[jackhill/guix/guix.git] / gnu / packages / patches / ghostscript-CVE-2017-8291.patch

Fix CVE-2017-8291:

https://bugs.ghostscript.com/show_bug.cgi?id=697799
https://bugs.ghostscript.com/show_bug.cgi?id=697808 (duplicate)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8291

Patches copied from upstream source repository:

https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=04b37bbce174eed24edec7ad5b920eb93db4d47d
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=57f20719e1cfaea77b67cb26e26de7fe4d7f9b2e
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ccfd2c75ac9be4cbd369e4cbdd40ba11a0c7bdad

From 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 27 Apr 2017 13:03:33 +0100
Subject: [PATCH] Bug 697799: have .eqproc check its parameters

The Ghostscript custom operator .eqproc was not check the number or type of
the parameters it was given.
---
 psi/zmisc3.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/psi/zmisc3.c b/psi/zmisc3.c
index 54b304246..37293ff4b 100644
--- a/psi/zmisc3.c
+++ b/psi/zmisc3.c
@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
     ref2_t stack[MAX_DEPTH + 1];
     ref2_t *top = stack;
 
+    if (ref_stack_count(&o_stack) < 2)
+        return_error(gs_error_stackunderflow);
+    if (!r_is_array(op - 1) || !r_is_array(op)) {
+        return_error(gs_error_typecheck);
+    }
+
     make_array(&stack[0].proc1, 0, 1, op - 1);
     make_array(&stack[0].proc2, 0, 1, op);
     for (;;) {
-- 
2.13.0

From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 27 Apr 2017 13:21:31 +0100
Subject: [PATCH] Bug 697799: have .rsdparams check its parameters

The Ghostscript internal operator .rsdparams wasn't checking the number or
type of the operands it was being passed. Do so.
---
 psi/zfrsd.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/psi/zfrsd.c b/psi/zfrsd.c
index 191107d8a..950588d69 100644
--- a/psi/zfrsd.c
+++ b/psi/zfrsd.c
@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
     ref *pFilter;
     ref *pDecodeParms;
     int Intent = 0;
-    bool AsyncRead;
+    bool AsyncRead = false;
     ref empty_array, filter1_array, parms1_array;
     uint i;
-    int code;
+    int code = 0;
+
+    if (ref_stack_count(&o_stack) < 1)
+        return_error(gs_error_stackunderflow);
+    if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
+        return_error(gs_error_typecheck);
+    }
 
     make_empty_array(&empty_array, a_readonly);
-    if (dict_find_string(op, "Filter", &pFilter) > 0) {
+    if (r_has_type(op, t_dictionary)
+        && dict_find_string(op, "Filter", &pFilter) > 0) {
         if (!r_is_array(pFilter)) {
             if (!r_has_type(pFilter, t_name))
                 return_error(gs_error_typecheck);
@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
                 return_error(gs_error_typecheck);
         }
     }
-    code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+    if (r_has_type(op, t_dictionary))
+        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
     if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
         return code;
-    if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
-        )
-        return code;
+    if (r_has_type(op, t_dictionary))
+        if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
+            return code;
     push(1);
     op[-1] = *pFilter;
     if (pDecodeParms)
-- 
2.13.0

From 57f20719e1cfaea77b67cb26e26de7fe4d7f9b2e Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 3 May 2017 12:05:45 +0100
Subject: [PATCH] Bug 697846: revision to commit 4f83478c88 (.eqproc)

When using the "DELAYBIND" feature, it turns out that .eqproc can be called with
parameters that are not both procedures. In this case, it turns out, the
expectation is for the operator to return 'false', rather than throw an error.
---
 psi/zmisc3.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/psi/zmisc3.c b/psi/zmisc3.c
index 37293ff4b..3f01d39a3 100644
--- a/psi/zmisc3.c
+++ b/psi/zmisc3.c
@@ -38,6 +38,15 @@ zcliprestore(i_ctx_t *i_ctx_p)
     return gs_cliprestore(igs);
 }
 
