packages/ghostscript
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync some patches from community

Browse Source
This commit is contained in:
hugel 2025-04-17 14:45:35 +08:00
parent 9a623c323c
commit ae4b352a77
4 changed files with 264 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
backport-Fix-memory-leak-in-pdfwrite-device.patch Normal file
View File

@ -0,0 +1,45 @@
From 90f0f92bf6bf9c346cd3f74adaa42a7c8a3702cb Mon Sep 17 00:00:00 2001
From: Nancy Durgin <nancy.durgin@artifex.com>
Date: Wed, 22 Jul 2020 12:24:05 -0700
Subject: [PATCH] Fix memory leak in pdfwrite device
This appears to only be a memory leak for non-garbage-collected interpreters
such as pdfi.
sclose() calls s_disable() which sets s->cbuf to 0.
But it also calls client callbacks that might do things with cbuf first, so
it will crash if we free it before calling sclose().
Side-effects galore! :(
Anyway, we save the pointer before doing the sclose() so we can
properly free it afterwards.
---
devices/vector/gdevpdfu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/devices/vector/gdevpdfu.c b/devices/vector/gdevpdfu.c
index 2b2af1d32..f58999444 100644
--- a/devices/vector/gdevpdfu.c
+++ b/devices/vector/gdevpdfu.c
@@ -1186,6 +1186,7 @@ stream_to_none(gx_device_pdf * pdev)
}
if (pdev->compression_at_page_start == pdf_compress_Flate) { /* Terminate the filters. */
stream *fs = s->strm;
+ byte *buf;
if (!pdev->binary_ok) {
sclose(s); /* Terminate the ASCII85 filter. */
@@ -1194,8 +1195,9 @@ stream_to_none(gx_device_pdf * pdev)
pdev->strm = s = fs;
fs = s->strm;
}
+ buf = s->cbuf; /* Save because sclose may zero it out (causing memory leak) */
sclose(s); /* Next terminate the compression filter */
- gs_free_object(pdev->pdf_memory, s->cbuf, "zlib buffer");
+ gs_free_object(pdev->pdf_memory, buf, "zlib buffer");
gs_free_object(pdev->pdf_memory, s, "zlib stream");
pdev->strm = fs;
}
--
2.33.0

67
backport-Fix-memory-leak-on-error-in-bitmap_paint-and-its-cal.patch Normal file
View File

@ -0,0 +1,67 @@
From 776cf430dd1a96a7da33c0d33af9a6dd42bffec0 Mon Sep 17 00:00:00 2001
From: Julian Smith <jules@op59.net>
Date: Mon, 25 May 2020 11:59:52 +0100
Subject: [PATCH] Fix memory leak on error in bitmap_paint() and its callers.
Previously, bitmap_paint() would free its 'gs_image_enum * pen' arg, but caller
image_PaintProc() could also attempt to free this in one error path.
So have changed bitmap_paint() to only free what it allocates - call
gs_image_cleanup() instead of gs_image_cleanup_and_free_enum(); and patched
its two callers, mask_PaintProc() and image_PaintProc(), to add calls to
gs_free_object(pen).
Fixes leak in:
MEMENTO_FAILAT=15601 ./ghostpdl/membin/gpcl6 -sDEVICE=pbmraw -o /dev/null tests_private/pcl/pcl5cfts/fts.0954
---
base/gsptype1.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/base/gsptype1.c b/base/gsptype1.c
index 57c856596..e7f41eac2 100644
--- a/base/gsptype1.c
+++ b/base/gsptype1.c
@@ -808,10 +808,10 @@ static int bitmap_paint(gs_image_enum * pen, gs_data_image_t * pim,
static int
mask_PaintProc(const gs_client_color * pcolor, gs_gstate * pgs)
{
+ int code;
const pixmap_info *ppmap = gs_getpattern(pcolor)->client_data;
const gs_depth_bitmap *pbitmap = &(ppmap->bitmap);
- gs_image_enum *pen =
- gs_image_enum_alloc(gs_gstate_memory(pgs), "mask_PaintProc");
+ gs_image_enum *pen = gs_image_enum_alloc(gs_gstate_memory(pgs), "mask_PaintProc");
gs_image1_t mask;
if (pen == 0)
@@ -820,7 +820,9 @@ mask_PaintProc(const gs_client_color * pcolor, gs_gstate * pgs)
mask.Width = pbitmap->size.x;
mask.Height = pbitmap->size.y;
gs_image_init(pen, &mask, false, false, pgs);
- return bitmap_paint(pen, (gs_data_image_t *) & mask, pbitmap, pgs);
+ code = bitmap_paint(pen, (gs_data_image_t *) & mask, pbitmap, pgs);
+ gs_free_object(gs_gstate_memory(pgs), pen, "mask_PaintProc");
+ return code;
}
static int
image_PaintProc(const gs_client_color * pcolor, gs_gstate * pgs)
@@ -896,6 +898,7 @@ image_PaintProc(const gs_client_color * pcolor, gs_gstate * pgs)
(gs_data_image_t *)&image,
pgs )) >= 0 &&
(code = bitmap_paint(pen, (gs_data_image_t *) & image, pbitmap, pgs)) >= 0) {
+ gs_free_object(gs_gstate_memory(pgs), pen, "image_PaintProc");
return gs_grestore(pgs);
}
/* Failed above, need to undo the gsave */
@@ -922,7 +925,7 @@ bitmap_paint(gs_image_enum * pen, gs_data_image_t * pim,
else
for (n = pim->Height; n > 0 && code >= 0; dp += raster, --n)
code = gs_image_next(pen, dp, nbytes, &used);
- code1 = gs_image_cleanup_and_free_enum(pen, pgs);
+ code1 = gs_image_cleanup(pen, pgs);
if (code >= 0 && code1 < 0)
code = code1;
return code;
--
2.33.0

