path: root/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch
From 3920a727fb19e19f597e518610ce2416d08cb75f Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 20 Aug 2020 17:19:09 +0100
Subject: [PATCH] Fix pdfwrite "%d" mode with file permissions

Firstly, in gx_device_delete_output_file the iodev pointer was being passed
to the delete_method incorrectly (passing a pointer to that pointer). Thus
when we attempted to use that to confirm permission to delete the file, it
crashed. Credit to Ken for finding that.

Secondly, due to the way pdfwrite works, when running with an output file per
page, it creates the current output file immediately it has completed writing
the previous one. Thus, it has to delete that partial file on exit.

Previously, the output file was not added to the "control" permission list,
so an attempt to delete it would result in an error. So add the output file
to the "control" as well as "write" list.

CVE: CVE-2021-3781

Upstream-Status: Backport:
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=3920a727fb19e19f597e518610ce2416d08cb75f

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
---
 base/gsdevice.c |  2 +-
 base/gslibctx.c | 20 ++++++++++++++------
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/base/gsdevice.c b/base/gsdevice.c
index 913119495..ac78af93f 100644
--- a/base/gsdevice.c
+++ b/base/gsdevice.c
@@ -1185,7 +1185,7 @@ int gx_device_delete_output_file(const gx_device * dev, const char *fname)
         parsed.len = strlen(parsed.fname);
     }
     if (parsed.iodev)
-        code = parsed.iodev->procs.delete_file((gx_io_device *)(&parsed.iodev), (const char *)parsed.fname);
+        code = parsed.iodev->procs.delete_file((gx_io_device *)(parsed.iodev), (const char *)parsed.fname);
     else
         code = gs_note_error(gs_error_invalidfileaccess);
 
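Review bot: The `(gx_io_device *)` cast kept on the new `delete_file(...)` call is what allowed the old `&parsed.iodev` argument to compile without a pointer-type diagnostic, so the same kind of mistake could come back unnoticed. If `parsed.iodev` is already a `gx_io_device *` (its use as `parsed.iodev->procs` suggests so, but the declaration is not in this hunk), drop both casts: `code = parsed.iodev->procs.delete_file(parsed.iodev, parsed.fname);`. The body of gx_device_delete_output_file starts and ends outside this hunk.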
diff --git a/base/gslibctx.c b/base/gslibctx.c
index d726c58b5..ff8fc895e 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -647,7 +647,7 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
     char *fp, f[gp_file_name_sizeof];
     const int pipe = 124; /* ASCII code for '|' */
     const int len = strlen(fname);
-    int i;
+    int i, code;
 
     /* Be sure the string copy will fit */
     if (len >= gp_file_name_sizeof)
@@ -658,8 +658,6 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
     rewrite_percent_specifiers(f);
     for (i = 0; i < len; i++) {
         if (f[i] == pipe) {
-           int code;
-
            fp = &f[i + 1];
            /* Because we potentially have to check file permissions at two levels
               for the output file (gx_device_open_output_file and the low level
@@ -671,10 +669,16 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
            if (code < 0)
                return code;
            break;
+           code = gs_add_control_path(mem, gs_permit_file_control, f);
+           if (code < 0)
+               return code;
         }
         if (!IS_WHITESPACE(f[i]))
             break;
     }
+    code = gs_add_control_path(mem, gs_permit_file_control, fp);
+    if (code < 0)
+        return code;
     return gs_add_control_path(mem, gs_permit_file_writing, fp);
 }
 
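Review bot: The three lines added after `break;` inside the `if (f[i] == pipe)` block are unreachable, so for a piped output name the '|'-prefixed string `f` is put on the write list but never on the `gs_permit_file_control` list. gs_remove_outputfile_control_path, later in this patch, places its control removal for `f` before the `break;`, so the add and remove sides are not symmetric. Move the `break;` below the new check so the block ends `code = gs_add_control_path(mem, gs_permit_file_control, f);`, `if (code < 0) return code;`, `break;`. A build or static-analysis pass with unreachable-code checking enabled would catch this kind of slip in permission-handling code. The function starts outside the hunk.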
@@ -684,7 +688,7 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
     char *fp, f[gp_file_name_sizeof];
     const int pipe = 124; /* ASCII code for '|' */
     const int len = strlen(fname);
-    int i;
+    int i, code;
 
     /* Be sure the string copy will fit */
     if (len >= gp_file_name_sizeof)
@@ -694,8 +698,6 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
     /* Try to rewrite any %d (or similar) in the string */
     for (i = 0; i < len; i++) {
         if (f[i] == pipe) {
-           int code;
-
            fp = &f[i + 1];
            /* Because we potentially have to check file permissions at two levels
               for the output file (gx_device_open_output_file and the low level
@@ -704,6 +706,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
               the pipe_fopen(), the leading '|' has been stripped.
             */
            code = gs_remove_control_path(mem, gs_permit_file_writing, f);
+           if (code < 0)
+               return code;
+           code = gs_remove_control_path(mem, gs_permit_file_control, f);
            if (code < 0)
                return code;
            break;
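Review bot: Each `if (code < 0) return code;` in this block returns on the first failed removal, which leaves every later entry on the permission lists: the `gs_permit_file_control` entry for `f` here, and both entries for `fp` after the loop (the same pattern is added in the next hunk). For a function whose job is to withdraw access, attempting every removal and reporting the first error is the safer order, for example `int c2 = gs_remove_control_path(mem, gs_permit_file_control, f);` followed by `if (code >= 0) code = c2;` instead of returning early. This matters more because the add side never registers `f` on the control list (its call sits after `break;`), and what gs_remove_control_path returns for an absent entry is not visible in this patch and should be checked. The loop and the function start outside the hunk.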
@@ -711,6 +716,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
         if (!IS_WHITESPACE(f[i]))
             break;
     }
+    code = gs_remove_control_path(mem, gs_permit_file_control, fp);
+    if (code < 0)
+        return code;
     return gs_remove_control_path(mem, gs_permit_file_writing, fp);
 }
 
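Review bot: The string removed here may not match the string that was added. gs_add_outputfile_control_path calls `rewrite_percent_specifiers(f);` before its loop, while the visible context of this function shows the comment `/* Try to rewrite any %d (or similar) in the string */` followed directly by the `for` loop with no such call. If the full file agrees with that, an output name containing `%d` (the mode this commit is about) would keep its control and write entries after removal. Adding `rewrite_percent_specifiers(f);` under that comment would make the two functions agree; confirm against the full source, since only part of the function is visible here.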
-- 
2.25.1