cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security fix for SA40452

Browse Source 
Ghostscript "-P-" Command Line Option Security Issue.

ok kili@ (MAINTAINER)
This commit is contained in:
jasper 2010-08-19 08:19:45 +00:00
parent 786059a7ce
commit c7aa72883e
2 changed files with 218 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
print/ghostscript/gnu/Makefile
View File

@ -1,10 +1,10 @@
# $OpenBSD: Makefile,v 1.75 2010/07/26 20:07:31 edd Exp $
# $OpenBSD: Makefile,v 1.76 2010/08/19 08:19:45 jasper Exp $
COMMENT= GNU PostScript interpreter
VERSION= 8.63
DISTNAME= ghostscript-${VERSION}
REVISION= 13
REVISION= 14
CATEGORIES= print lang
SHARED_LIBS= gs 11.0

216
print/ghostscript/gnu/patches/patch-src_zfile_c Normal file
View File

@ -0,0 +1,216 @@
$OpenBSD: patch-src_zfile_c,v 1.4 2010/08/19 08:19:45 jasper Exp $
Security fix for SA40452
Ghostscript "-P-" Command Line Option Security Issue.
Patch from http://bugs.ghostscript.com/show_bug.cgi?id=691350#c15
--- src/zfile.c.orig Sun Jul 27 04:52:11 2008
+++ src/zfile.c Tue Aug 17 13:05:23 2010
@@ -896,7 +896,91 @@ check_file_permissions_aux(i_ctx_t *i_ctx_p, char *fna
return 0;
}
+/* return zero for success, -ve for error, +1 for continue */
+static int
+lib_file_open_search_with_no_combine(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx_p,
+ const char *fname, uint flen, char *buffer, int blen, uint *pclen, ref *pfile,
+ gx_io_device *iodev, bool starting_arg_file, char *fmode)
+{
+ stream *s;
+ uint blen1 = blen;
+ if (gp_file_name_reduce(fname, flen, buffer, &blen1) != gp_combine_success)
+ goto skip;
+ if (iodev_os_open_file(iodev, (const char *)buffer, blen1,
+ (const char *)fmode, &s, (gs_memory_t *)mem) == 0) {
+ if (starting_arg_file ||
+ check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
+ *pclen = blen1;
+ make_stream_file(pfile, s, "r");
+ return 0;
+ }
+ sclose(s);
+ return_error(e_invalidfileaccess);
+ }
+ skip:;
+ return 1;
+}
+/* return zero for success, -ve for error, +1 for continue */
+static int
+lib_file_open_search_with_combine(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx_p,
+ const char *fname, uint flen, char *buffer, int blen, uint *pclen, ref *pfile,
+ gx_io_device *iodev, bool starting_arg_file, char *fmode)
+{
+ stream *s;
+ const gs_file_path *pfpath = lib_path;
+ uint pi;
+
+ for (pi = 0; pi < r_size(&pfpath->list); ++pi) {
+ const ref *prdir = pfpath->list.value.refs + pi;
+ const char *pstr = (const char *)prdir->value.const_bytes;
+ uint plen = r_size(prdir), blen1 = blen;
+ gs_parsed_file_name_t pname;
+ gp_file_name_combine_result r;
+
+ /* We need to concatenate and parse the file name here
+ * if this path has a %device% prefix. */
+ if (pstr[0] == '%') {
+ int code;
+
+ /* We concatenate directly since gp_file_name_combine_*
+ * rules are not correct for other devices such as %rom% */
+ code = gs_parse_file_name(&pname, pstr, plen);
+ if (code < 0)
+ continue;
+ memcpy(buffer, pname.fname, pname.len);
+ memcpy(buffer+pname.len, fname, flen);
+ code = pname.iodev->procs.open_file(pname.iodev, buffer, pname.len + flen, fmode,
+ &s, (gs_memory_t *)mem);
+ if (code < 0)
+ continue;
+ make_stream_file(pfile, s, "r");
+ /* fill in the buffer with the device concatenated */
+ memcpy(buffer, pstr, plen);
+ memcpy(buffer+plen, fname, flen);
+ *pclen = plen + flen;
+ return 0;
+ } else {
+ r = gp_file_name_combine(pstr, plen,
+ fname, flen, false, buffer, &blen1);
+ if (r != gp_combine_success)
+ continue;
+ if (iodev_os_open_file(iodev, (const char *)buffer, blen1, (const char *)fmode,
+ &s, (gs_memory_t *)mem) == 0) {
+ if (starting_arg_file ||
+ check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
+ *pclen = blen1;
+ make_stream_file(pfile, s, "r");
+ return 0;
+ }
+ sclose(s);
+ return_error(e_invalidfileaccess);
+ }
+ }
+ }
+ return 1;
+}
+
/* Return a file object of of the file searched for using the search paths. */
