Inicio Explorar Axuda
Iniciar sesión
crispAudio
/
poky
réplica de git://git.yoctoproject.org/poky
5
0
Fork 0
Ficheiros Incidencias 0 Wiki
Árbore: cefe82c765
Ramas Etiquetas
poky
/
meta
/
recipes-extended
/
ghostscript
/
files
/
0007-Bug-699927-don-t-include-operator-arrays-in-execstac.patch

0007-Bug-699927-don-t-include-operator-arrays-in-execstac.patch 7.8 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197 
  1. From 430f39144244ba4fd7b720cf87031e415e0fabce Mon Sep 17 00:00:00 2001
    2. 

  2. From: Chris Liddell <chris.liddell@artifex.com>
    3. 

  3. Date: Mon, 5 Nov 2018 15:42:52 +0800
    4. 

  4. Subject: [PATCH 2/2] Bug 699927: don't include operator arrays in execstack
    5. 

  5.  output
    6. 

  6. 

  7. When we transfer the contents of the execution stack into the array, take the
    8. 

  8. extra step of replacing any operator arrays on the stack with the operator
    9. 

  9. that reference them.
    10. 

  10. 

  11. This prevents the contents of Postscript defined, internal only operators (those
    12. 

  12. created with .makeoperator) being exposed via execstack (and thus, via error
    13. 

  13. handling).
    14. 

  14. 

  15. This necessitates a change in the resource remapping 'resource', which contains
    16. 

  16. a procedure which relies on the contents of the operators arrays being present.
    17. 

  17. As we already had internal-only variants of countexecstack and execstack
    18. 

  18. (.countexecstack and .execstack) - using those, and leaving thier operation
    19. 

  19. including the operator arrays means the procedure continues to work correctly.
    20. 

  20. 

  21. Both .countexecstack and .execstack are undefined after initialization.
    22. 

  22. 

  23. Also, when we store the execstack (or part thereof) for an execstackoverflow
    24. 

  24. error, make the same oparray/operator substitution as above for execstack.
    25. 

  25. 

  26. CVE: CVE-2018-18073
    27. 

  27. Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
    28. 

  28. Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
    29. 

  29. ---
    30. 

  30.  Resource/Init/gs_init.ps  |  4 ++--
    31. 

  31.  Resource/Init/gs_resmp.ps |  2 +-
    32. 

  32.  psi/int.mak               |  2 +-
    33. 

  33.  psi/interp.c              | 14 +++++++++++---
    34. 

  34.  psi/interp.h              |  2 ++
    35. 

  35.  psi/zcontrol.c            | 13 ++++++++++---
    36. 

  36.  6 files changed, 27 insertions(+), 10 deletions(-)
    37. 

  37. 

  38. diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
    39. 

  39. index 7c71d18..f4c1053 100644
    40. 

  40. --- a/Resource/Init/gs_init.ps
    41. 

  41. +++ b/Resource/Init/gs_init.ps
    42. 

  42. @@ -2191,7 +2191,7 @@ SAFER { .setsafeglobal } if
    43. 

  43.    %% but can be easily restored (just delete the name from the list in the array). In future
    44. 

  44.    %% we may remove the operator and the code implementation entirely.
    45. 

  45.    [
    46. 

  46. -  /.bitadd /.charboxpath /.cond /.countexecstack /.execstack /.runandhide /.popdevicefilter
    47. 

  47. +  /.bitadd /.charboxpath /.cond /.runandhide /.popdevicefilter
    48. 

  48.    /.execfile /.filenamesplit /.file_name_parent
    49. 

  49.    /.setdefaultmatrix /.isprocfilter /.unread /.psstringencode
    50. 

  50.    /.buildsampledfunction /.isencapfunction /.currentaccuratecurves /.currentcurvejoin /.currentdashadapt /.currentdotlength
    51. 

  51. @@ -2230,7 +2230,7 @@ SAFER { .setsafeglobal } if
    52. 

  52.    /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
    53. 

  53.    /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
    54. 

  54.    /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
    55. 

  55. -  /.type /.writecvs /.setSMask /.currentSMask
    56. 

  56. +  /.type /.writecvs /.setSMask /.currentSMask /.countexecstack /.execstack
    57. 

  57.  
    58. 

  58.    % Used by a free user in the Library of Congress. Apparently this is used to
    59. 

  59.    % draw a partial page, which is then filled in by the results of a barcode
    60. 