+static inline bool
+eqproc_check_type(ref *r)
+{
+    return r_has_type(r, t_array)
+           || r_has_type(r, t_mixedarray)
+           || r_has_type(r, t_shortarray)
+           || r_has_type(r, t_oparray);
+}
+
 /* <proc1> <proc2> .eqproc <bool> */
 /*
  * Test whether two procedures are equal to depth 10.
@@ -58,8 +67,10 @@ zeqproc(i_ctx_t *i_ctx_p)
 
     if (ref_stack_count(&o_stack) < 2)
         return_error(gs_error_stackunderflow);
-    if (!r_is_array(op - 1) || !r_is_array(op)) {
-        return_error(gs_error_typecheck);
+    if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) {
+        make_false(op - 1);
+        pop(1);
+        return 0;
     }
 
     make_array(&stack[0].proc1, 0, 1, op - 1);
-- 
2.13.0

From ccfd2c75ac9be4cbd369e4cbdd40ba11a0c7bdad Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 11 May 2017 14:07:48 +0100
Subject: [PATCH] Bug 697892: fix check for op stack underflow.

In the original fix, I used the wrong method to check for stack underflow, this
is using the correct method.
---
 psi/zfrsd.c  | 3 +--
 psi/zmisc3.c | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/psi/zfrsd.c b/psi/zfrsd.c
index 950588d69..9c035b96d 100644
--- a/psi/zfrsd.c
+++ b/psi/zfrsd.c
@@ -54,8 +54,7 @@ zrsdparams(i_ctx_t *i_ctx_p)
     uint i;
     int code = 0;
 
-    if (ref_stack_count(&o_stack) < 1)
-        return_error(gs_error_stackunderflow);
+    check_op(1);
     if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
         return_error(gs_error_typecheck);
     }
diff --git a/psi/zmisc3.c b/psi/zmisc3.c
index 3f01d39a3..43803b55b 100644
--- a/psi/zmisc3.c
+++ b/psi/zmisc3.c
@@ -65,8 +65,7 @@ zeqproc(i_ctx_t *i_ctx_p)
     ref2_t stack[MAX_DEPTH + 1];
     ref2_t *top = stack;
 
