diff options
Diffstat (limited to 'poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0001.patch')
| -rw-r--r-- | poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0001.patch | 177 |
1 files changed, 0 insertions, 177 deletions
diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0001.patch b/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0001.patch deleted file mode 100644 index b2c1ade4b..000000000 --- a/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0001.patch +++ /dev/null @@ -1,177 +0,0 @@ -From c8c77690199b677f70093824382f0881e643e17b Mon Sep 17 00:00:00 2001 -From: Chris Liddell <chris.liddell@artifex.com> -Date: Wed, 5 Dec 2018 12:22:13 +0000 -Subject: [PATCH 1/7] Sanitize op stack for error conditions - -We save the stacks to an array and store the array for the error handler to -access. - -For SAFER, we traverse the array, and deep copy any op arrays (procedures). As -we make these copies, we check for operators that do *not* exist in systemdict, -when we find one, we replace the operator with a name object (of the form -"/--opname--"). - -CVE: CVE-2019-6116 -Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] - -Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> ---- - psi/int.mak | 3 +- - psi/interp.c | 8 ++++++ - psi/istack.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++ - psi/istack.h | 3 ++ - 4 files changed, 91 insertions(+), 1 deletion(-) - -diff --git a/psi/int.mak b/psi/int.mak -index 6ab5bf0..6b349cb 100644 ---- a/psi/int.mak -+++ b/psi/int.mak -@@ -204,7 +204,8 @@ $(PSOBJ)iparam.$(OBJ) : $(PSSRC)iparam.c $(GH)\ - $(PSOBJ)istack.$(OBJ) : $(PSSRC)istack.c $(GH) $(memory__h)\ - $(ierrors_h) $(gsstruct_h) $(gsutil_h)\ - $(ialloc_h) $(istack_h) $(istkparm_h) $(istruct_h) $(iutil_h) $(ivmspace_h)\ -- $(store_h) $(INT_MAK) $(MAKEDIRS) -+ $(store_h) $(icstate_h) $(iname_h) $(dstack_h) $(idict_h) \ -+ $(INT_MAK) $(MAKEDIRS) - $(PSCC) $(PSO_)istack.$(OBJ) $(C_) $(PSSRC)istack.c - - $(PSOBJ)iutil.$(OBJ) : $(PSSRC)iutil.c $(GH) $(math__h) $(memory__h) $(string__h)\ -diff --git a/psi/interp.c b/psi/interp.c -index 6dc0dda..aa5779c 100644 ---- a/psi/interp.c -+++ b/psi/interp.c -@@ -761,6 +761,7 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr) - uint size = ref_stack_count(pstack) - skip; - uint save_space = ialloc_space(idmemory); - int code, i; -+ ref *safety, *safe; - - if (size > 65535) - size = 65535; -@@ -778,6 +779,13 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr) - make_null(&arr->value.refs[i]); - } - } -+ if (pstack == &o_stack && dict_find_string(systemdict, "SAFETY", &safety) > 0 && -+ dict_find_string(safety, "safe", &safe) > 0 && r_has_type(safe, t_boolean) && -+ safe->value.boolval == true) { -+ code = ref_stack_array_sanitize(i_ctx_p, arr, arr); -+ if (code < 0) -+ return code; -+ } - ialloc_set_space(idmemory, save_space); - return code; - } -diff --git a/psi/istack.c b/psi/istack.c -index 8fe151f..f1a3e51 100644 ---- a/psi/istack.c -+++ b/psi/istack.c -@@ -27,6 +27,10 @@ - #include "iutil.h" - #include "ivmspace.h" /* for local/global test */ - #include "store.h" -+#include "icstate.h" -+#include "iname.h" -+#include "dstack.h" -+#include "idict.h" - - /* Forward references */ - static void init_block(ref_stack_t *pstack, const ref *pblock_array, -@@ -294,6 +298,80 @@ ref_stack_store_check(const ref_stack_t *pstack, ref *parray, uint count, - return 0; - } - -+int -+ref_stack_array_sanitize(i_ctx_t *i_ctx_p, ref *sarr, ref *darr) -+{ -+ int i, code; -+ ref obj, arr2; -+ ref *pobj2; -+ gs_memory_t *mem = (gs_memory_t *)idmemory->current; -+ -+ if (!r_is_array(sarr) || !r_has_type(darr, t_array)) -+ return_error(gs_error_typecheck); -+ -+ for (i = 0; i < r_size(sarr); i++) { -+ code = array_get(mem, sarr, i, &obj); -+ if (code < 0) -+ make_null(&obj); -+ switch(r_type(&obj)) { -+ case t_operator: -+ { -+ int index = op_index(&obj); -+ -+ if (index > 0 && index < op_def_count) { -+ const byte *data = (const byte *)(op_index_def(index)->oname + 1); -+ if (dict_find_string(systemdict, (const char *)data, &pobj2) <= 0) { -+ byte *s = gs_alloc_bytes(mem, strlen((char *)data) + 5, "ref_stack_array_sanitize"); -+ if (s) { -+ s[0] = '\0'; -+ strcpy((char *)s, "--"); -+ strcpy((char *)s + 2, (char *)data); -+ strcpy((char *)s + strlen((char *)data) + 2, "--"); -+ } -+ else { -+ s = (byte *)data; -+ } -+ code = name_ref(imemory, s, strlen((char *)s), &obj, 1); -+ if (code < 0) make_null(&obj); -+ if (s != data) -+ gs_free_object(mem, s, "ref_stack_array_sanitize"); -+ } -+ } -+ else { -+ make_null(&obj); -+ } -+ ref_assign(darr->value.refs + i, &obj); -+ break; -+ } -+ case t_array: -+ case t_shortarray: -+ case t_mixedarray: -+ { -+ int attrs = r_type_attrs(&obj) & (a_write | a_read | a_execute | a_executable); -+ /* We only want to copy executable arrays */ -+ if (attrs & (a_execute | a_executable)) { -+ code = ialloc_ref_array(&arr2, attrs, r_size(&obj), "ref_stack_array_sanitize"); -+ if (code < 0) { -+ make_null(&arr2); -+ } -+ else { -+ code = ref_stack_array_sanitize(i_ctx_p, &obj, &arr2); -+ } -+ ref_assign(darr->value.refs + i, &arr2); -+ } -+ else { -+ ref_assign(darr->value.refs + i, &obj); -+ } -+ break; -+ } -+ default: -+ ref_assign(darr->value.refs + i, &obj); -+ } -+ } -+ return 0; -+} -+ -+ - /* - * Store the top 'count' elements of a stack, starting 'skip' elements below - * the top, into an array, with or without store/undo checking. age=-1 for -diff --git a/psi/istack.h b/psi/istack.h -index 051dcbe..54be405 100644 ---- a/psi/istack.h -+++ b/psi/istack.h -@@ -129,6 +129,9 @@ int ref_stack_store(const ref_stack_t *pstack, ref *parray, uint count, - uint skip, int age, bool check, - gs_dual_memory_t *idmem, client_name_t cname); - -+int -+ref_stack_array_sanitize(i_ctx_t *i_ctx_p, ref *sarr, ref *darr); -+ - /* - * Pop the top N elements off a stack. - * The number must not exceed the number of elements in use. --- -2.18.1 - |
