ghostscript/CVE-2016-7979.patch

From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 5 Oct 2016 09:10:58 +0000 (+0100)
Subject: DSC parser - validate parameters
X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=875a0095f37626a721c7ff57d606a0f95af03913;hp=aef8f6cfbff9080e4b9c54053bc909875c09a2be

DSC parser - validate parameters

Bug #697190 ".initialize_dsc_parser doesn't validate the parameter is a dict type before using it."

Regardless of any security implications, its simply wrong for a PostScript
operator not to validate its parameter(s).

No differences expected.
---

diff --git a/psi/zdscpars.c b/psi/zdscpars.c
index c05e154..9b4b605 100644
--- a/psi/zdscpars.c
+++ b/psi/zdscpars.c
@@ -150,11 +150,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p)
     ref local_ref;
     int code;
     os_ptr const op = osp;
-    dict * const pdict = op->value.pdict;
-    gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict);
-    dsc_data_t * const data =
-        gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
+    dict *pdict;
+    gs_memory_t *mem;
+    dsc_data_t *data;
 
+    check_read_type(*op, t_dictionary);
+
+    pdict = op->value.pdict;
+    mem = (gs_memory_t *)dict_memory(pdict);
+
+    data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
     if (!data)
         return_error(gs_error_VMerror);
     data->document_level = 0;
Accepting request 435738 from home:jsmeix:branches:Printing Ghostscript security update that fixes (CVE-2013-5653 is already fixed in the 9.20 sources) CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 CVE-2016-7979 (all bsc#1001951) and CVE-2016-8602 (bsc#1004237) OBS-URL: https://build.opensuse.org/request/show/435738 OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=72 2016-10-17 14:34:08 +02:00			`From: Ken Sharp <ken.sharp@artifex.com>`
			`Date: Wed, 5 Oct 2016 09:10:58 +0000 (+0100)`
			`Subject: DSC parser - validate parameters`
			`X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=875a0095f37626a721c7ff57d606a0f95af03913;hp=aef8f6cfbff9080e4b9c54053bc909875c09a2be`

			`DSC parser - validate parameters`

			`Bug #697190 ".initialize_dsc_parser doesn't validate the parameter is a dict type before using it."`

			`Regardless of any security implications, its simply wrong for a PostScript`
			`operator not to validate its parameter(s).`

			`No differences expected.`
			`---`

			`diff --git a/psi/zdscpars.c b/psi/zdscpars.c`
			`index c05e154..9b4b605 100644`
			`--- a/psi/zdscpars.c`
			`+++ b/psi/zdscpars.c`
			`@@ -150,11 +150,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p)`
			`ref local_ref;`
			`int code;`
			`os_ptr const op = osp;`
			`- dict * const pdict = op->value.pdict;`
			`- gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict);`
			`- dsc_data_t * const data =`
			`- gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");`
			`+ dict *pdict;`
			`+ gs_memory_t *mem;`
			`+ dsc_data_t *data;`

			`+ check_read_type(*op, t_dictionary);`
			`+`
			`+ pdict = op->value.pdict;`
			`+ mem = (gs_memory_t *)dict_memory(pdict);`
			`+`
			`+ data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");`
			`if (!data)`
			`return_error(gs_error_VMerror);`
			`data->document_level = 0;`