-    if (ref_stack_count(&o_stack) < 2)
-        return_error(gs_error_stackunderflow);
+    check_op(2);
     if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) {
         make_false(op - 1);
         pop(1);
-- 
2.13.0
Commit	Line	Data
a01f1575 LF	1	Fix CVE-2017-8291:
a01f1575 LF	2
d6158fe7 LF	3	https://bugs.ghostscript.com/show_bug.cgi?id=697799
	4	https://bugs.ghostscript.com/show_bug.cgi?id=697808 (duplicate)
	5	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8291
a01f1575	6
d6158fe7	7	Patches copied from upstream source repository:
a01f1575	8
d6158fe7 LF	9	https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3
	10	https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=04b37bbce174eed24edec7ad5b920eb93db4d47d
	11	https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=57f20719e1cfaea77b67cb26e26de7fe4d7f9b2e
	12	https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ccfd2c75ac9be4cbd369e4cbdd40ba11a0c7bdad
	13
	14	From 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 Mon Sep 17 00:00:00 2001
	15	From: Chris Liddell <chris.liddell@artifex.com>
	16	Date: Thu, 27 Apr 2017 13:03:33 +0100
	17	Subject: [PATCH] Bug 697799: have .eqproc check its parameters
	18
	19	The Ghostscript custom operator .eqproc was not check the number or type of
	20	the parameters it was given.
	21	---
	22	psi/zmisc3.c \| 6 ++++++
	23	1 file changed, 6 insertions(+)
	24
	25	diff --git a/psi/zmisc3.c b/psi/zmisc3.c
	26	index 54b304246..37293ff4b 100644
	27	--- a/psi/zmisc3.c
	28	+++ b/psi/zmisc3.c
	29	@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
	30	ref2_t stack[MAX_DEPTH + 1];
	31	ref2_t *top = stack;
	32
	33	+ if (ref_stack_count(&o_stack) < 2)
	34	+ return_error(gs_error_stackunderflow);
	35	+ if (!r_is_array(op - 1) \|\| !r_is_array(op)) {
	36	+ return_error(gs_error_typecheck);
	37	+ }
	38	+
	39	make_array(&stack[0].proc1, 0, 1, op - 1);
	40	make_array(&stack[0].proc2, 0, 1, op);
	41	for (;;) {
	42	--
	43	2.13.0
	44
	45	From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001
	46	From: Chris Liddell <chris.liddell@artifex.com>
	47	Date: Thu, 27 Apr 2017 13:21:31 +0100
	48	Subject: [PATCH] Bug 697799: have .rsdparams check its parameters
	49
	50	The Ghostscript internal operator .rsdparams wasn't checking the number or
	51	type of the operands it was being passed. Do so.
	52	---
	53	psi/zfrsd.c \| 22 +++++++++++++++-------
	54	1 file changed, 15 insertions(+), 7 deletions(-)
a01f1575 LF	55
a01f1575 LF	56	diff --git a/psi/zfrsd.c b/psi/zfrsd.c
d6158fe7	57	index 191107d8a..950588d69 100644
a01f1575 LF	58	--- a/psi/zfrsd.c
	59	+++ b/psi/zfrsd.c
	60	@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
	61	ref *pFilter;
	62	ref *pDecodeParms;
	63	int Intent = 0;
	64	- bool AsyncRead;
	65	+ bool AsyncRead = false;
	66	ref empty_array, filter1_array, parms1_array;
	67	uint i;
	68	- int code;
	69	+ int code = 0;
	70	+
	71	+ if (ref_stack_count(&o_stack) < 1)
d6158fe7	72	+ return_error(gs_error_stackunderflow);
a01f1575	73	+ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
d6158fe7	74	+ return_error(gs_error_typecheck);
a01f1575 LF	75	+ }
	76
	77	make_empty_array(&empty_array, a_readonly);
	78	- if (dict_find_string(op, "Filter", &pFilter) > 0) {
	79	+ if (r_has_type(op, t_dictionary)
	80	+ && dict_find_string(op, "Filter", &pFilter) > 0) {
	81	if (!r_is_array(pFilter)) {
	82	if (!r_has_type(pFilter, t_name))
d6158fe7	83	return_error(gs_error_typecheck);
a01f1575	84	@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
d6158fe7	85	return_error(gs_error_typecheck);
a01f1575 LF	86	}
	87	}
	88	- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
