code; + + if (odev->LockSafetyParams) { /* do additional checking if locked */ + if(ndev != odev) /* don't allow a different device */ return_error(e_invalidaccess); } #ifndef PSI_INCLUDED @@ -480,6 +531,7 @@ const op_def zdevice_op_defs[] = { {"1.copydevice2", zcopydevice2}, {"0currentdevice", zcurrentdevice}, + {"0.currentoutputdevice", zcurrentoutputdevice}, {"1.devicename", zdevicename}, {"0.doneshowpage", zdoneshowpage}, {"0flushpage", zflushpage}, diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2018-19409 ghostscript-9.07/Resource/Init/gs_init.ps --- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2018-19409 2018-11-29 12:42:59.873160172 +0100 +++ ghostscript-9.07/Resource/Init/gs_init.ps 2018-11-29 12:42:59.884160017 +0100 
@@ -2160,7 +2160,7 @@ SAFER { .setsafe } if /.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams -/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath +/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice % Used by a free user in the Library of Congress. Apparently this is used to % draw a partial page, which is then filled in by the results of a barcode diff -up ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2018-19409 ghostscript-9.07/Resource/Init/gs_setpd.ps --- ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2018-19409 2018-11-29 12:42:59.880160073 +0100 +++ ghostscript-9.07/Resource/Init/gs_setpd.ps 2018-11-29 12:42:59.885160002 +0100 @@ -772,7 +772,13 @@ SETPDDEBUG { (Selecting.) = pstack flush % Stack: mark SETPDDEBUG { (Constructing.) = pstack flush } if - currentdevice .devicename 2 index /OutputDevice get eq + % Non-obvious: we need to check the name of the output device, to tell + % whether we're going to have to replace the entire device chain (which + % may be only one device, or may be multiple devices. + % If we're not replacing the entire change, we have to use the device in + % the graphics state, so the configuration of the entire device chain is + % correctly set. + .currentoutputdevice .devicename 2 index /OutputDevice get eq { currentdevice } { 1 index /OutputDevice get finddevice } ifelse
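
Review bot: In the pdf14_dev_spec_op hunk (base/gdevp14.c), `target` is read from `((gx_device_forward *)pdev)->target` and immediately called through `dev_proc(target, dev_spec_op)` with no NULL check on the target or on its proc. The zsetdevice hunk in this same patch already allows for a device whose procs are not yet initialised, so the forwarding case should guard the same way and fall through to gx_default_dev_spec_op (or return an error) when the target is NULL or has no dev_spec_op.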
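
Review bot: The comment added above gxdso_current_output_device in base/gxdevsop.h does not document the calling convention. The handlers in this patch write through `*(gx_device **)data` and both callers in psi/zdevice.c pass `size` as 0, so the comment should say that `data` is a `gx_device **` out parameter, that `size` is ignored, and what a zero return guarantees about the pointer.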
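
Review bot: In zcurrentoutputdevice (psi/zdevice.c), `mem` is taken from `dev->memory`, the graphics-state device, but the ref built by make_tav wraps `odev`. If the top device and the output device can live in different VM spaces the ref gets the wrong space attribute, so derive it from `odev->memory` after the spec_op call. `odev` is also still NULL if any dev_spec_op in the chain returns a non-negative code without writing it; check it before `push(1)`. The header comment says "equivalent of currentdevice device", which looks like a slip and should name the operator actually meant.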
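
Review bot: In zsetdevice (psi/zdevice.c), `odev` starts as NULL and is dereferenced at `if (odev->LockSafetyParams)` on the strength of `code >= 0` alone. This test is the LockSafetyParams enforcement point, so it should fail closed: return an error when `odev` or `ndev` is NULL after the spec_op calls instead of relying on every device in the chain to fill the pointer. The current device's proc is also called unchecked in the initialiser, before check_write_type, while the new device's proc is tested against NULL; either guard both or add a comment saying why an installed device always has a dev_spec_op.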
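
Review bot: The comment added in the Resource/Init/gs_setpd.ps hunk has an unclosed parenthesis after "(which may be only one device, or may be multiple devices." and says "replacing the entire change" where "entire chain" is meant. This comment is the only explanation of why the name test uses .currentoutputdevice while the true branch still pushes currentdevice, so it is worth correcting both before merge.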