source: trunk/server/common/patches/ghostscript-CVE-2010-1628.patch @ 1587

Last change on this file since 1587 was 1587, checked in by geofft, 12 years ago
Patch Ghostscript overflow error, see GS bug #691295 (CVE-2010-1628)
File size: 4.1 KB
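--- a/gs/psi/idosave.h
+++ b/gs/psi/idosave.h
@@ -18,6 +18,22 @@
 #  define idosave_INCLUDED
 
 /*
+ * Structure for saved change chain for save/restore.  Because of the
+ * garbage collector, we need to distinguish the cases where the change
+ * is in a static object, a dynamic ref, or a dynamic struct.
+ */
+typedef struct alloc_change_s alloc_change_t;
+struct alloc_change_s {
+    alloc_change_t *next;
+    ref_packed *where;
+    ref contents;
+#define AC_OFFSET_STATIC (-2)  /* static object */
+#define AC_OFFSET_REF (-1)     /* dynamic ref */
+#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */
+    short offset;              /* if >= 0, offset within struct */
+};
+
+/*
  * Save a change that must be undone by restore.  We have to pass the
  * pointer to the containing object to alloc_save_change for two reasons:
  *
@@ -29,6 +45,7 @@
  * relocate the pointer to it from the change record during garbage
  * collection.
  */
+
 int alloc_save_change(gs_dual_memory_t *dmem, const ref *pcont,
                      ref_packed *ptr, client_name_t cname);
 int alloc_save_change_in(gs_ref_memory_t *mem, const ref *pcont,
@@ -36,6 +53,6 @@
 /* Remove an AC_OFFSET_ALLOCATED element. */
 void alloc_save_remove(gs_ref_memory_t *mem, ref_packed *obj, client_name_t cname);
 /* Allocate a structure for recording an allocation event. */
-int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr);
+int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp);
 
 #endif /* idosave_INCLUDED */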
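Review bot: The comment above `alloc_save_change_alloc` in the last hunk still says only "Allocate a structure for recording an allocation event", although the new `alloc_change_t **pcp` parameter shifts responsibility to the caller. Judging from the isave.c and ialloc.c sections, the function now hands back an unlinked record, and the caller must set `where` and store the record in `mem->changes`. That contract belongs on the prototype, e.g. `/* On success *pcp is an unlinked record; the caller sets ->where and stores it in mem->changes once the array exists. */`. Moving `struct alloc_change_s` and the `AC_OFFSET_*` macros into this header also lets every includer write change-chain fields directly, so the comment is the only statement of that invariant.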
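--- a/gs/psi/isave.c
+++ b/gs/psi/isave.c
@@ -156,22 +156,6 @@
 /* A link to igcref.c . */
 ptr_proc_reloc(igc_reloc_ref_ptr_nocheck, ref_packed);
 
-/*
- * Structure for saved change chain for save/restore.  Because of the
- * garbage collector, we need to distinguish the cases where the change
- * is in a static object, a dynamic ref, or a dynamic struct.
- */
-typedef struct alloc_change_s alloc_change_t;
-struct alloc_change_s {
-    alloc_change_t *next;
-    ref_packed *where;
-    ref contents;
-#define AC_OFFSET_STATIC (-2)  /* static object */
-#define AC_OFFSET_REF (-1)     /* dynamic ref */
-#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */
-    short offset;              /* if >= 0, offset within struct */
-};
-
 static
 CLEAR_MARKS_PROC(change_clear_marks)
 {
@@ -519,7 +503,7 @@
 
 /* Allocate a structure for recording an allocation event. */
 int
-alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr)
+alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp)
 {
     register alloc_change_t *cp;
 
@@ -533,8 +517,7 @@
     cp->where = 0;
     cp->offset = AC_OFFSET_ALLOCATED;
     make_null(&cp->contents);
-    mem->changes = cp;
-    *ppr = &cp->where;
+    *pcp = cp;
     return 1;
 }
 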
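Review bot: `*pcp = cp;` in the last hunk is the only visible write to the out-parameter, so callers must pre-initialise their pointer to cover any return path that does not reach it. The lines between the second and third hunks are not shown, so this is inferred; if there are early returns there (no save active, allocation failure), a `*pcp = 0;` at function entry would define the result on every path instead of relying on the caller's `alloc_change_t *cp = 0;`. The record is also returned with `where = 0` and is no longer stored in `mem->changes` here. Any `next` pointer captured earlier in the function therefore stays correct only if nothing else pushes onto that list before the caller links the record, which deserves a comment next to the `return 1;`.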
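--- a/gs/psi/ialloc.c
+++ b/gs/psi/ialloc.c
@@ -185,7 +185,14 @@
         */
        chunk_t *pcc = mem->pcc;
        ref *end;
+       alloc_change_t *cp = 0;
+        int code = 0;
 
+       if ((gs_memory_t *)mem != mem->stable_memory) {
+           code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &cp);
+           if (code < 0)
+               return code;
+       }
        obj = gs_alloc_struct_array((gs_memory_t *) mem, num_refs + 1,
                                    ref, &st_refs, cname);
        if (obj == 0)
@@ -210,14 +217,10 @@
            chunk_locate_ptr(obj, &cl);
            cl.cp->has_refs = true;
        }
-       if ((gs_memory_t *)mem != mem->stable_memory) {
-           ref_packed **ppr = 0;
-           int code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &ppr);
-           if (code < 0)
-               return code;
-            if (ppr)
-               *ppr = (ref_packed *)obj;
-       }
+       if (cp) {
+            mem->changes = cp;
+            cp->where = (ref_packed *)obj;
+        }
     }
     make_array(parr, attrs | mem->space, num_refs, obj);
     return 0;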
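Review bot: When `gs_alloc_struct_array` fails after `alloc_save_change_alloc` has succeeded, the record in `cp` is neither linked into `mem->changes` nor released. The body of `if (obj == 0)` lies outside the first hunk, so this is inferred from the visible lines, but nothing shown frees `cp` on that path. Releasing it before the error return, e.g. `gs_free_object((gs_memory_t *)mem, cp, "gs_alloc_ref_array");`, would avoid leaving an orphaned change record on each failed array allocation. Allocating the record before the array and linking it only under `if (cp)` appears to be the core of the fix, so this failure path is the remaining gap. The enclosing function starts and ends outside these hunks.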