2008-12-09 11:00:17 -05:00
|
|
|
$OpenBSD: patch-src_psgen_c,v 1.3 2008/12/09 16:00:18 jasper Exp $
|
|
|
|
|
|
|
|
Among the changes in this patch are security fixes for CVE-2008-3863
|
|
|
|
and CVE-2008-4306 . Patch by Werner Fink, Debian #506261
|
|
|
|
|
2008-12-09 10:23:55 -05:00
|
|
|
--- src/psgen.c.orig Thu Jan 24 08:38:58 2002
|
2008-12-09 11:00:17 -05:00
|
|
|
+++ src/psgen.c Tue Dec 9 16:54:50 2008
|
|
|
|
@@ -24,6 +24,7 @@
|
|
|
|
* Boston, MA 02111-1307, USA.
|
|
|
|
*/
|
|
|
|
|
|
|
|
+#include <limits.h>
|
|
|
|
#include "gsint.h"
|
|
|
|
|
|
|
|
/*
|
|
|
|
@@ -124,7 +125,7 @@ struct gs_token_st
|
|
|
|
double xscale;
|
|
|
|
double yscale;
|
|
|
|
int llx, lly, urx, ury; /* Bounding box. */
|
|
|
|
- char filename[512];
|
|
|
|
+ char filename[PATH_MAX];
|
|
|
|
char *skipbuf;
|
|
|
|
unsigned int skipbuf_len;
|
|
|
|
unsigned int skipbuf_pos;
|
|
|
|
@@ -135,11 +136,11 @@ struct gs_token_st
|
|
|
|
Color bgcolor;
|
|
|
|
struct
|
|
|
|
{
|
|
|
|
- char name[512];
|
|
|
|
+ char name[PATH_MAX];
|
|
|
|
FontPoint size;
|
|
|
|
InputEncoding encoding;
|
|
|
|
} font;
|
|
|
|
- char filename[512];
|
|
|
|
+ char filename[PATH_MAX];
|
|
|
|
} u;
|
|
|
|
};
|
|
|
|
|
|
|
|
@@ -248,7 +249,7 @@ static int do_print = 1;
|
|
|
|
static int user_fontp = 0;
|
|
|
|
|
|
|
|
/* The user ^@font{}-defined font. */
|
|
|
|
-static char user_font_name[256];
|
|
|
|
+static char user_font_name[PATH_MAX];
|
|
|
|
static FontPoint user_font_pt;
|
|
|
|
static InputEncoding user_font_encoding;
|
|
|
|
|
|
|
|
@@ -978,7 +979,8 @@ large for page\n"),
|
|
|
|
FATAL ((stderr,
|
|
|
|
_("user font encoding can be only the system's default or `ps'")));
|
|
|
|
|
|
|
|
- strcpy (user_font_name, token.u.font.name);
|
|
|
|
+ memset (user_font_name, 0, sizeof(user_font_name));
|
|
|
|
+ strncpy (user_font_name, token.u.font.name, sizeof(user_font_name) - 1);
|
|
|
|
user_font_pt.w = token.u.font.size.w;
|
|
|
|
user_font_pt.h = token.u.font.size.h;
|
|
|
|
user_font_encoding = token.u.font.encoding;
|
|
|
|
@@ -1444,7 +1446,7 @@ read_special_escape (InputStream *is, Token *token)
|
|
|
|
buf[i] = ch;
|
|
|
|
if (i + 1 >= sizeof (buf))
|
|
|
|
FATAL ((stderr, _("too long argument for %s escape:\n%.*s"),
|
|
|
|
- escapes[i].name, i, buf));
|
|
|
|
+ escapes[e].name, i, buf));
|
|
|
|
}
|
|
|
|
buf[i] = '\0';
|
|
|
|
|
|
|
|
@@ -1452,7 +1454,8 @@ read_special_escape (InputStream *is, Token *token)
|
|
|
|
switch (escapes[e].escape)
|
|
|
|
{
|
|
|
|
case ESC_FONT:
|
|
|
|
- strcpy (token->u.font.name, buf);
|
|
|
|
+ memset (token->u.font.name, 0, sizeof(token->u.font.name));
|
|
|
|
+ strncpy (token->u.font.name, buf, sizeof(token->u.font.name) - 1);
|
|
|
|
|
|
|
|
/* Check for the default font. */
|
|
|
|
if (strcmp (token->u.font.name, "default") == 0)
|
|
|
|
@@ -1465,7 +1468,8 @@ read_special_escape (InputStream *is, Token *token)
|
|
|
|
FATAL ((stderr, _("malformed font spec for ^@font escape: %s"),
|
|
|
|
token->u.font.name));
|
|
|
|
|
|
|
|
- strcpy (token->u.font.name, cp);
|
|
|
|
+ memset (token->u.font.name, 0, sizeof(token->u.font.name));
|
|
|
|
+ strncpy (token->u.font.name, cp, sizeof(token->u.font.name) - 1);
|
|
|
|
xfree (cp);
|
|
|
|
}
|
|
|
|
token->type = tFONT;
|
|
|
|
@@ -1544,7 +1548,8 @@ read_special_escape (InputStream *is, Token *token)
|
|
|
|
break;
|
|
|
|
|
|
|
|
case ESC_SETFILENAME:
|
|
|
|
- strcpy (token->u.filename, buf);
|
|
|
|
+ memset (token->u.filename, 0, sizeof(token->u.font.name));
|
|
|
|
+ strncpy (token->u.filename, buf, sizeof(token->u.filename) - 1);
|
|
|
|
token->type = tSETFILENAME;
|
|
|
|
break;
|
|
|
|
|
|
|
|
@@ -2034,8 +2039,9 @@ dump_ps_page_header (char *fname, int empty)
|
2005-02-11 14:12:42 -05:00
|
|
|
else
|
|
|
|
{
|
|
|
|
ftail++;
|
|
|
|
- strncpy (buf, fname, ftail - fname);
|
|
|
|
- buf[ftail - fname] = '\0';
|
|
|
|
+ i = ftail - fname >= sizeof (buf)-1 ? sizeof (buf)-1 : ftail - fname;
|
|
|
|
+ strncpy (buf, fname, i);
|
|
|
|
+ buf[i] = '\0';
|
|
|
|
}
|
|
|
|
|
|
|
|
if (nup > 1)
|
2008-12-09 11:00:17 -05:00
|
|
|
@@ -2385,9 +2391,10 @@ recognize_eps_file (Token *token)
|
2005-02-11 14:12:42 -05:00
|
|
|
MESSAGE (2, (stderr, "^@epsf=\"%s\"\n", token->u.epsf.filename));
|
|
|
|
|
|
|
|
i = strlen (token->u.epsf.filename);
|
|
|
|
+ /*
|
|
|
|
if (i > 0 && token->u.epsf.filename[i - 1] == '|')
|
|
|
|
{
|
|
|
|
- /* Read EPS data from pipe. */
|
|
|
|
+ / * Read EPS data from pipe. * /
|
|
|
|
token->u.epsf.pipe = 1;
|
|
|
|
token->u.epsf.filename[i - 1] = '\0';
|
|
|
|
token->u.epsf.fp = popen (token->u.epsf.filename, "r");
|
2008-12-09 11:00:17 -05:00
|
|
|
@@ -2400,6 +2407,7 @@ recognize_eps_file (Token *token)
|
2005-02-11 14:12:42 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
+ */
|
|
|
|
{
|
|
|
|
char *filename;
|
|
|
|
|