  60. diff --git a/Resource/Init/gs_resmp.ps b/Resource/Init/gs_resmp.ps
    61. 

  61. index 7cacaf8..9bb4263 100644
    62. 

  62. --- a/Resource/Init/gs_resmp.ps
    63. 

  63. +++ b/Resource/Init/gs_resmp.ps
    64. 

  64. @@ -183,7 +183,7 @@ setpacking
    65. 

  65.    % We don't check them.
    66. 

  66.  
    67. 

  67.    currentglobal //false setglobal                  % <object> bGlobal
    68. 

  68. -  countexecstack array execstack                   % <object> bGlobal [execstack]
    69. 

  69. +  //false .countexecstack array //false .execstack % <object> bGlobal [execstack]
    70. 

  70.    dup //null exch                                  % <object> bGlobal [execstack] null [execstack]
    71. 

  71.    length 3 sub -1 0 {                              % <object> bGlobal [execstack] null i
    72. 

  72.      2 index exch get                               % <object> bGlobal [execstack] null proc
    73. 

  73. diff --git a/psi/int.mak b/psi/int.mak
    74. 

  74. index 5d9b3d5..6ab5bf0 100644
    75. 

  75. --- a/psi/int.mak
    76. 

  76. +++ b/psi/int.mak
    77. 

  77. @@ -323,7 +323,7 @@ $(PSOBJ)zarray.$(OBJ) : $(PSSRC)zarray.c $(OP) $(memory__h)\
    78. 

  78.  
    79. 

  79.  $(PSOBJ)zcontrol.$(OBJ) : $(PSSRC)zcontrol.c $(OP) $(string__h)\
    80. 

  80.   $(estack_h) $(files_h) $(ipacked_h) $(iutil_h) $(store_h) $(stream_h)\
    81. 

  81. - $(INT_MAK) $(MAKEDIRS)
    82. 

  82. + $(interp_h) $(INT_MAK) $(MAKEDIRS)
    83. 

  83.  	$(PSCC) $(PSO_)zcontrol.$(OBJ) $(C_) $(PSSRC)zcontrol.c
    84. 

  84.  
    85. 

  85.  $(PSOBJ)zdict.$(OBJ) : $(PSSRC)zdict.c $(OP)\
    86. 

  86. diff --git a/psi/interp.c b/psi/interp.c
    87. 

  87. index b70769d..6dc0dda 100644
    88. 

  88. --- a/psi/interp.c
    89. 

  89. +++ b/psi/interp.c
    90. 

  90. @@ -142,7 +142,6 @@ static int oparray_pop(i_ctx_t *);
    91. 

  91.  static int oparray_cleanup(i_ctx_t *);
    92. 

  92.  static int zerrorexec(i_ctx_t *);
    93. 

  93.  static int zfinderrorobject(i_ctx_t *);
    94. 

  94. -static int errorexec_find(i_ctx_t *, ref *);
    95. 

  95.  static int errorexec_pop(i_ctx_t *);
    96. 

  96.  static int errorexec_cleanup(i_ctx_t *);
    97. 

  97.  static int zsetstackprotect(i_ctx_t *);
    98. 

  98. @@ -761,7 +760,7 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr)
    99. 

  99.  {
    100. 

  100.      uint size = ref_stack_count(pstack) - skip;
    101. 

  101.      uint save_space = ialloc_space(idmemory);
    102. 

  102. -    int code;
    103. 

  103. +    int code, i;
    104. 

  104.  
    105. 

  105.      if (size > 65535)
    106. 

  106.          size = 65535;
    107. 

  107. @@ -770,6 +769,15 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr)
    108. 

  108.      if (code >= 0)
    109. 

  109.          code = ref_stack_store(pstack, arr, size, 0, 1, true, idmemory,
    110. 

  110.                                 "copy_stack");
    111. 

  111. +    /* If we are copying the exec stack, try to replace any oparrays with
    112. 

  112. +     * with the operator than references them
    113. 

  113. +     */
    114. 

  114. +    if (pstack == &e_stack) {
    115. 

  115. +        for (i = 0; i < size; i++) {
    116. 

  116. +            if (errorexec_find(i_ctx_p, &arr->value.refs[i]) < 0)
    117. 

  117. +                make_null(&arr->value.refs[i]);
    118. 

  118. +        }
    119. 

  119. +    }
    120. 

  120.      ialloc_set_space(idmemory, save_space);
    121. 

  121.      return code;
    122. 

