Diffstat (limited to 'print/ghostscript/patches/patch-ae')
-rw-r--r-- | print/ghostscript/patches/patch-ae | 214 |
1 files changed, 214 insertions, 0 deletions
diff --git a/print/ghostscript/patches/patch-ae b/print/ghostscript/patches/patch-ae
new file mode 100644
index 00000000000..642536e68fb
--- /dev/null
+++ b/print/ghostscript/patches/patch-ae
@@ -0,0 +1,214 @@
+$NetBSD: patch-ae,v 1.6.2.2 2010/11/23 22:43:36 spz Exp $
+
+Security patch for CVE-2010-2055 by Dr. Werner Fink taken from here:
+
+http://bugs.ghostscript.com/attachment.cgi?id=6449
+
+--- psi/zfile.c.orig 2009-10-04 13:42:07.000000000 +0100
++++ psi/zfile.c 2010-11-23 11:03:52.000000000 +0000
+@@ -902,6 +902,90 @@
+ return 0;
+ }
+
++/* return zero for success, -ve for error, +1 for continue */
++static int
++lib_file_open_search_with_no_combine(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx_p,
++ const char *fname, uint flen, char *buffer, int blen, uint *pclen, ref *pfile,
++ gx_io_device *iodev, bool starting_arg_file, char *fmode)
++{
++ stream *s;
++ uint blen1 = blen;
++ if (gp_file_name_reduce(fname, flen, buffer, &blen1) != gp_combine_success)
++ goto skip;
++ if (iodev_os_open_file(iodev, (const char *)buffer, blen1,
++ (const char *)fmode, &s, (gs_memory_t *)mem) == 0) {
++ if (starting_arg_file ||
++ check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
++ *pclen = blen1;
++ make_stream_file(pfile, s, "r");
++ return 0;
++ }
++ sclose(s);
++ return_error(e_invalidfileaccess);
++ }
++ skip:;
++ return 1;
++}
++
++/* return zero for success, -ve for error, +1 for continue */
++static int
++lib_file_open_search_with_combine(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx_p,
++ const char *fname, uint flen, char *buffer, int blen, uint *pclen, ref *pfile,
++ gx_io_device *iodev, bool starting_arg_file, char *fmode)
++{
++ stream *s;
++ const gs_file_path *pfpath = lib_path;
++ uint pi;
++
++ for (pi = 0; pi < r_size(&pfpath->list); ++pi) {
++ const ref *prdir = pfpath->list.value.refs + pi;
++ const char *pstr = (const char *)prdir->value.const_bytes;
++ uint plen = r_size(prdir), blen1 = blen;
++ gs_parsed_file_name_t pname;
++ gp_file_name_combine_result r;
++
++ /* We need to concatenate and parse the file name here
++ * if this path has a %device% prefix. */
++ if (pstr[0] == '%') {
++ int code;
++
++ /* We concatenate directly since gp_file_name_combine_*
++ * rules are not correct for other devices such as %rom% */
++ code = gs_parse_file_name(&pname, pstr, plen);
++ if (code < 0)
++ continue;
++ memcpy(buffer, pname.fname, pname.len);
++ memcpy(buffer+pname.len, fname, flen);
++ code = pname.iodev->procs.open_file(pname.iodev, buffer, pname.len + flen, fmode,
++ &s, (gs_memory_t *)mem);
++ if (code < 0)
++ continue;
++ make_stream_file(pfile, s, "r");
++ /* fill in the buffer with the device concatenated */
++ memcpy(buffer, pstr, plen);
++ memcpy(buffer+plen, fname, flen);
++ *pclen = plen + flen;
++ return 0;
++ } else {
++ r = gp_file_name_combine(pstr, plen,
++ fname, flen, false, buffer, &blen1);
++ if (r != gp_combine_success)
++ continue;
++ if (iodev_os_open_file(iodev, (const char *)buffer, blen1, (const char *)fmode,
++ &s, (gs_memory_t *)mem) == 0) {
++ if (starting_arg_file ||
++ check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
++ *pclen = blen1;
++ make_stream_file(pfile, s, "r");
++ return 0;
++ }
++ sclose(s);
++ return_error(e_invalidfileaccess);
++ }
++ }
++ }
++ return 1;
++}
+
+ /* Return a file object of of the file searched for using the search paths. */
+ /* The fname cannot contain a device part (%...%) but the lib paths might. */
+@@ -919,6 +1003,8 @@
+ char fmode[4] = { 'r', 0, 0, 0 }; /* room for binary suffix */
+ stream *s;
+ gx_io_device *iodev = iodev_default;
++ gs_main_instance *minst = get_minst_from_memory(mem);
++ int code;
+
+ /* when starting arg files (@ files) iodev_default is not yet set */
+ if (iodev == 0)
+@@ -932,75 +1018,36 @@
+ search_with_no_combine = starting_arg_file;
+ search_with_combine = true;
+ }
+- if (search_with_no_combine) {
+- uint blen1 = blen;
+-
+- if (gp_file_name_reduce(fname, flen, buffer, &blen1) != gp_combine_success)
+- goto skip;
+- if (iodev_os_open_file(iodev, (const char *)buffer, blen1,
+- (const char *)fmode, &s, (gs_memory_t *)mem) == 0) {
+- if (starting_arg_file ||
+- check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
+- *pclen = blen1;
+- make_stream_file(pfile, s, "r");
+- return 0;
+- }
+- sclose(s);
+- return_error(e_invalidfileaccess);
+- }
+- skip:;
+- }
+- if (search_with_combine) {
+- const gs_file_path *pfpath = lib_path;
+- uint pi;
+-
+- for (pi = 0; pi < r_size(&pfpath->list); ++pi) {
+- const ref *prdir = pfpath->list.value.refs + pi;
+- const char *pstr = (const char *)prdir->value.const_bytes;
+- uint plen = r_size(prdir), blen1 = blen;
+- gs_parsed_file_name_t pname;
+- gp_file_name_combine_result r;
+-
+- /* We need to concatenate and parse the file name here
+- * if this path has a %device% prefix. */
+- if (pstr[0] == '%') {
+- int code;
+-
+- /* We concatenate directly since gp_file_name_combine_*
+- * rules are not correct for other devices such as %rom% */
+- code = gs_parse_file_name(&pname, pstr, plen);
+- if (code < 0)
+- continue;
+- memcpy(buffer, pname.fname, pname.len);
+- memcpy(buffer+pname.len, fname, flen);
+- code = pname.iodev->procs.open_file(pname.iodev, buffer, pname.len + flen, fmode,
+- &s, (gs_memory_t *)mem);
+- if (code < 0)
+- continue;
+- make_stream_file(pfile, s, "r");
+- /* fill in the buffer with the device concatenated */
+- memcpy(buffer, pstr, plen);
+- memcpy(buffer+plen, fname, flen);
+- *pclen = plen + flen;
+- return 0;
+- } else {
+- r = gp_file_name_combine(pstr, plen,
+- fname, flen, false, buffer, &blen1);
+- if (r != gp_combine_success)
+- continue;
+- if (iodev_os_open_file(iodev, (const char *)buffer, blen1, (const char *)fmode,
+- &s, (gs_memory_t *)mem) == 0) {
+- if (starting_arg_file ||
+- check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
+- *pclen = blen1;
+- make_stream_file(pfile, s, "r");
+- return 0;
+- }
+- sclose(s);
+- return_error(e_invalidfileaccess);
+- }
+- }
+- }
++ if (minst->search_here_first) {
++ if (search_with_no_combine) {
++ code = lib_file_open_search_with_no_combine(lib_path, mem, i_ctx_p,
++ fname, flen, buffer, blen, pclen, pfile,
++ iodev, starting_arg_file, fmode);
++ if (code <= 0) /* +ve means continue continue */
++ return code;
++ }
++ if (search_with_combine) {
++ code = lib_file_open_search_with_combine(lib_path, mem, i_ctx_p,
++ fname, flen, buffer, blen, pclen, pfile,
++ iodev, starting_arg_file, fmode);
++ if (code <= 0) /* +ve means continue searching */
++ return code;
++ }
++ } else {
++ if (search_with_combine) {
++ code = lib_file_open_search_with_combine(lib_path, mem, i_ctx_p,
++ fname, flen, buffer, blen, pclen, pfile,
++ iodev, starting_arg_file, fmode);
++ if (code <= 0) /* +ve means continue searching */
++ return code;
++ }
++ if (search_with_no_combine) {
++ code = lib_file_open_search_with_no_combine(lib_path, mem, i_ctx_p,
++ fname, flen, buffer, blen, pclen, pfile,
++ iodev, starting_arg_file, fmode);
++ if (code <= 0) /* +ve means continue searching */
++ return code;
++ }
+ }
+ return_error(e_undefinedfilename);
+ }
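Review bot: In the `%device%` branch of the new `lib_file_open_search_with_combine`, the four `memcpy` calls write `pname.len + flen` and then `plen + flen` bytes into `buffer` without ever comparing against `blen`, which is passed in but only used to seed `blen1` for the non-device path. A guard placed after `gs_parse_file_name` succeeds would close that gap, e.g. `if (pname.len + flen > (uint)blen || plen + flen > (uint)blen) return_error(e_limitcheck);`. The code was moved unchanged from `lib_file_open` (whose start is outside the inner hunks), so the gap predates this patch, but `fname` can come from the PostScript job and the helper is a good place to fix it. Separately, the `else` ordering still falls back to the un-combined (current-directory) lookup when the library path misses, so the CVE-2010-2055 protection depends on how `minst->search_here_first` is initialised, which this file does not show and which deserves a comment at the `if (minst->search_here_first)` test.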