ghostscript/backport-CVE-2024-29508.patch
2024-08-16 11:06:22 +08:00


From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:53:44 +0000
Subject: [PATCH 4/7] Bug 707510 - review printing of pointers
https://bugs.ghostscript.com/show_bug.cgi?id=707510
http://www.ghostscript.com/cgi-bin/findgit.cgi?ff1013a0ab485b66783b70145e342a82c670906a
This is for item 4 of the report, which is addressed by the change in
gdevpdtb.c. That change uses a fixed name for fonts which have no name
instead of using the pointer to the address of the font.
The remaining changes are all due to reviewing the use of PRI_INTPTR.
In general we only use that for debugging purposes but there were a few
places which were printing pointers arbitrarily, even in a release build.
We really don't want to do that so I've modified the places which were
printing pointers unconditionally so that they only do so if DEBUG is
set at compile time, or a specific debug flag is set.
---
base/gsfont.c | 2 +-
base/gsicc_cache.c | 6 +++---
base/gsmalloc.c | 2 +-
base/gxclmem.c | 3 +--
base/gxcpath.c | 4 ++++
base/gxpath.c | 6 ++++++
base/szlibc.c | 2 ++
devices/gdevupd.c | 5 +++++
devices/vector/gdevpdtb.c | 2 +-
psi/ialloc.c | 2 +-
psi/igc.c | 4 ++--
psi/igcstr.c | 4 ++--
psi/iinit.c | 4 ++++
psi/imainarg.c | 3 ++-
psi/isave.c | 2 +-
psi/iutil.c | 4 ++++
16 files changed, 40 insertions(+), 15 deletions(-)
diff --git a/base/gsfont.c b/base/gsfont.c
index d987ba2..84867c4 100644
--- a/base/gsfont.c
+++ b/base/gsfont.c
@@ -771,7 +771,7 @@ gs_purge_font(gs_font * pfont)
else if (pdir->scaled_fonts == pfont)
pdir->scaled_fonts = next;
else { /* Shouldn't happen! */
- lprintf1("purged font 0x%lx not found\n", (ulong) pfont);
+ if_debug1m('u', pfont->memory, "purged font 0x%lx not found\n", (ulong) pfont);
}
/* Purge the font from the scaled font cache. */
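Review bot: The retained `(ulong) pfont` cast with `0x%lx` truncates the pointer on LLP64 targets (64-bit pointer, 32-bit long), which is exactly the pointer formatting the commit message says was reviewed against PRI_INTPTR. Since the line is now debug-only it could use that macro instead, roughly `if_debug1m('u', pfont->memory, "purged font " PRI_INTPTR " not found\n", (intptr_t) pfont);` — confirm the macro's exact form (whether it already carries the `0x` prefix) before copying. The same `(ulong)` pointer cast survives in the gsmalloc.c, gxcpath.c, gxpath.c, szlibc.c, ialloc.c, igc.c, igcstr.c and isave.c hunks. gs_purge_font's body continues outside the hunk.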
diff --git a/base/gsicc_cache.c b/base/gsicc_cache.c
index 713c4ba..19a796b 100644
--- a/base/gsicc_cache.c
+++ b/base/gsicc_cache.c
@@ -149,7 +149,7 @@ icc_linkcache_finalize(const gs_memory_t *mem, void *ptr)
while (link_cache->head != NULL) {
if (link_cache->head->ref_count != 0) {
- emprintf2(mem, "link at 0x%p being removed, but has ref_count = %d\n",
+ if_debug2m(gs_debug_flag_icc, mem, "link at 0x%p being removed, but has ref_count = %d\n",
link_cache->head, link_cache->head->ref_count);
link_cache->head->ref_count = 0; /* force removal */
}
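Review bot: In release builds the ref_count inconsistency now passes silently: the hunk drops the only message before `link_cache->head->ref_count = 0; /* force removal */`, whereas the gdevupd.c, iinit.c and iutil.c hunks of the same patch keep a pointer-free message outside DEBUG. For consistency, keep the count and drop only the address, e.g. `emprintf1(mem, "link being removed, but has ref_count = %d\n", link_cache->head->ref_count);`, with the address itself printed only under the icc debug flag. The same applies to the two later gsicc_cache.c hunks (gsicc_findcachelink, gsicc_remove_link) and to the gxclmem.c memfile_fclose hunk, where the error return is now undiagnosed in release builds. icc_linkcache_finalize's body continues outside the hunk.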
@@ -530,7 +530,7 @@ gsicc_findcachelink(gsicc_hashlink_t hash, gsicc_link_cache_t *icc_link_cache,
/* that was building it failed to be able to complete building it */
/* this is probably a fatal error. MV ??? */
if (curr->valid == false) {
- emprintf1(curr->memory, "link 0x%p lock released, but still not valid.\n", curr); /* Breakpoint here */
+ if_debug1m(gs_debug_flag_icc, curr->memory, "link 0x%p lock released, but still not valid.\n", curr); /* Breakpoint here */
}
gx_monitor_enter(icc_link_cache->lock); /* re-enter to loop and check */
}
@@ -557,7 +557,7 @@ gsicc_remove_link(gsicc_link_t *link, const gs_memory_t *memory)
/* NOTE: link->ref_count must be 0: assert ? */
gx_monitor_enter(icc_link_cache->lock);
if (link->ref_count != 0) {
- emprintf2(memory, "link at 0x%p being removed, but has ref_count = %d\n", link, link->ref_count);
+ if_debug2m(gs_debug_flag_icc, memory, "link at 0x%p being removed, but has ref_count = %d\n", link, link->ref_count);
}
curr = icc_link_cache->head;
prev = NULL;
diff --git a/base/gsmalloc.c b/base/gsmalloc.c
index bb4e701..cb4bc13 100644
--- a/base/gsmalloc.c
+++ b/base/gsmalloc.c
@@ -419,7 +419,7 @@ gs_heap_resize_string(gs_memory_t * mem, byte * data, size_t old_num, size_t new
client_name_t cname)
{
if (gs_heap_object_type(mem, data) != &st_bytes)
- lprintf2("%s: resizing non-string 0x%lx!\n",
+ if_debug2m('a', mem, "%s: resizing non-string 0x%lx!\n",
client_name_string(cname), (ulong) data);
return gs_heap_resize_object(mem, data, new_num, cname);
}
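Review bot: The `if (gs_heap_object_type(mem, data) != &st_bytes)` on the line above now has an unbraced macro body, `if_debug2m(...)`; if that macro expands to its own `if (gs_debug_c('a')) ...` (its definition is not visible from here) the nesting still works, but any later `else` would bind to the inner `if`, and the two-line call is easy to misread as two statements. Wrap the body in braces: `if (gs_heap_object_type(mem, data) != &st_bytes) { if_debug2m('a', mem, "%s: resizing non-string 0x%lx!\n", client_name_string(cname), (ulong) data); }`. Note that the resize of a non-string object still proceeds, now silently in release builds; if that is intended a one-line comment saying so would help.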
diff --git a/base/gxclmem.c b/base/gxclmem.c
index acd695c..70b9100 100644
--- a/base/gxclmem.c
+++ b/base/gxclmem.c
@@ -490,8 +490,7 @@ memfile_fclose(clist_file_ptr cf, const char *fname, bool delete)
/* leaks if other users of the memfile don't 'fclose with delete=true */
if (f->openlist != NULL || ((f->base_memfile != NULL) && f->base_memfile->is_open)) {
/* TODO: do the cleanup rather than just giving an error */
- emprintf1(f->memory,
- "Attempt to delete a memfile still open for read: %p\n",
+ if_debug1(':', "Attempt to delete a memfile still open for read: %p\n",
f);
return_error(gs_error_invalidfileaccess);
} else {
diff --git a/base/gxcpath.c b/base/gxcpath.c
index 1ae5ca1..8771288 100644
--- a/base/gxcpath.c
+++ b/base/gxcpath.c
@@ -172,8 +172,10 @@ gx_cpath_init_contained_shared(gx_clip_path * pcpath,
{
if (shared) {
if (shared->path.segments == &shared->path.local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of clip path 0x%lx!\n",
(ulong) shared);
+#endif
return_error(gs_error_Fatal);
}
*pcpath = *shared;
@@ -230,8 +232,10 @@ gx_cpath_init_local_shared_nested(gx_clip_path * pcpath,
if (shared) {
if ((shared->path.segments == &shared->path.local_segments) &&
!safely_nested) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of clip path 0x%lx!\n",
(ulong) shared);
+#endif
return_error(gs_error_Fatal);
}
pcpath->path = shared->path;
diff --git a/base/gxpath.c b/base/gxpath.c
index ef8c9e4..56836c9 100644
--- a/base/gxpath.c
+++ b/base/gxpath.c
@@ -137,8 +137,10 @@ gx_path_init_contained_shared(gx_path * ppath, const gx_path * shared,
{
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path 0x%lx!\n",
(ulong) shared);
+#endif
return_error(gs_error_Fatal);
}
*ppath = *shared;
@@ -172,8 +174,10 @@ gx_path_alloc_shared(const gx_path * shared, gs_memory_t * mem,
ppath->procs = &default_path_procs;
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path 0x%lx!\n",
(ulong) shared);
+#endif
gs_free_object(mem, ppath, cname);
return 0;
}
@@ -203,8 +207,10 @@ gx_path_init_local_shared(gx_path * ppath, const gx_path * shared,
{
if (shared) {
if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
lprintf1("Attempt to share (local) segments of path 0x%lx!\n",
(ulong) shared);
+#endif
return_error(gs_error_Fatal);
}
*ppath = *shared;
diff --git a/base/szlibc.c b/base/szlibc.c
index c262498..2f95a48 100644
--- a/base/szlibc.c
+++ b/base/szlibc.c
@@ -110,7 +110,9 @@ s_zlib_free(void *zmem, void *data)
gs_free_object(mem, data, "s_zlib_free(data)");
for (; ; block = block->next) {
if (block == 0) {
+#ifdef DEBUG
lprintf1("Freeing unrecorded data 0x%lx!\n", (ulong)data);
+#endif
return;
}
if (block->data == data)
diff --git a/devices/gdevupd.c b/devices/gdevupd.c
index 5aad839..365dc8f 100644
--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
@@ -1048,8 +1048,13 @@ upd_print_page(gx_device_printer *pdev, gp_file *out)
*/
if(!upd || B_OK4GO != (upd->flags & (B_OK4GO | B_ERROR))) {
#if UPD_MESSAGES & (UPD_M_ERROR | UPD_M_TOPCALLS)
+#ifdef DEBUG
errprintf(pdev->memory, "CALL-REJECTED upd_print_page(0x%05lx,0x%05lx)\n",
(long) udev,(long) out);
+#else
+ errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n",
+ (long) udev,(long) out);
+#endif
#endif
return_error(gs_error_undefined);
}
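Review bot: The new `#else` branch still passes `(long) udev,(long) out` to `errprintf` although the format `"CALL-REJECTED upd_print_page\n"` has no conversion specifiers; the extra arguments are ignored at run time but trip -Wformat-extra-args and read like a copy-paste slip. Drop them: `errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n");`. upd_print_page continues outside the hunk.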
diff --git a/devices/vector/gdevpdtb.c b/devices/vector/gdevpdtb.c
index 9caa640..68ba516 100644
--- a/devices/vector/gdevpdtb.c
+++ b/devices/vector/gdevpdtb.c
@@ -359,7 +359,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev, pdf_base_font_t **ppbfont,
font_name.size -= SUBSET_PREFIX_SIZE;
}
} else {
- gs_sprintf(fnbuf, ".F%lx", (ulong)copied);
+ gs_sprintf(fnbuf, "Anonymous");
font_name.data = (byte *)fnbuf;
font_name.size = strlen(fnbuf);
}
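Review bot: Every copied font without a name now receives the identical string `"Anonymous"`, where the old `.F%lx` produced a distinct name per font; if anything downstream keys on font_name (resource lookup or de-duplication), two unnamed fonts would now collide — I cannot tell from this hunk whether that happens, so it is worth confirming against the callers. If uniqueness matters, a per-instance counter rather than the address would keep the names distinct without exposing a pointer. pdf_base_font_alloc continues outside the hunk.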
diff --git a/psi/ialloc.c b/psi/ialloc.c
index e8dd4ad..51dd89b 100644
--- a/psi/ialloc.c
+++ b/psi/ialloc.c
@@ -386,7 +386,7 @@ gs_free_ref_array(gs_ref_memory_t * mem, ref * parr, client_name_t cname)
size = num_refs * sizeof(ref);
break;
default:
- lprintf3("Unknown type 0x%x in free_ref_array(%u,0x%lx)!",
+ if_debug3('A', "Unknown type 0x%x in free_ref_array(%u,0x%lx)!",
r_type(parr), num_refs, (ulong) obj);
return;
}
diff --git a/psi/igc.c b/psi/igc.c
index 95778c8..9193e1d 100644
--- a/psi/igc.c
+++ b/psi/igc.c
@@ -1060,7 +1060,7 @@ gc_extend_stack(gc_mark_stack * pms, gc_state_t * pstate)
if (cp == 0) { /* We were tracing outside collectible */
/* storage. This can't happen. */
- lprintf1("mark stack overflowed while outside collectible space at 0x%lx!\n",
+ if_debug1('6', "mark stack overflowed while outside collectible space at 0x%lx!\n",
(ulong) cptr);
gs_abort(pstate->heap);
}
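Review bot: `gs_abort(pstate->heap)` now fires with no diagnostic at all in release builds, since `if_debug1('6', ...)` prints only when the '6' flag is set; the iinit.c hunk in this same patch shows the pattern to follow — keep the `if_debug1` call under `#ifdef DEBUG` and add `#else` / `lprintf("mark stack overflowed while outside collectible space!\n");` / `#endif` so the abort is still explained. The same silent-abort pattern appears in the second igc.c hunk (igc_reloc_struct_ptr, `gs_abort(NULL)`) and in the isave.c hunk (alloc_save_change_in). gc_extend_stack's body continues outside the hunk.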
@@ -1289,7 +1289,7 @@ igc_reloc_struct_ptr(const void /*obj_header_t */ *obj, gc_state_t * gcst)
if (cp != 0 && cp->cbase <= (byte *)obj && (byte *)obj <cp->ctop) {
if (back > (cp->ctop - cp->cbase) >> obj_back_shift) {
- lprintf2("Invalid back pointer %u at 0x%lx!\n",
+ if_debug2('6', "Invalid back pointer %u at 0x%lx!\n",
back, (ulong) obj);
gs_abort(NULL);
}
diff --git a/psi/igcstr.c b/psi/igcstr.c
index f38c33a..a90dcc7 100644
--- a/psi/igcstr.c
+++ b/psi/igcstr.c
@@ -152,7 +152,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst)
return false;
#ifdef DEBUG
if (ptr - HDR_ID_OFFSET < cp->ctop) {
- lprintf4("String pointer 0x%lx[%u] outside [0x%lx..0x%lx)\n",
+ if_debug4('6', "String pointer 0x%lx[%u] outside [0x%lx..0x%lx)\n",
(ulong) ptr - HDR_ID_OFFSET, size, (ulong) cp->ctop, (ulong) cp->climit);
return false;
} else if (ptr + size > cp->climit) { /*
@@ -171,7 +171,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst)
while (ptr - HDR_ID_OFFSET == scp->climit && scp->outer != 0)
scp = scp->outer;
if (ptr - HDR_ID_OFFSET + size > scp->climit) {
- lprintf4("String pointer 0x%lx[%u] outside [0x%lx..0x%lx)\n",
+ if_debug4('6', "String pointer 0x%lx[%u] outside [0x%lx..0x%lx)\n",
(ulong) ptr - HDR_ID_OFFSET, size,
(ulong) scp->ctop, (ulong) scp->climit);
return false;
diff --git a/psi/iinit.c b/psi/iinit.c
index 25fe0a1..bc206be 100644
--- a/psi/iinit.c
+++ b/psi/iinit.c
@@ -395,8 +395,12 @@ zop_init(i_ctx_t *i_ctx_p)
if (def->proc != 0) {
code = def->proc(i_ctx_p);
if (code < 0) {
+#ifdef DEBUG
lprintf2("op_init proc 0x%lx returned error %d!\n",
(ulong)def->proc, code);
+#else
+ lprintf("op_init proc returned error !\n");
+#endif
return code;
}
}
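Review bot: The release-build message `lprintf("op_init proc returned error !\n");` drops the error code along with the pointer, although `code` carries no address and is the one value a user report needs; keep it with `lprintf1("op_init proc returned error %d!\n", code);`. zop_init continues outside the hunk.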
diff --git a/psi/imainarg.c b/psi/imainarg.c
index c5d74ca..1016e7f 100644
--- a/psi/imainarg.c
+++ b/psi/imainarg.c
@@ -229,7 +229,8 @@ gs_main_init_with_args01(gs_main_instance * minst, int argc, char *argv[])
if (gs_debug[':'] && !have_dumped_args) {
int i;
- dmprintf1(minst->heap, "%% Args passed to instance 0x%p: ", minst);
+ if (gs_debug_c(gs_debug_flag_init_details))
+ dmprintf1(minst->heap, "%% Args passed to instance 0x%p: ", minst);
for (i=1; i<argc; i++)
dmprintf1(minst->heap, "%s ", argv[i]);
dmprintf(minst->heap, "\n");
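Review bot: The new guard covers only the `"%% Args passed to instance"` prefix, while the `for` loop and the trailing `dmprintf(minst->heap, "\n")` still run whenever `gs_debug[':']` is set, so with ':' set but not the init-details flag the arguments are emitted without their leading `%%` comment marker and label. Either extend the guard over the whole block, or print a pointer-free prefix in the other case: `else dmprintf(minst->heap, "%% Args passed to instance: ");`. gs_main_init_with_args01 continues outside the hunk.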
diff --git a/psi/isave.c b/psi/isave.c
index b1d0c7f..d1d69b3 100644
--- a/psi/isave.c
+++ b/psi/isave.c
@@ -487,7 +487,7 @@ alloc_save_change_in(gs_ref_memory_t *mem, const ref * pcont,
else if (r_is_struct(pcont))
cp->offset = (byte *) where - (byte *) pcont->value.pstruct;
else {
- lprintf3("Bad type %u for save! pcont = 0x%lx, where = 0x%lx\n",
+ if_debug3('u', "Bad type %u for save! pcont = 0x%lx, where = 0x%lx\n",
r_type(pcont), (ulong) pcont, (ulong) where);
gs_abort((const gs_memory_t *)mem);
}
diff --git a/psi/iutil.c b/psi/iutil.c
index 55d0e52..7685a00 100644
--- a/psi/iutil.c
+++ b/psi/iutil.c
@@ -531,7 +531,11 @@ other:
break;
}
/* Internal operator, no name. */
+#if DEBUG
gs_sprintf(buf, "@0x%lx", (ulong) op->value.opproc);
+#else
+ gs_sprintf(buf, "@anonymous_operator", (ulong) op->value.opproc);
+#endif
break;
}
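Review bot: This hunk uses `#if DEBUG` where every other hunk in the patch uses `#ifdef DEBUG`; if a build defines DEBUG with no value (a bare `-DDEBUG` gives it 1, but a plain `#define DEBUG` does not) `#if DEBUG` is a preprocessor error, and in any case the branch selection differs from the rest of the tree. Use `#ifdef DEBUG`, and drop the now-unmatched argument from the else branch: `gs_sprintf(buf, "@anonymous_operator");`. The size of `buf` is outside the hunk; the 20-byte literal should be checked against it.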
case t_real:
--
2.43.0