rpms/ghostscript/F-12 ghostscript-CVE-2010-1628.patch, NONE, 1.1 ghostscript.spec, 1.208, 1.209

Tim Waugh twaugh at fedoraproject.org
Fri Jul 16 12:51:28 UTC 2010


Author: twaugh

Update of /cvs/pkgs/rpms/ghostscript/F-12
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv16681

Modified Files:
	ghostscript.spec 
Added Files:
	ghostscript-CVE-2010-1628.patch 
Log Message:
* Fri Jul 16 2010 Tim Waugh <twaugh at redhat.com> 8.71-7
- Applied patch to fix CVE-2010-1628 (memory corruption at PS stack
  overflow, bug #592492).


ghostscript-CVE-2010-1628.patch:
 ialloc.c  |   19 +++++++++++--------
 idosave.h |   19 ++++++++++++++++++-
 isave.c   |   21 ++-------------------
 3 files changed, 31 insertions(+), 28 deletions(-)

--- NEW FILE ghostscript-CVE-2010-1628.patch ---
diff -up ghostscript-8.70/psi/ialloc.c.CVE-2010-1628 ghostscript-8.70/psi/ialloc.c
--- ghostscript-8.70/psi/ialloc.c.CVE-2010-1628	2008-08-28 23:48:19.000000000 +0100
+++ ghostscript-8.70/psi/ialloc.c	2010-07-16 12:15:45.230948203 +0100
@@ -185,7 +185,14 @@ gs_alloc_ref_array(gs_ref_memory_t * mem
 	 */
 	chunk_t *pcc = mem->pcc;
 	ref *end;
+	alloc_change_t *cp = 0;
+        int code = 0;
 
+	if ((gs_memory_t *)mem != mem->stable_memory) {
+	    code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &cp);
+	    if (code < 0)
+		return code;
+	}
 	obj = gs_alloc_struct_array((gs_memory_t *) mem, num_refs + 1,
 				    ref, &st_refs, cname);
 	if (obj == 0)
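Review bot: If gs_alloc_struct_array on the line above fails, the change record obtained into `cp` at the top of this hunk has been neither chained onto mem->changes nor released, so the `obj == 0` path (its return is just past the hunk) now leaks one alloc_change_t per failed allocation; before this patch the record was only created after obj existed, so that path had nothing to clean up. Release it before returning, e.g. `if (cp) gs_free_object((gs_memory_t *)mem, cp, "gs_alloc_ref_array");` — assuming the record comes from the same allocator alloc_save_change_alloc draws from, which this hunk does not show. The `int code = 0;` line is also indented with spaces where the rest of the block uses tabs. gs_alloc_ref_array begins before this hunk and continues after it.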
@@ -210,14 +217,10 @@ gs_alloc_ref_array(gs_ref_memory_t * mem
 	    chunk_locate_ptr(obj, &cl);
 	    cl.cp->has_refs = true;
 	}
-	if ((gs_memory_t *)mem != mem->stable_memory) {
-	    ref_packed **ppr = 0;
-	    int code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &ppr);
-	    if (code < 0)
-		return code;
-            if (ppr)
-	        *ppr = (ref_packed *)obj;
-	}
+	if (cp) {
+            mem->changes = cp;
+            cp->where = (ref_packed *)obj;
+        }
     }
     make_array(parr, attrs | mem->space, num_refs, obj);
     return 0;
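Review bot: `mem->changes = cp;` installs a record whose `next` link was fixed inside alloc_save_change_alloc, i.e. before gs_alloc_struct_array ran; if that allocation, or the garbage collection it can trigger, adds to or rewrites mem->changes in between, this assignment silently unhooks that work (the setting of `next` is outside these hunks, so this is inferred from `*pcp = cp` being the last thing isave.c does with the record). Unless nothing can touch the chain in between, re-chain at the point of publication: `cp->where = (ref_packed *)obj; cp->next = mem->changes; mem->changes = cp;`. Storing `where` before the record becomes reachable also guarantees no `where == 0` record is ever visible on the chain, which is the situation this CVE fix is meant to avoid. gs_alloc_ref_array's body starts before this hunk.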
diff -up ghostscript-8.70/psi/idosave.h.CVE-2010-1628 ghostscript-8.70/psi/idosave.h
--- ghostscript-8.70/psi/idosave.h.CVE-2010-1628	2008-08-28 23:48:19.000000000 +0100
+++ ghostscript-8.70/psi/idosave.h	2010-07-16 12:15:45.238073609 +0100
@@ -18,6 +18,22 @@
 #  define idosave_INCLUDED
 
 /*
+ * Structure for saved change chain for save/restore.  Because of the
+ * garbage collector, we need to distinguish the cases where the change
+ * is in a static object, a dynamic ref, or a dynamic struct.
+ */
+typedef struct alloc_change_s alloc_change_t;
+struct alloc_change_s {
+    alloc_change_t *next;
+    ref_packed *where;
+    ref contents;
+#define AC_OFFSET_STATIC (-2)	/* static object */
+#define AC_OFFSET_REF (-1)	/* dynamic ref */
+#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */
+    short offset;		/* if >= 0, offset within struct */
+};
+
+/*
  * Save a change that must be undone by restore.  We have to pass the
  * pointer to the containing object to alloc_save_change for two reasons:
  *
@@ -29,6 +45,7 @@
  * relocate the pointer to it from the change record during garbage
  * collection.
  */
+
 int alloc_save_change(gs_dual_memory_t *dmem, const ref *pcont,
 		      ref_packed *ptr, client_name_t cname);
 int alloc_save_change_in(gs_ref_memory_t *mem, const ref *pcont,
@@ -36,6 +53,6 @@ int alloc_save_change_in(gs_ref_memory_t
 /* Remove an AC_OFFSET_ALLOCATED element. */
 void alloc_save_remove(gs_ref_memory_t *mem, ref_packed *obj, client_name_t cname);
 /* Allocate a structure for recording an allocation event. */
-int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr);
+int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp);
 
 #endif /* idosave_INCLUDED */
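Review bot: The comment above the changed prototype still reads "Allocate a structure for recording an allocation event", but the contract moved with the signature: the record returned in `*pcp` is no longer pushed onto mem->changes (that statement was deleted from isave.c), so the caller owns it until it sets `where` and links it, and must free it if its own allocation then fails. Replace the comment with: `/* Allocate an AC_OFFSET_ALLOCATED change record and return it in *pcp without chaining it; the caller sets ->where and pushes it onto mem->changes, or frees it. Returns 1 on success, <0 on error. */`. Whether `*pcp` is left untouched on a non-negative return without a record is not visible here — ialloc.c pre-initializes its `cp` to 0, which suggests it can be — and the header should state that explicitly.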
diff -up ghostscript-8.70/psi/isave.c.CVE-2010-1628 ghostscript-8.70/psi/isave.c
--- ghostscript-8.70/psi/isave.c.CVE-2010-1628	2008-08-28 23:48:19.000000000 +0100
+++ ghostscript-8.70/psi/isave.c	2010-07-16 12:15:45.245073557 +0100
@@ -156,22 +156,6 @@ print_save(const char *str, uint spacen,
 /* A link to igcref.c . */
 ptr_proc_reloc(igc_reloc_ref_ptr_nocheck, ref_packed);
 
-/*
- * Structure for saved change chain for save/restore.  Because of the
- * garbage collector, we need to distinguish the cases where the change
- * is in a static object, a dynamic ref, or a dynamic struct.
- */
-typedef struct alloc_change_s alloc_change_t;
-struct alloc_change_s {
-    alloc_change_t *next;
-    ref_packed *where;
-    ref contents;
-#define AC_OFFSET_STATIC (-2)	/* static object */
-#define AC_OFFSET_REF (-1)	/* dynamic ref */
-#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */
-    short offset;		/* if >= 0, offset within struct */
-};
-
 static 
 CLEAR_MARKS_PROC(change_clear_marks)
 {
@@ -519,7 +503,7 @@ alloc_save_change(gs_dual_memory_t * dme
 
 /* Allocate a structure for recording an allocation event. */
 int
-alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr)
+alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp)
 {
     register alloc_change_t *cp;
 
@@ -533,8 +517,7 @@ alloc_save_change_alloc(gs_ref_memory_t 
     cp->where = 0;
     cp->offset = AC_OFFSET_ALLOCATED;
     make_null(&cp->contents);
-    mem->changes = cp;
-    *ppr = &cp->where;
+    *pcp = cp;
     return 1;
 }
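Review bot: `*pcp = cp;` on the success path is now the only way a caller learns about the record, yet the earlier return paths of alloc_save_change_alloc (above this hunk) are not shown to write `*pcp`; gs_alloc_ref_array works around that by initializing its `cp` to 0, which every future caller has to remember. Initialize the out-parameter at function entry, `*pcp = 0;`, so a non-negative return without a record is safe for any caller. Since `mem->changes = cp` was removed, wherever `cp->next` is assigned earlier in the body now captures the chain head at a moment that may be stale by the time the caller links the record; either document that the caller must re-chain or leave `next` for the caller to set. The function starts before this hunk.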
 


Index: ghostscript.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ghostscript/F-12/ghostscript.spec,v
retrieving revision 1.208
retrieving revision 1.209
diff -u -p -r1.208 -r1.209
--- ghostscript.spec	16 Mar 2010 13:29:23 -0000	1.208
+++ ghostscript.spec	16 Jul 2010 12:51:28 -0000	1.209
@@ -5,7 +5,7 @@ Summary: A PostScript interpreter and re
 Name: ghostscript
 Version: %{gs_ver}
 
-Release: 6%{?dist}
+Release: 7%{?dist}
 
 # Included CMap data is Redistributable, no modification permitted,
 # see http://bugzilla.redhat.com/487510
@@ -35,6 +35,7 @@ Patch16: ghostscript-cups-realloc-color-
 Patch17: ghostscript-tif-fail-close.patch
 Patch18: ghostscript-tiff-default-strip-size.patch
 Patch19: ghostscript-tiff-fixes.patch
+Patch20: ghostscript-CVE-2010-1628.patch
 
 Requires: urw-fonts >= 1.1, ghostscript-fonts
 BuildRequires: xz
@@ -164,6 +165,10 @@ rm -rf libpng zlib jpeg jasper
 # Backported some more TIFF fixes (bug #573970).
 %patch19 -p1 -b .tiff-fixes
 
+# Applied patch to fix CVE-2010-1628 (memory corruption at PS stack
+# overflow, bug #592492).
+%patch20 -p1 -b .CVE-2010-1628
+
 # Convert manual pages to UTF-8
 from8859_1() {
 	iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@@ -352,6 +357,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libgs.so
 
 %changelog
+* Fri Jul 16 2010 Tim Waugh <twaugh at redhat.com> 8.71-7
+- Applied patch to fix CVE-2010-1628 (memory corruption at PS stack
+  overflow, bug #592492).
+
 * Tue Mar 16 2010 Tim Waugh <twaugh at redhat.com> 8.71-6
 - Backported some more TIFF fixes (bug #573970).
 - Use upstream fix for TIFF default strip size (bug #571520).


