source: trunk/server/common/patches/ghostscript-CVE-2010-1628.patch @ 1640

Last change on this file since 1640 was 1587, checked in by geofft, 12 years ago
Patch Ghostscript overflow error, see GS bug #691295 (CVE-2010-1628)
File size: 4.1 KB
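--- a/gs/psi/idosave.h
+++ b/gs/psi/idosave.h
@@ -18,6 +18,22 @@
 #  define idosave_INCLUDED
 
 /*
+ * Structure for saved change chain for save/restore.  Because of the
+ * garbage collector, we need to distinguish the cases where the change
+ * is in a static object, a dynamic ref, or a dynamic struct.
+ */
+typedef struct alloc_change_s alloc_change_t;
+struct alloc_change_s {
+    alloc_change_t *next;
+    ref_packed *where;
+    ref contents;
+#define AC_OFFSET_STATIC (-2)   /* static object */
+#define AC_OFFSET_REF (-1)      /* dynamic ref */
+#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */
+    short offset;               /* if >= 0, offset within struct */
+};
+
+/*
  * Save a change that must be undone by restore.  We have to pass the
  * pointer to the containing object to alloc_save_change for two reasons:
  *
@@ -29,6 +45,7 @@
  * relocate the pointer to it from the change record during garbage
  * collection.
  */
+
 int alloc_save_change(gs_dual_memory_t *dmem, const ref *pcont,
                       ref_packed *ptr, client_name_t cname);
 int alloc_save_change_in(gs_ref_memory_t *mem, const ref *pcont,
@@ -36,6 +53,6 @@
 /* Remove an AC_OFFSET_ALLOCATED element. */
 void alloc_save_remove(gs_ref_memory_t *mem, ref_packed *obj, client_name_t cname);
 /* Allocate a structure for recording an allocation event. */
-int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr);
+int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp);
 
 #endif /* idosave_INCLUDED */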
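Review bot: The one-line comment above the changed `alloc_save_change_alloc` prototype no longer describes what a caller has to do. With the new `alloc_change_t **pcp` out-parameter the function hands back an unlinked record, and the caller in ialloc.c now has to set `cp->where` and assign `mem->changes = cp` itself. I would extend the comment to say that the function returns 1 with `*pcp` set on success and a negative code on failure, and that the caller must fill in `where` and link the record into `mem->changes`. It should also tell callers to initialise `*pcp` to 0 beforehand, as ialloc.c does, since the paths that return without a record are not visible in this diff.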
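--- a/gs/psi/isave.c
+++ b/gs/psi/isave.c
@@ -156,22 +156,6 @@
 /* A link to igcref.c . */
 ptr_proc_reloc(igc_reloc_ref_ptr_nocheck, ref_packed);
 
-/*
- * Structure for saved change chain for save/restore.  Because of the
- * garbage collector, we need to distinguish the cases where the change
- * is in a static object, a dynamic ref, or a dynamic struct.
- */
-typedef struct alloc_change_s alloc_change_t;
-struct alloc_change_s {
-    alloc_change_t *next;
-    ref_packed *where;
-    ref contents;
-#define AC_OFFSET_STATIC (-2)   /* static object */
-#define AC_OFFSET_REF (-1)      /* dynamic ref */
-#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */
-    short offset;               /* if >= 0, offset within struct */
-};
-
 static
 CLEAR_MARKS_PROC(change_clear_marks)
 {
@@ -519,7 +503,7 @@
 
 /* Allocate a structure for recording an allocation event. */
 int
-alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr)
+alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp)
 {
     register alloc_change_t *cp;
 
@@ -533,8 +517,7 @@
     cp->where = 0;
     cp->offset = AC_OFFSET_ALLOCATED;
     make_null(&cp->contents);
-    mem->changes = cp;
-    *ppr = &cp->where;
+    *pcp = cp;
     return 1;
 }
 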
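Review bot: Dropping `mem->changes = cp;` from `alloc_save_change_alloc` (last hunk) opens a window between creating the record and publishing it. The lines that initialise `cp->next` are outside the hunk, but if they snapshot `mem->changes` at allocation time, any change recorded on the same allocator before the caller links `cp` would be unlinked from the chain when `mem->changes = cp` finally runs. The only caller shown does nothing but `gs_alloc_struct_array` in between, so this is probably safe today, but nothing in the code says so. I would add a comment before `*pcp = cp;` along the lines of `/* Caller must link cp into mem->changes before any other change is recorded on mem. */`.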
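--- a/gs/psi/ialloc.c
+++ b/gs/psi/ialloc.c
@@ -185,7 +185,14 @@
          */
         chunk_t *pcc = mem->pcc;
         ref *end;
+        alloc_change_t *cp = 0;
+        int code = 0;
 
+        if ((gs_memory_t *)mem != mem->stable_memory) {
+            code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &cp);
+            if (code < 0)
+                return code;
+        }
         obj = gs_alloc_struct_array((gs_memory_t *) mem, num_refs + 1,
                                     ref, &st_refs, cname);
         if (obj == 0)
@@ -210,14 +217,10 @@
             chunk_locate_ptr(obj, &cl);
             cl.cp->has_refs = true;
         }
-        if ((gs_memory_t *)mem != mem->stable_memory) {
-            ref_packed **ppr = 0;
-            int code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &ppr);
-            if (code < 0)
-                return code;
-            if (ppr)
-                *ppr = (ref_packed *)obj;
-        }
+        if (cp) {
+            mem->changes = cp;
+            cp->where = (ref_packed *)obj;
+        }
     }
     make_array(parr, attrs | mem->space, num_refs, obj);
     return 0;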
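Review bot: If `gs_alloc_struct_array` returns 0 after the new pre-allocation at new lines 191-195, the change record in `cp` is neither linked nor released on any visible line. The body of the `if (obj == 0)` branch is outside the hunk, so this is inferred. If that branch simply returns the VM error, the record is left orphaned for the collector, and this is exactly the low-memory path the reordering is meant to make safe. I would release it there before returning, e.g. `if (cp) gs_free_object((gs_memory_t *)mem, cp, "gs_alloc_ref_array");`, with a comment that no `alloc_save_remove` is needed because the record was never attached to `mem->changes`.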