$OpenBSD: patch-src_psgen_c,v 1.3 2008/12/09 16:00:18 jasper Exp $ Among the changes in this patch are security fixes for CVE-2008-3863 and CVE-2008-4306 . Patch by Werner Fink, Debian #506261
--- src/psgen.c.orig Thu Jan 24 08:38:58 2002
+++ src/psgen.c Tue Dec 9 16:54:50 2008
@@ -24,6 +24,7 @@
 * Boston, MA 02111-1307, USA.
 */
+#include
 #include "gsint.h"
 /*
@@ -124,7 +125,7 @@ struct gs_token_st
 double xscale;
 double yscale;
 int llx, lly, urx, ury; /* Bounding box. */
- char filename[512];
+ char filename[PATH_MAX];
 char *skipbuf;
 unsigned int skipbuf_len;
 unsigned int skipbuf_pos;
@@ -135,11 +136,11 @@ struct gs_token_st
 Color bgcolor;
 struct {
- char name[512];
+ char name[PATH_MAX];
 FontPoint size;
 InputEncoding encoding;
 } font;
- char filename[512];
+ char filename[PATH_MAX];
 } u;
 };
@@ -248,7 +249,7 @@ static int do_print = 1;
 static int user_fontp = 0;
 /* The user ^@font{}-defined font. */
-static char user_font_name[256];
+static char user_font_name[PATH_MAX];
 static FontPoint user_font_pt;
 static InputEncoding user_font_encoding;
@@ -978,7 +979,8 @@ large for page\n"),
 FATAL ((stderr, _("user font encoding can be only the system's default or `ps'")));
- strcpy (user_font_name, token.u.font.name);
+ memset (user_font_name, 0, sizeof(user_font_name));
+ strncpy (user_font_name, token.u.font.name, sizeof(user_font_name) - 1);
 user_font_pt.w = token.u.font.size.w;
 user_font_pt.h = token.u.font.size.h;
 user_font_encoding = token.u.font.encoding;
@@ -1444,7 +1446,7 @@ read_special_escape (InputStream *is, Token *token)
 buf[i] = ch;
 if (i + 1 >= sizeof (buf))
 FATAL ((stderr, _("too long argument for %s escape:\n%.*s"),
- escapes[i].name, i, buf));
+ escapes[e].name, i, buf));
 }
 buf[i] = '\0';
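Review bot: The `memset` + `strncpy (..., sizeof (dst) - 1)` pair introduced in the `@@ -978,7 +979,8 @@` hunk (and repeated at -1452, -1465 and -1544 in `read_special_escape`) bounds the copy, but an over-long source is truncated silently rather than rejected. Whether truncation can actually occur depends on the size of `buf` and of the string behind `cp`, neither of which is declared in the visible hunks. The rest of this file reports oversized escape arguments through `FATAL`, so an explicit length check before the copy would be more consistent than continuing with a shortened font or file name. Clearing the whole `PATH_MAX` buffer is also more than needed: `strncpy` zero-pads up to its count, so `user_font_name[sizeof (user_font_name) - 1] = '\0';` after the copy gives the same termination guarantee.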
@@ -1452,7 +1454,8 @@ read_special_escape (InputStream *is, Token *token)
 switch (escapes[e].escape)
 {
 case ESC_FONT:
- strcpy (token->u.font.name, buf);
+ memset (token->u.font.name, 0, sizeof(token->u.font.name));
+ strncpy (token->u.font.name, buf, sizeof(token->u.font.name) - 1);
 /* Check for the default font. */
 if (strcmp (token->u.font.name, "default") == 0)
@@ -1465,7 +1468,8 @@ read_special_escape (InputStream *is, Token *token)
 FATAL ((stderr, _("malformed font spec for ^@font escape: %s"), token->u.font.name));
- strcpy (token->u.font.name, cp);
+ memset (token->u.font.name, 0, sizeof(token->u.font.name));
+ strncpy (token->u.font.name, cp, sizeof(token->u.font.name) - 1);
 xfree (cp);
 }
 token->type = tFONT;
@@ -1544,7 +1548,8 @@ read_special_escape (InputStream *is, Token *token)
 break;
 case ESC_SETFILENAME:
- strcpy (token->u.filename, buf);
+ memset (token->u.filename, 0, sizeof(token->u.font.name));
+ strncpy (token->u.filename, buf, sizeof(token->u.filename) - 1);
 token->type = tSETFILENAME;
 break;
@@ -2034,8 +2039,9 @@ dump_ps_page_header (char *fname, int empty)
 else
 {
 ftail++;
- strncpy (buf, fname, ftail - fname);
- buf[ftail - fname] = '\0';
+ i = ftail - fname >= sizeof (buf)-1 ? sizeof (buf)-1 : ftail - fname;
+ strncpy (buf, fname, i);
+ buf[i] = '\0';
 }
 if (nup > 1)
@@ -2385,9 +2391,10 @@ recognize_eps_file (Token *token)
 MESSAGE (2, (stderr, "^@epsf=\"%s\"\n", token->u.epsf.filename));
 i = strlen (token->u.epsf.filename);
+ /*
 if (i > 0 && token->u.epsf.filename[i - 1] == '|')
 {
- /* Read EPS data from pipe. */
+ / * Read EPS data from pipe. * /
 token->u.epsf.pipe = 1;
 token->u.epsf.filename[i - 1] = '\0';
 token->u.epsf.fp = popen (token->u.epsf.filename, "r");
@@ -2400,6 +2407,7 @@ recognize_eps_file (Token *token)
 }
 }
 else
+ */
 {
 char *filename;
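Review bot: In the `ESC_SETFILENAME` case (hunk `@@ -1544,7 +1548,8 @@`) the `memset` clears `token->u.filename` but takes its length from a different union member, `sizeof(token->u.font.name)`. Both arrays are declared `PATH_MAX` by this same patch, so the sizes agree today, but the call clears the wrong number of bytes as soon as one of the two declarations changes. The line should read `memset (token->u.filename, 0, sizeof(token->u.filename));`, matching the bound used by the `strncpy` on the next line.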
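Review bot: The clamp added in `dump_ps_page_header` (hunk `@@ -2034,8 +2039,9 @@`) packs a signed pointer difference, an unsigned `sizeof` and the result into one ternary, and `i` and `buf` are declared outside the hunk, so the conversions involved cannot be checked from here. Splitting it keeps the bound obvious: `i = ftail - fname;` followed by `if ((size_t) i > sizeof (buf) - 1) i = sizeof (buf) - 1;`. A directory prefix that does not fit is shortened without any diagnostic, which deserves at least a comment such as `/* Over-long directory part is truncated to fit buf. */`. The function body continues outside the hunk.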
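Review bot: The pipe branch in `recognize_eps_file` is disabled by wrapping it in `/* ... */` (opened in hunk `@@ -2385,9 +2391,10 @@`, closed in `@@ -2400,6 +2407,7 @@`), which forced the inner comment to be mangled into `/ * Read EPS data from pipe. * /`. Any other comment in the lines between the two hunks, which are not visible here, would close the block early. `#if 0` / `#endif`, or deleting the branch outright, is the robust way to remove it, together with a short comment recording the reason, e.g. `/* Pipe input disabled: the ^@epsf file name is taken from the input document and must not reach popen(). */`. With the branch gone, a name ending in `|` falls through to the regular-file path, so any user documentation that advertises pipe input for `^@epsf` should be updated alongside.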