diff --git a/package/ghostscript/0001-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch b/package/ghostscript/0001-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch new file mode 100644 index 0000000000..bb1227f687 --- /dev/null +++ b/package/ghostscript/0001-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch @@ -0,0 +1,28 @@ +From 830afae5454dea3bff903869d82022306890a96c Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Fri, 1 Oct 2021 12:44:44 +0100 +Subject: [PATCH] Bug 704405: Fix typo in non-forked lcms2 code. + +[Retrieved from: +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=830afae5454dea3bff903869d82022306890a96c] +Signed-off-by: Fabrice Fontaine +--- + base/gsicc_lcms2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/gsicc_lcms2.c b/base/gsicc_lcms2.c +index ccf1d7051..9badb6dee 100644 +--- a/base/gsicc_lcms2.c ++++ b/base/gsicc_lcms2.c +@@ -462,7 +462,7 @@ int + gscms_transform_color(gx_device *dev, gsicc_link_t *icclink, void *inputcolor, + void *outputcolor, int num_bytes) + { +- return gscms_transformm_color_const(dev, icclink, inputcolor, outputcolor, num_bytes); ++ return gscms_transform_color_const(dev, icclink, inputcolor, outputcolor, num_bytes); + } + + int +-- +2.25.1 + diff --git a/package/ghostscript/0001-bug-702985-drop-use-of-FT_CALLBACK_DEF.patch b/package/ghostscript/0001-bug-702985-drop-use-of-FT_CALLBACK_DEF.patch deleted file mode 100644 index 044dcc72f1..0000000000 --- a/package/ghostscript/0001-bug-702985-drop-use-of-FT_CALLBACK_DEF.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 41ef9a0bc36b9db7115fbe9623f989bfb47bbade Mon Sep 17 00:00:00 2001 -From: Chris Liddell -Date: Tue, 20 Oct 2020 09:49:45 +0100 -Subject: [PATCH] Bug 702985: drop use of FT_CALLBACK_DEF() def - -From 2.10.3, Freetype disappeared the FT_CALLBACK_DEF() macro, which is what -we used when defining our callbacks from Freetype. - -No guidance forthcoming from the Freetype developer who made those changes, -so change to explicitly declaring the callbacks file static. - -Should fix the reported build failures. - -Downloaded from upstream commit: -https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b - -Signed-off-by: Bernd Kuhls ---- - base/fapi_ft.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/base/fapi_ft.c b/base/fapi_ft.c -index 65fa6dcf4..21aef2f06 100644 ---- a/base/fapi_ft.c -+++ b/base/fapi_ft.c -@@ -125,7 +125,7 @@ static void - delete_inc_int_info(gs_fapi_server * a_server, - FT_IncrementalRec * a_inc_int_info); - --FT_CALLBACK_DEF(void *) -+static void * - FF_alloc(FT_Memory memory, long size) - { - gs_memory_t *mem = (gs_memory_t *) memory->user; -@@ -133,7 +133,7 @@ FF_alloc(FT_Memory memory, long size) - return (gs_malloc(mem, size, 1, "FF_alloc")); - } - --FT_CALLBACK_DEF(void *) -+static void * - FF_realloc(FT_Memory memory, long cur_size, long new_size, void *block) - { - gs_memory_t *mem = (gs_memory_t *) memory->user; -@@ -153,7 +153,7 @@ FT_CALLBACK_DEF(void *) - return (tmp); - } - --FT_CALLBACK_DEF(void) -+static void - FF_free(FT_Memory memory, void *block) - { - gs_memory_t *mem = (gs_memory_t *) memory->user; --- -2.17.1 - diff --git a/package/ghostscript/0002-Bug-704342-Include-device-specifier-strings-in-acces.patch b/package/ghostscript/0002-Bug-704342-Include-device-specifier-strings-in-acces.patch deleted file mode 100644 index 81436d8228..0000000000 --- a/package/ghostscript/0002-Bug-704342-Include-device-specifier-strings-in-acces.patch +++ /dev/null @@ -1,234 +0,0 @@ -From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001 -From: Chris Liddell -Date: Tue, 7 Sep 2021 20:36:12 +0100 -Subject: [PATCH] Bug 704342: Include device specifier strings in access - validation - -for