139
backport-Fix-memory-leaks-in-tiffsep.patch Normal file
View File

@ -0,0 +1,139 @@
From ba2fdf5517af3bcd8a613fda84c532307d1e7024 Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Fri, 29 May 2020 17:22:40 +0100
Subject: [PATCH] Fix memory leaks in tiffsep.
Calling TIFFCleanup doesn't close the underlying tiffio. Call
TIFFClose instead.
Now the tiff io close handler is actually called, be careful
not to close the underlying file twice.
Finally, actually remember to close the comp file.
---
base/gstiffio.c | 20 +++++++++++---------
devices/gdevtifs.c | 2 +-
devices/gdevtsep.c | 8 +++-----
3 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/base/gstiffio.c b/base/gstiffio.c
index ff67dc5e5..2ea8c54bd 100644
--- a/base/gstiffio.c
+++ b/base/gstiffio.c
@@ -105,11 +105,13 @@ gs_tifsCloseProc(thandle_t fd)
{
tifs_io_private *tiffio = (tifs_io_private *)fd;
gx_device_printer *pdev = tiffio->pdev;
- int code = gp_fclose(tiffio->f);
-
+
+ /* We don't close tiffio->f as this will be closed later by the
+ * device. */
+
gs_free(pdev->memory, tiffio, sizeof(tifs_io_private), 1, "gs_tifsCloseProc");
- return code;
+ return 0;
}
static uint64_t
@@ -122,12 +124,12 @@ gs_tifsSizeProc(thandle_t fd)
if (curpos < 0) {
return(0);
}
-
+
if (gp_fseek(tiffio->f, (gs_offset_t)0, SEEK_END) < 0) {
return(0);
}
length = (uint64_t)gp_ftell(tiffio->f);
-
+
if (gp_fseek(tiffio->f, curpos, SEEK_SET) < 0) {
return(0);
}
@@ -152,7 +154,7 @@ tiff_from_filep(gx_device_printer *dev, const char *name, gp_file *filep, int b
mode[modelen++] = '8';
mode[modelen] = (char)0;
-
+
tiffio = (tifs_io_private *)gs_malloc(dev->memory, sizeof(tifs_io_private), 1, "tiff_from_filep");
if (!tiffio) {
return NULL;
@@ -173,7 +175,7 @@ static void
gs_tifsWarningHandlerEx(thandle_t client_data, const char* module, const char* fmt, va_list ap)
{
tifs_io_private *tiffio = (tifs_io_private *)client_data;
- gx_device_printer *pdev = tiffio->pdev;
+ gx_device_printer *pdev = tiffio->pdev;
int count;
char buf[TIFF_PRINT_BUF_LENGTH];
@@ -190,7 +192,7 @@ static void
gs_tifsErrorHandlerEx(thandle_t client_data, const char* module, const char* fmt, va_list ap)
{
tifs_io_private *tiffio = (tifs_io_private *)client_data;
- gx_device_printer *pdev = tiffio->pdev;
+ gx_device_printer *pdev = tiffio->pdev;
const char *max_size_error = "Maximum TIFF file size exceeded";
int count;
char buf[TIFF_PRINT_BUF_LENGTH];