/* The fname cannot contain a device part (%...%) but the lib paths might. */
/* The startup code calls this to open the initialization file gs_init.ps. */
@@ -913,6 +997,8 @@ lib_file_open(gs_file_path_ptr lib_path, const gs_mem
char fmode[4] = { 'r', 0, 0, 0 }; /* room for binary suffix */
stream *s;
gx_io_device *iodev = iodev_default;
+ gs_main_instance *minst = get_minst_from_memory(mem);
+ int code;
/* when starting arg files (@ files) iodev_default is not yet set */
if (iodev == 0)
@@ -926,75 +1012,37 @@ lib_file_open(gs_file_path_ptr lib_path, const gs_mem
search_with_no_combine = starting_arg_file;
search_with_combine = true;
}
- if (search_with_no_combine) {
- uint blen1 = blen;
- if (gp_file_name_reduce(fname, flen, buffer, &blen1) != gp_combine_success)
- goto skip;
- if (iodev_os_open_file(iodev, (const char *)buffer, blen1,
- (const char *)fmode, &s, (gs_memory_t *)mem) == 0) {
- if (starting_arg_file ||
- check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
- *pclen = blen1;
- make_stream_file(pfile, s, "r");
- return 0;
- }
- iodev_os_fclose(iodev, s->file);
- return_error(e_invalidfileaccess);
- }
- skip:;
- }
- if (search_with_combine) {
- const gs_file_path *pfpath = lib_path;
- uint pi;
-
- for (pi = 0; pi < r_size(&pfpath->list); ++pi) {
- const ref *prdir = pfpath->list.value.refs + pi;
- const char *pstr = (const char *)prdir->value.const_bytes;
- uint plen = r_size(prdir), blen1 = blen;
- gs_parsed_file_name_t pname;
- gp_file_name_combine_result r;
-
- /* We need to concatenate and parse the file name here
- * if this path has a %device% prefix. */
- if (pstr[0] == '%') {
- int code;
-
- /* We concatenate directly since gp_file_name_combine_*
- * rules are not correct for other devices such as %rom% */
- if (i_ctx_p == NULL)
- continue; /* devices not yet initialized */
- gs_parse_file_name(&pname, pstr, plen);
- memcpy(buffer, pname.fname, pname.len);
- memcpy(buffer+pname.len, fname, flen);
- code = pname.iodev->procs.open_file(pname.iodev, buffer, pname.len + flen, fmode,
- &s, (gs_memory_t *)mem);
- if (code < 0)
- continue;
- make_stream_file(pfile, s, "r");
- /* fill in the buffer with the device concatenated */
- memcpy(buffer, pstr, plen);
- memcpy(buffer+plen, fname, flen);
- *pclen = plen + flen;
- return 0;
- } else {
- r = gp_file_name_combine(pstr, plen,
- fname, flen, false, buffer, &blen1);
- if (r != gp_combine_success)
- continue;
- if (iodev_os_open_file(iodev, (const char *)buffer, blen1, (const char *)fmode,
- &s, (gs_memory_t *)mem) == 0) {
- if (starting_arg_file ||
- check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
- *pclen = blen1;
- make_stream_file(pfile, s, "r");
- return 0;
- }
- iodev_os_fclose(iodev, s->file);
- return_error(e_invalidfileaccess);
- }
- }
- }
+ if (minst->search_here_first) {
+ if (search_with_no_combine) {
+ code = lib_file_open_search_with_no_combine(lib_path, mem, i_ctx_p,
+ fname, flen, buffer, blen, pclen, pfile,
+ iodev, starting_arg_file, fmode);
+ if (code <= 0) /* +ve means continue continue */
+ return code;
+ }
+ if (search_with_combine) {
+ code = lib_file_open_search_with_combine(lib_path, mem, i_ctx_p,
+ fname, flen, buffer, blen, pclen, pfile,
+ iodev, starting_arg_file, fmode);
+ if (code <= 0) /* +ve means continue searching */
+ return code;
+ }
+ } else {
+ if (search_with_combine) {
+ code = lib_file_open_search_with_combine(lib_path, mem, i_ctx_p,
+ fname, flen, buffer, blen, pclen, pfile,
+ iodev, starting_arg_file, fmode);
+ if (code <= 0) /* +ve means continue searching */
+ return code;
+ }
+ if (search_with_no_combine) {
+ code = lib_file_open_search_with_no_combine(lib_path, mem, i_ctx_p,
+ fname, flen, buffer, blen, pclen, pfile,
+ iodev, starting_arg_file, fmode);
+ if (code <= 0) /* +ve means continue searching */
+ return code;
+ }
}
return_error(e_undefinedfilename);
}