Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
SUSE:SLE-15-SP1:Update
ghostscript
CVE-2023-36664.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2023-36664.patch of Package ghostscript
--- base/gpmisc.c.orig 2020-03-19 09:21:42.000000000 +0100 +++ base/gpmisc.c 2023-06-29 11:46:31.303189291 +0200 @@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t * && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) { prefix_len = 0; } - rlen = len+1; - bufferfull = (char *)gs_alloc_bytes(mem->non_gc_memory, rlen + prefix_len, "gp_validate_path"); - if (bufferfull == NULL) - return gs_error_VMerror; - buffer = bufferfull + prefix_len; - if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) - return gs_error_invalidfileaccess; - buffer[rlen] = 0; + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ + if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path"); + if (buffer == NULL) + return gs_error_VMerror; + memcpy(buffer, path, len); + buffer[len] = 0; + rlen = len; + } + else { + rlen = len+1; + bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); + if (bufferfull == NULL) + return gs_error_VMerror; + buffer = bufferfull + prefix_len; + if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) + return gs_error_invalidfileaccess; + buffer[rlen] = 0; + } while (1) { switch (mode[0]) { --- base/gslibctx.c.orig 2021-09-10 09:25:42.058108741 +0200 +++ base/gslibctx.c 2023-06-29 12:27:19.647950630 +0200 @@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_ return gs_error_rangecheck; } - rlen = len+1; - buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); - if (buffer == NULL) - return gs_error_VMerror; - - if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) - return gs_error_invalidfileaccess; - buffer[rlen] = 0; + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ + if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len"); + if (buffer == NULL) + return gs_error_VMerror; + memcpy(buffer, path, len); + buffer[len] = 0; + rlen = len; + } + else { + rlen = len + 1; + + buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len"); + if (buffer == NULL) + return gs_error_VMerror; + + if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) + return gs_error_invalidfileaccess; + buffer[rlen] = 0; + } n = control->num; for (i = 0; i < n; i++) @@ -802,14 +816,28 @@ gs_remove_control_path_len(const gs_memo return gs_error_rangecheck; } - rlen = len+1; - buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); - if (buffer == NULL) - return gs_error_VMerror; - - if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) - return gs_error_invalidfileaccess; - buffer[rlen] = 0; + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ + if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len"); + if (buffer == NULL) + return gs_error_VMerror; + memcpy(buffer, path, len); + buffer[len] = 0; + rlen = len; + } + else { + rlen = len+1; + + buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len"); + if (buffer == NULL) + return gs_error_VMerror; + + if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) + return gs_error_invalidfileaccess; + buffer[rlen] = 0; + } n = control->num; for (i = 0; i < n; i++) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