	89	+ if (r_has_type(op, t_dictionary))
	90	+ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
d6158fe7	91	if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
a01f1575 LF	92	return code;
	93	- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
	94	- )
	95	- return code;
	96	+ if (r_has_type(op, t_dictionary))
	97	+ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
	98	+ return code;
	99	push(1);
	100	op[-1] = *pFilter;
	101	if (pDecodeParms)
d6158fe7 LF	102	--
	103	2.13.0
	104
	105	From 57f20719e1cfaea77b67cb26e26de7fe4d7f9b2e Mon Sep 17 00:00:00 2001
	106	From: Chris Liddell <chris.liddell@artifex.com>
	107	Date: Wed, 3 May 2017 12:05:45 +0100
	108	Subject: [PATCH] Bug 697846: revision to commit 4f83478c88 (.eqproc)
	109
	110	When using the "DELAYBIND" feature, it turns out that .eqproc can be called with
	111	parameters that are not both procedures. In this case, it turns out, the
	112	expectation is for the operator to return 'false', rather than throw an error.
	113	---
	114	psi/zmisc3.c \| 15 +++++++++++++--
	115	1 file changed, 13 insertions(+), 2 deletions(-)
	116
a01f1575	117	diff --git a/psi/zmisc3.c b/psi/zmisc3.c
d6158fe7	118	index 37293ff4b..3f01d39a3 100644
a01f1575 LF	119	--- a/psi/zmisc3.c
a01f1575 LF	120	+++ b/psi/zmisc3.c
d6158fe7 LF	121	@@ -38,6 +38,15 @@ zcliprestore(i_ctx_t *i_ctx_p)
	122	return gs_cliprestore(igs);
	123	}
a01f1575	124
d6158fe7 LF	125	+static inline bool
	126	+eqproc_check_type(ref *r)
	127	+{
	128	+ return r_has_type(r, t_array)
	129	+ \|\| r_has_type(r, t_mixedarray)
	130	+ \|\| r_has_type(r, t_shortarray)
	131	+ \|\| r_has_type(r, t_oparray);
	132	+}
a01f1575	133	+
d6158fe7 LF	134	/* <proc1> <proc2> .eqproc <bool> */
	135	/*
	136	* Test whether two procedures are equal to depth 10.
	137	@@ -58,8 +67,10 @@ zeqproc(i_ctx_t *i_ctx_p)
	138
	139	if (ref_stack_count(&o_stack) < 2)
	140	return_error(gs_error_stackunderflow);
	141	- if (!r_is_array(op - 1) \|\| !r_is_array(op)) {
	142	- return_error(gs_error_typecheck);
	143	+ if (!eqproc_check_type(op -1) \|\| !eqproc_check_type(op)) {
	144	+ make_false(op - 1);
	145	+ pop(1);
	146	+ return 0;
	147	}
	148
a01f1575	149	make_array(&stack[0].proc1, 0, 1, op - 1);
d6158fe7 LF	150	--
	151	2.13.0
	152
	153	From ccfd2c75ac9be4cbd369e4cbdd40ba11a0c7bdad Mon Sep 17 00:00:00 2001
	154	From: Chris Liddell <chris.liddell@artifex.com>
	155	Date: Thu, 11 May 2017 14:07:48 +0100
	156	Subject: [PATCH] Bug 697892: fix check for op stack underflow.
	157
	158	In the original fix, I used the wrong method to check for stack underflow, this
	159	is using the correct method.
	160	---
	161	psi/zfrsd.c \| 3 +--
	162	psi/zmisc3.c \| 3 +--
	163	2 files changed, 2 insertions(+), 4 deletions(-)
	164
	165	diff --git a/psi/zfrsd.c b/psi/zfrsd.c
	166	index 950588d69..9c035b96d 100644
	167	--- a/psi/zfrsd.c
	168	+++ b/psi/zfrsd.c
	169	@@ -54,8 +54,7 @@ zrsdparams(i_ctx_t *i_ctx_p)
	170	uint i;
	171	int code = 0;
	172
	173	- if (ref_stack_count(&o_stack) < 1)
	174	- return_error(gs_error_stackunderflow);
	175	+ check_op(1);
	176	if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
	177	return_error(gs_error_typecheck);
	178	}
	179	diff --git a/psi/zmisc3.c b/psi/zmisc3.c
	180	index 3f01d39a3..43803b55b 100644
	181	--- a/psi/zmisc3.c
	182	+++ b/psi/zmisc3.c
	183	@@ -65,8 +65,7 @@ zeqproc(i_ctx_t *i_ctx_p)
	184	ref2_t stack[MAX_DEPTH + 1];
	185	ref2_t *top = stack;
	186
	187	- if (ref_stack_count(&o_stack) < 2)
	188	- return_error(gs_error_stackunderflow);
	189	+ check_op(2);
	190	if (!eqproc_check_type(op -1) \|\| !eqproc_check_type(op)) {
	191	make_false(op - 1);
	192	pop(1);
	193	--
	194	2.13.0
	195