the "%pipe%", %handle%" and %printer% io devices. - -We previously validated only the part after the "%pipe%" Postscript device -specifier, but this proved insufficient. - -This rebuilds the original file name string, and validates it complete. The -slight complication for "%pipe%" is it can be reached implicitly using -"|" so we have to check both prefixes. - -Addresses CVE-2021-3781 - -Signed-off-by: Peter Korsgaard ---- - base/gdevpipe.c | 22 +++++++++++++++- - base/gp_mshdl.c | 11 +++++++- - base/gp_msprn.c | 10 ++++++- - base/gp_os2pr.c | 13 +++++++++- - base/gslibctx.c | 69 ++++++++++--------------------------------------- - 5 files changed, 65 insertions(+), 60 deletions(-) - -diff --git a/base/gdevpipe.c b/base/gdevpipe.c -index 96d71f5d8..5bdc485be 100644 ---- a/base/gdevpipe.c -+++ b/base/gdevpipe.c -@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access, - #else - gs_lib_ctx_t *ctx = mem->gs_lib_ctx; - gs_fs_list_t *fs = ctx->core->fs; -+ /* The pipe device can be reached in two ways, explicltly with %pipe% -+ or implicitly with "|", so we have to check for both -+ */ -+ char f[gp_file_name_sizeof]; -+ const char *pipestr = "|"; -+ const size_t pipestrlen = strlen(pipestr); -+ const size_t preflen = strlen(iodev->dname); -+ const size_t nlen = strlen(fname); -+ int code1; -+ -+ if (preflen + nlen >= gp_file_name_sizeof) -+ return_error(gs_error_invalidaccess); -+ -+ memcpy(f, iodev->dname, preflen); -+ memcpy(f + preflen, fname, nlen + 1); -+ -+ code1 = gp_validate_path(mem, f, access); -+ -+ memcpy(f, pipestr, pipestrlen); -+ memcpy(f + pipestrlen, fname, nlen + 1); - -- if (gp_validate_path(mem, fname, access) != 0) -+ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 ) - return gs_error_invalidfileaccess; - - /* -diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c -index 2b964ed74..8d87ceadc 100644 ---- a/base/gp_mshdl.c -+++ b/base/gp_mshdl.c -@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access, - long hfile; /* Correct for Win32, may be wrong for Win64 */ - gs_lib_ctx_t *ctx = mem->gs_lib_ctx; - gs_fs_list_t *fs = ctx->core->fs; -+ char f[gp_file_name_sizeof]; -+ const size_t preflen = strlen(iodev->dname); -+ const size_t nlen = strlen(fname); - -- if (gp_validate_path(mem, fname, access) != 0) -+ if (preflen + nlen >= gp_file_name_sizeof) -+ return_error(gs_error_invalidaccess); -+ -+ memcpy(f, iodev->dname, preflen); -+ memcpy(f + preflen, fname, nlen + 1); -+ -+ if (gp_validate_path(mem, f, access) != 0) - return gs_error_invalidfileaccess; - - /* First we try the open_handle method. */ -diff --git a/base/gp_msprn.c b/base/gp_msprn.c -index ed4827968..746a974f7 100644 ---- a/base/gp_msprn.c -+++ b/base/gp_msprn.c -@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, - uintptr_t *ptid = &((tid_t *)(iodev->state))->tid; - gs_lib_ctx_t *ctx = mem->gs_lib_ctx; - gs_fs_list_t *fs = ctx->core->fs; -+ const size_t preflen = strlen(iodev->dname); -+ const size_t nlen = strlen(fname); - -- if (gp_validate_path(mem, fname, access) != 0) -+ if (preflen + nlen >= gp_file_name_sizeof) -+ return_error(gs_error_invalidaccess); -+ -+ memcpy(pname, iodev->dname, preflen); -+ memcpy(pname + preflen, fname, nlen + 1); -+ -+ if (gp_validate_path(mem, pname, access) != 0) - return gs_error_invalidfileaccess; - - /* First we try the open_printer method. */ -diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c -index f852c71fc..ba54cde66 100644 ---- a/base/gp_os2pr.c -+++ b/base/gp_os2pr.c -@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, - FILE ** pfile, char *rfname, uint rnamelen) - { - os2_printer_t *pr = (os2_printer_t *)iodev->state; -- char driver_name[256]; -+ char driver_name[gp_file_name_sizeof]; - gs_lib_ctx_t *ctx = mem->gs_lib_ctx; - gs_fs_list_t *fs = ctx->core->fs; -+ const size_t preflen = strlen(iodev->dname); -+ const int size_t = strlen(fname); -+ -+ if (preflen + nlen >= gp_file_name_sizeof) -+ return_error(gs_error_invalidaccess); -+ -+ memcpy(driver_name, iodev->dname, preflen); -+ memcpy(driver_name + preflen, fname, nlen + 1); -+ -+ if (gp_validate_path(mem, driver_name, access) != 0) -+ return gs_error_invalidfileaccess; - - /* First we try the open_printer method. */ - /* Note that the loop condition here ensures we don't -diff --git a/base/gslibctx.c b/base/gslibctx.c -index 6dfed6cd5..318039fad 100644 ---- a/base/gslibctx.c -+++ b/base/gslibctx.c -@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s) - int - gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) - { -- char *fp, f[gp_file_name_sizeof]; -- const int pipe = 124; /* ASCII code for '|' */ -- const int len = strlen(fname); -- int i, code; -+ char f[gp_file_name_sizeof]; -+ int code; - - /* Be sure the string copy will fit */ -- if (len >= gp_file_name_sizeof) -+ if (strlen(fname) >= gp_file_name_sizeof) - return gs_error_rangecheck; - strcpy(f, fname); -- fp = f; - /* Try to rewrite any %d (or similar) in the string */ - rewrite_percent_specifiers(f); -- for (i = 0; i < len; i++) { -- if (f[i] == pipe) { -- fp = &f[i + 1]; -- /* Because we potentially have to check file permissions at two levels -- for the output file (gx_device_open_output_file and the low level -- fopen API, if we're using a pipe, we have to add both the full string, -- (including the '|', and just the command to which we pipe - since at -- the pipe_fopen(), the leading '|' has been stripped. -- */ -- code = gs_add_control_path(mem, gs_permit_file_writing, f); -- if (code < 0) -- return code; -- code = gs_add_control_path(mem, gs_permit_file_control, f); -- if (code < 0) -- return code; -- break; -- } -- if (!IS_WHITESPACE(f[i])) -- break; -- } -- code = gs_add_control_path(mem, gs_permit_file_control, fp); -+ -+ code = gs_add_control_path(mem, gs_permit_file_control, f); - if (code < 0) - return code; -- return gs_add_control_path(mem, gs_permit_file_writing, fp); -+ return gs_add_control_path(mem, gs_permit_file_writing, f); - } - - int - gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) - { -- char *fp, f[gp_file_name_sizeof]; -- const int pipe = 124; /* ASCII code for '|' */ -- const int len = strlen(fname); -- int i, code; -+ char f[gp_file_name_sizeof]; -+ int code; - - /* Be sure the string copy will fit */ -- if (len >= gp_file_name_sizeof) -+ if (strlen(fname) >= gp_file_name_sizeof) - return gs_error_rangecheck; - strcpy(f, fname); -- fp = f; - /* Try to rewrite any %d (or similar) in the string */ -- for (i = 0; i < len; i++) { -- if (f[i] == pipe) { -- fp = &f[i + 1]; -- /* Because we potentially have to check file permissions at two levels -- for the output file (gx_device_open_output_file and the low level -- fopen API, if we're using a pipe, we have to add both the full string, -- (including the '|', and just the command to which we pipe - since at -- the pipe_fopen(), the leading '|' has been stripped. -- */ -- code = gs_remove_control_path(mem, gs_permit_file_writing, f); -- if (code < 0) -- return code; -- code = gs_remove_control_path(mem, gs_permit_file_control, f); -- if (code < 0) -- return code; -- break; -- } -- if (!IS_WHITESPACE(f[i])) -- break; -- } -- code = gs_remove_control_path(mem, gs_permit_file_control, fp); -+ rewrite_percent_specifiers(f); -+ -+ code = gs_remove_control_path(mem, gs_permit_file_control, f); - if (code < 0) - return code; -- return gs_remove_control_path(mem, gs_permit_file_writing, fp); -+ return gs_remove_control_path(mem, gs_permit_file_writing, f); - } - - int --- -2.20.1 - diff --git a/package/ghostscript/0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch b/package/ghostscript/0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch deleted file mode 100644 index 352f1754f6..0000000000 --- a/package/ghostscript/0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001 -From: Chris Liddell -Date: Fri, 12 Feb 2021 10:34:23 +0000 -Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation. - -During function result sampling, after the callout to the Postscript -interpreter, make sure there is enough stack space available before pushing -or popping entries. - -In thise case, the Postscript procedure for the "function" is totally invalid -(as a function), and leaves the op stack in an unrecoverable state (as far as -function evaluation is concerned). We end up popping more entries off the -stack than are available. - -To cope, add in stack limit checking to throw an appropriate error when this -happens. - -[Retrieved from: -https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7861fcad13c497728189feafb41cd57b5b50ea25] -Signed-off-by: Fabrice Fontaine ---- - psi/zfsample.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/psi/zfsample.c b/psi/zfsample.c -index 290809405..652ae02c6 100644 ---- a/psi/zfsample.c -+++ b/psi/zfsample.c -@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p) - } else { - if (stack_depth_adjust) { - stack_depth_adjust -= num_out; -- push(O_STACK_PAD - stack_depth_adjust); -- for (i=0;i -Date: Tue, 1 Jun 2021 19:57:16 +0100 -Subject: [PATCH] Bug 703902: Fix op stack management in - sampled_data_continue() - -Replace pop() (which does no checking, and doesn't handle stack extension -blocks) with ref_stack_pop() which does do all that. - -We still use pop() in one case (it's faster), but we have to later use -ref_stack_pop() before calling sampled_data_sample() which also accesses the -op stack. - -Fixes: -https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 - -[Retrieved from: -https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7] -Signed-off-by: Fabrice Fontaine ---- - psi/zfsample.c | 16 ++++++++++------ - 1 file changed, 10 insertions(+), 6 deletions(-) - -diff --git a/psi/zfsample.c b/psi/zfsample.c -index 0e8e4bc8d..00cd0cfdd 100644 ---- a/psi/zfsample.c -+++ b/psi/zfsample.c -@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p) - for (j = 0; j < bps; j++) - data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */ - } -- pop(num_out); /* Move op to base of result values */ - -- /* Check if we are done collecting data. */ -+ pop(num_out); /* Move op to base of result values */ - -+ /* From here on, we have to use ref_stack_pop() rather than pop() -+ so that it handles stack extension blocks properly, before calling -+ sampled_data_sample() which also uses the op stack. -+ */ -+ /* Check if we are done collecting data. */ - if (increment_cube_indexes(params, penum->indexes)) { - if (stack_depth_adjust == 0) -- pop(O_STACK_PAD); /* Remove spare stack space */ -+ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */ - else -- pop(stack_depth_adjust - num_out); -+ ref_stack_pop(&o_stack, stack_depth_adjust - num_out); - /* Execute the closing procedure, if given */ - code = 0; - if (esp_finish_proc != 0) -@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p) - if ((O_STACK_PAD - stack_depth_adjust) < 0) { - stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); - check_op(stack_depth_adjust); -- pop(stack_depth_adjust); -+ ref_stack_pop(&o_stack, stack_depth_adjust); - } - else { - check_ostack(O_STACK_PAD - stack_depth_adjust); -- push(O_STACK_PAD - stack_depth_adjust); -+ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust); - for (i=0;i