1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
$NetBSD: patch-ba,v 1.3 2010/06/30 12:44:55 tron Exp $
Fix for security vulnerability reported in CVE-2010-1628 taken from here:
http://bugs.ghostscript.com/attachment.cgi?id=6350
--- psi/idosave.h.orig 2008-08-28 23:48:19.000000000 +0100
+++ psi/idosave.h 2010-06-30 13:31:32.000000000 +0100
@@ -18,6 +18,22 @@
# define idosave_INCLUDED
/*
+ * Structure for saved change chain for save/restore. Because of the
+ * garbage collector, we need to distinguish the cases where the change
+ * is in a static object, a dynamic ref, or a dynamic struct.
+ */
+typedef struct alloc_change_s alloc_change_t;
+struct alloc_change_s {
+ alloc_change_t *next;
+ ref_packed *where;
+ ref contents;
+#define AC_OFFSET_STATIC (-2) /* static object */
+#define AC_OFFSET_REF (-1) /* dynamic ref */
+#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */
+ short offset; /* if >= 0, offset within struct */
+};
+
+/*
* Save a change that must be undone by restore. We have to pass the
* pointer to the containing object to alloc_save_change for two reasons:
*
@@ -29,6 +45,7 @@
* relocate the pointer to it from the change record during garbage
* collection.
*/
+
int alloc_save_change(gs_dual_memory_t *dmem, const ref *pcont,
ref_packed *ptr, client_name_t cname);
int alloc_save_change_in(gs_ref_memory_t *mem, const ref *pcont,
@@ -36,6 +53,6 @@
/* Remove an AC_OFFSET_ALLOCATED element. */
void alloc_save_remove(gs_ref_memory_t *mem, ref_packed *obj, client_name_t cname);
/* Allocate a structure for recording an allocation event. */
-int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr);
+int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp);
#endif /* idosave_INCLUDED */
|