@@ -242,7 +244,7 @@ TIFFOpen(const char* name, const char* mode)
{
(void)name;
(void)mode;
-
+
return(NULL);
}
diff --git a/devices/gdevtifs.c b/devices/gdevtifs.c
index de30a934b..6b5ff41a4 100644
--- a/devices/gdevtifs.c
+++ b/devices/gdevtifs.c
@@ -74,7 +74,7 @@ tiff_close(gx_device * pdev)
gx_device_tiff *const tfdev = (gx_device_tiff *)pdev;
if (tfdev->tif)
- TIFFCleanup(tfdev->tif);
+ TIFFClose(tfdev->tif);
if (tfdev->icclink != NULL)
{
diff --git a/devices/gdevtsep.c b/devices/gdevtsep.c
index 5142d0d0c..2b14c4e90 100644
--- a/devices/gdevtsep.c
+++ b/devices/gdevtsep.c
@@ -1813,7 +1813,7 @@ tiffsep_close_sep_file(tiffsep_device *tfdev, const char *fn, int comp_num)
int code;
if (tfdev->tiff[comp_num]) {
- TIFFCleanup(tfdev->tiff[comp_num]);
+ TIFFClose(tfdev->tiff[comp_num]);
tfdev->tiff[comp_num] = NULL;
}
@@ -1832,7 +1832,7 @@ tiffsep_close_comp_file(tiffsep_device *tfdev, const char *fn)
int code;
if (tfdev->tiff_comp) {
- TIFFCleanup(tfdev->tiff_comp);
+ TIFFClose(tfdev->tiff_comp);
tfdev->tiff_comp = NULL;
}
@@ -2577,9 +2577,7 @@ cleanup:
}
}
TIFFWriteDirectory(tfdev->tiff_comp);
- if (fmt) {
- code = tiffsep_close_comp_file(tfdev, pdev->fname);
- }
+ code = tiffsep_close_comp_file(tfdev, pdev->fname);
if (code1 < 0) {
code = code1;
}
--
2.33.0

14
ghostscript.spec
View File

@ -9,7 +9,7 @@
Name: ghostscript
Version: 9.52
Release: 22
Release: 23
Summary: An interpreter for PostScript and PDF files
License: AGPLv3+
URL: https://ghostscript.com/
@ -68,6 +68,9 @@ Patch49: backport-CVE-2025-27830.patch
Patch50: backport-CVE-2025-27832.patch
Patch51: backport-CVE-2025-27835.patch
Patch52: backport-CVE-2025-27836.patch
Patch53: backport-Fix-memory-leak-in-pdfwrite-device.patch
Patch54: backport-Fix-memory-leak-on-error-in-bitmap_paint-and-its-cal.patch
Patch55: backport-Fix-memory-leaks-in-tiffsep.patch
BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -228,6 +231,15 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf
%changelog
* Thu Apr 17 2025 hugel <gengqihu2@h-partners.com> - 9.52-23
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:Sync some patches from community
backport-Fix-memory-leak-in-pdfwrite-device.patch
backport-Fix-memory-leak-on-error-in-bitmap_paint-and-its-cal.patch
backport-Fix-memory-leaks-in-tiffsep.patch
* Tue Apr 01 2025 Funda Wang <fundawang@yeah.net> - 9.52-22
- Type:CVE
- ID:NA