  122.  }
    123. 

  123. @@ -1934,7 +1942,7 @@ zfinderrorobject(i_ctx_t *i_ctx_p)
    124. 

  124.   * .errorexec with errobj != null, store it in *perror_object and return 1,
    125. 

  125.   * otherwise return 0;
    126. 

  126.   */
    127. 

  127. -static int
    128. 

  128. +int
    129. 

  129.  errorexec_find(i_ctx_t *i_ctx_p, ref *perror_object)
    130. 

  130.  {
    131. 

  131.      long i;
    132. 

  132. diff --git a/psi/interp.h b/psi/interp.h
    133. 

  133. index e9275b9..4f551d1 100644
    134. 

  134. --- a/psi/interp.h
    135. 

  135. +++ b/psi/interp.h
    136. 

  136. @@ -91,5 +91,7 @@ void gs_interp_reset(i_ctx_t *i_ctx_p);
    137. 

  137.  /* Define the top-level interface to the interpreter. */
    138. 

  138.  int gs_interpret(i_ctx_t **pi_ctx_p, ref * pref, int user_errors,
    139. 

  139.                   int *pexit_code, ref * perror_object);
    140. 

  140. +int
    141. 

  141. +errorexec_find(i_ctx_t *i_ctx_p, ref *perror_object);
    142. 

  142.  
    143. 

  143.  #endif /* interp_INCLUDED */
    144. 

  144. diff --git a/psi/zcontrol.c b/psi/zcontrol.c
    145. 

  145. index 36da22c..0362cf4 100644
    146. 

  146. --- a/psi/zcontrol.c
    147. 

  147. +++ b/psi/zcontrol.c
    148. 

  148. @@ -24,6 +24,7 @@
    149. 

  149.  #include "ipacked.h"
    150. 

  150.  #include "iutil.h"
    151. 

  151.  #include "store.h"
    152. 

  152. +#include "interp.h"
    153. 

  153.  
    154. 

  154.  /* Forward references */
    155. 

  155.  static int check_for_exec(const_os_ptr);
    156. 

  156. @@ -787,7 +788,7 @@ zexecstack2(i_ctx_t *i_ctx_p)
    157. 

  157.  /* Continuation operator to do the actual transfer. */
    158. 

  158.  /* r_size(op1) was set just above. */
    159. 

  159.  static int
    160. 

  160. -do_execstack(i_ctx_t *i_ctx_p, bool include_marks, os_ptr op1)
    161. 

  161. +do_execstack(i_ctx_t *i_ctx_p, bool include_marks, bool include_oparrays, os_ptr op1)
    162. 

  162.  {
    163. 

  163.      os_ptr op = osp;
    164. 

  164.      ref *arefs = op1->value.refs;
    165. 

  165. @@ -829,6 +830,12 @@ do_execstack(i_ctx_t *i_ctx_p, bool include_marks, os_ptr op1)
    166. 

  166.                                    strlen(tname), (const byte *)tname);
    167. 

  167.                  break;
    168. 

  168.              }
    169. 

  169. +            case t_array:
    170. 

  170. +            case t_shortarray:
    171. 

  171. +            case t_mixedarray:
    172. 

  172. +                if (!include_oparrays && errorexec_find(i_ctx_p, rq) < 0)
    173. 

  173. +                    make_null(rq);
    174. 

  174. +                break;
    175. 

  175.              default:
    176. 

  176.                  ;
    177. 

  177.          }
    178. 

  178. @@ -841,14 +848,14 @@ execstack_continue(i_ctx_t *i_ctx_p)
    179. 

  179.  {
    180. 

  180.      os_ptr op = osp;
    181. 

  181.  
    182. 

  182. -    return do_execstack(i_ctx_p, false, op);
    183. 

  183. +    return do_execstack(i_ctx_p, false, false, op);
    184. 

  184.  }
    185. 

  185.  static int
    186. 

  186.  execstack2_continue(i_ctx_t *i_ctx_p)
    187. 

  187.  {
    188. 

  188.      os_ptr op = osp;
    189. 

  189.  
    190. 

  190. -    return do_execstack(i_ctx_p, op->value.boolval, op - 1);
    191. 

  191. +    return do_execstack(i_ctx_p, op->value.boolval, true, op - 1);
    192. 

  192.  }
    193. 

  193.  
    194. 

  194.  /* - .needinput - */
    195. 

  195. -- 
    196. 

  196. 2.7.4
    197. 

  197.