File CVE-2024-33869.patch of Package ghostscript

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2024-33869.patch of Package ghostscript

--- base/gpmisc.c.bsc1219357.patched.CVE-2023-36664.patched.CVE-2024-33870.patched	2024-06-28 14:37:32.710786933 +0200
+++ base/gpmisc.c	2024-06-28 15:06:44.242886198 +0200
@@ -1059,6 +1059,27 @@ gp_validate_path_len(const gs_memory_t *
         rlen = len;
     }
     else {
+        char *test = (char *)path, *test1;
+        uint tlen = len, slen;
+
+        /* Look for any pipe (%pipe% or '|' specifications between path separators
+         * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
+         */
+        while (tlen > 0) {
+            if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
+                code = gs_note_error(gs_error_invalidfileaccess);
+                goto exit;
+            }
+            test1 = test;
+            slen = search_separator((const char **)&test, path + len, test1, 1);
+            if(slen == 0)
+                break;
+            test += slen;
+            tlen -= test - test1;
+            if (test >= path + len)
+                break;
+        }
+
         rlen = len+1;
         bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
         if (bufferfull == NULL)
@@ -1126,8 +1147,8 @@ gp_validate_path_len(const gs_memory_t *
 
             continue;
         }
-        else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
-            buffer = bufferfull + cdirstrl + dirsepstrl;
+        else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
+            && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
             continue;
         }
         break;

Places

File CVE-2024-33869.patch of Package ghostscript

Places