aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/ghostscript-CVE-2013-5653.patch
blob: 622266b1769e5339323fad3f8015abf6c03c5d89 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
The following patch was adapted for GNU Ghostscript
by Mark H Weaver <mhw@netris.org> based on:

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8

From ab109aaeb3ddba59518b036fb288402a65cf7ce8 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Sat, 5 Mar 2016 14:56:03 -0800
Subject: [PATCH] Bug 694724: Have filenameforall and getenv honor SAFER

---
 Resource/Init/gs_init.ps |  2 ++
 psi/zfile.c              | 36 ++++++++++++++++++++----------------
 2 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index fa33d88..99888ac 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -2018,6 +2018,7 @@ readonly def
 
 /.locksafe {
   .locksafe_userparams
+  systemdict /getenv {pop //false} put
   % setpagedevice has the side effect of clearing the page, but
   % we will just document that. Using setpagedevice keeps the device
   % properties and pagedevice .LockSafetyParams in agreement even
@@ -2036,6 +2037,7 @@ readonly def
 %%
 /.locksafeglobal {
   .locksafe_userparams
+  systemdict /getenv {pop //false} put
   % setpagedevice has the side effect of clearing the page, but
   % we will just document that. Using setpagedevice keeps the device
   % properties and pagedevice .LockSafetyParams in agreement even
diff --git a/psi/zfile.c b/psi/zfile.c
index 320ecd5..0b9f299 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -371,22 +371,26 @@ file_continue(i_ctx_t *i_ctx_p)
 
     if (len < devlen)
         return_error(e_rangecheck);     /* not even room for device len */
-    memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
-    code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
-                len - devlen);
-    if (code == ~(uint) 0) {    /* all done */
-        esp -= 5;               /* pop proc, pfen, devlen, iodev , mark */
-        return o_pop_estack;
-    } else if (code > len)      /* overran string */
-        return_error(e_rangecheck);
-    else {
-        push(1);
-        ref_assign(op, pscratch);
-        r_set_size(op, code + devlen);
-        push_op_estack(file_continue);  /* come again */
-        *++esp = pscratch[2];   /* proc */
-        return o_push_estack;
-    }
+
+    do {
+        memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
+        code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
+                    len - devlen);
+        if (code == ~(uint) 0) {    /* all done */
+            esp -= 5;               /* pop proc, pfen, devlen, iodev , mark */
+            return o_pop_estack;
+        } else if (code > len)      /* overran string */
+            return_error(e_rangecheck);
+        else if (iodev != iodev_default(imemory)
+              || (check_file_permissions_reduced(i_ctx_p, (char *)pscratch->value.bytes, code + devlen, "PermitFileReading")) == 0) {
+            push(1);
+            ref_assign(op, pscratch);
+            r_set_size(op, code + devlen);
+            push_op_estack(file_continue);  /* come again */
+            *++esp = pscratch[2];   /* proc */
+            return o_push_estack;
+        }
+    } while(1);
 }
 /* Cleanup procedure for enumerating files */
 static int
-- 
2.9.1