current/SOURCES/ghostscript-9.20-cve-2016-7976.patch

From fee19fa8d4f6f351e5a76f5801884880249d6a45 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 5 Oct 2016 09:55:55 +0100
Subject: [PATCH] Bug 697178: Add a file permissions callback

For the rare occasions when the graphics library directly opens a file
(currently for reading), this allows us to apply any restrictions on
file access normally applied in the interpteter.
---
 base/gsicc_manage.c | 10 ++++++----
 base/gslibctx.c     | 12 +++++++++++-
 base/gslibctx.h     |  7 +++++++
 psi/imain.c         |  2 ++
 psi/int.mak         |  2 +-
 psi/zfile.c         | 19 +++++++++++++++++++
 psi/zfile.h         |  7 +++++++
 7 files changed, 53 insertions(+), 6 deletions(-)

diff --git a/base/gsicc_manage.c b/base/gsicc_manage.c
index 931c2a6..e9c09c3 100644
--- a/base/gsicc_manage.c
+++ b/base/gsicc_manage.c
@@ -1124,10 +1124,12 @@ gsicc_open_search(const char* pname, int namelen, gs_memory_t *mem_gc,
     }
 
     /* First just try it like it is */
-    str = sfopen(pname, "r", mem_gc);
-    if (str != NULL) {
-        *strp = str;
-        return 0;
+    if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) {
+        str = sfopen(pname, "r", mem_gc);
+        if (str != NULL) {
+            *strp = str;
+            return 0;
+        }
     }
 
     /* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */
diff --git a/base/gslibctx.c b/base/gslibctx.c
index fa4432a..f2c13e3 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -183,7 +183,7 @@ int gs_lib_ctx_init( gs_memory_t *mem )
         mem->gs_lib_ctx = NULL;
         return -1;
     }
-    
+    pio->client_check_file_permission = NULL;
     gp_get_realtime(pio->real_time_0);
 
     /* Set scanconverter to 1 (default) */
@@ -336,3 +336,13 @@ void errflush(const gs_memory_t *mem)
         fflush(mem->gs_lib_ctx->fstderr);
     /* else nothing to flush */
 }
+
+int
+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission)
+{
+    int code = 0;
+    if (mem->gs_lib_ctx->client_check_file_permission != NULL) {
+        code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission);
+    }
+    return code;
+}
diff --git a/base/gslibctx.h b/base/gslibctx.h
index 84ec205..55eb4a6 100644
--- a/base/gslibctx.h
+++ b/base/gslibctx.h
@@ -32,6 +32,9 @@ typedef struct gs_fapi_server_s gs_fapi_server;
 #  define gs_font_dir_DEFINED
 typedef struct gs_font_dir_s gs_font_dir;
 #endif
+
+typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission);
+
 typedef struct gs_lib_ctx_s
 {
     gs_memory_t *memory;  /* mem->gs_lib_ctx->memory == mem */
@@ -61,6 +64,7 @@ typedef struct gs_lib_ctx_s
     struct gx_io_device_s **io_device_table;
     int io_device_table_count;
     int io_device_table_size;
+    client_check_file_permission_t client_check_file_permission;
     /* Define the default value of AccurateScreens that affects setscreen
        and setcolorscreen. */
     bool screen_accurate_screens;
@@ -132,6 +136,9 @@ int
 gs_lib_ctx_get_default_device_list(const gs_memory_t *mem, char** dev_list_str,
                         int *list_str_len);
 
+int
+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission);
+
 #define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout)
 #define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr)
 
diff --git a/psi/imain.c b/psi/imain.c
index 9a9bb5d..6874128 100644
--- a/psi/imain.c
+++ b/psi/imain.c
@@ -57,6 +57,7 @@
 #include "ivmspace.h"
 #include "idisp.h"              /* for setting display device callback */
 #include "iplugin.h"
+#include "zfile.h"
 
 #ifdef PACIFY_VALGRIND
 #include "valgrind.h"
@@ -212,6 +213,7 @@ gs_main_init1(gs_main_instance * minst)
                                            "the_gs_name_table");
             if (code < 0)
                 return code;
+            mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions;
         }
         code = obj_init(&minst->i_ctx_p, &idmem);  /* requires name_init */
         if (code < 0)
diff --git a/psi/int.mak b/psi/int.mak
index 4654afc..bb30d51 100644
--- a/psi/int.mak
+++ b/psi/int.mak
@@ -2024,7 +2024,7 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $(GH) $(memory__h) $(string__h)\
  $(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\
  $(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\
  $(iinit_h) $(main_h) $(oper_h) $(ostack_h)\
- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)\
+ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)\
  $(INT_MAK) $(MAKEDIRS)
        $(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c
 
diff --git a/psi/zfile.c b/psi/zfile.c
index b6caea2..fd94f67 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p, const char *fname, int len,
     return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup);
 }
 
+/* z_check_file_permissions: see zfile.h for explanation
+ */
+int
+z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission)
+{
+    i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p;
+    gs_parsed_file_name_t pname;
+    const char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting";
+    int code = gs_parse_file_name(&pname, fname, len, imemory);
+    if (code < 0)
+        return code;
+
+    if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0)
+        return gs_error_invalidfileaccess;
+        
+    code = check_file_permissions(i_ctx_p, fname, len, permitgroup);
+    return code;
+}
+
 /* <name_string> <access_string> file <file> */
 int                             /* exported for zsysvm.c */
 zfile(i_ctx_t *i_ctx_p)
diff --git a/psi/zfile.h b/psi/zfile.h
index fdf1373..a9399c7 100644
--- a/psi/zfile.h
+++ b/psi/zfile.h
@@ -22,4 +22,11 @@
 int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn,
            const char *file_access, stream **ps, gs_memory_t *mem);
 
+/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission)
+ * to allow applying the above permissions checks when opening file(s) from
+ * the graphics library
+ */
+int
+z_check_file_permissions(gs_memory_t *mem, const char *fname,
+                                 const int len, const char *permission);
 #endif
-- 
2.7.4

1	From fee19fa8d4f6f351e5a76f5801884880249d6a45 Mon Sep 17 00:00:00 2001
2	From: Chris Liddell <chris.liddell@artifex.com>
3	Date: Wed, 5 Oct 2016 09:55:55 +0100
4	Subject: [PATCH] Bug 697178: Add a file permissions callback
5
6	For the rare occasions when the graphics library directly opens a file
7	(currently for reading), this allows us to apply any restrictions on
8	file access normally applied in the interpteter.
9	---
10	base/gsicc_manage.c \| 10 ++++++----
11	base/gslibctx.c \| 12 +++++++++++-
12	base/gslibctx.h \| 7 +++++++
13	psi/imain.c \| 2 ++
14	psi/int.mak \| 2 +-
15	psi/zfile.c \| 19 +++++++++++++++++++
16	psi/zfile.h \| 7 +++++++
17	7 files changed, 53 insertions(+), 6 deletions(-)
18
19	diff --git a/base/gsicc_manage.c b/base/gsicc_manage.c
20	index 931c2a6..e9c09c3 100644
21	--- a/base/gsicc_manage.c
22	+++ b/base/gsicc_manage.c
23	@@ -1124,10 +1124,12 @@ gsicc_open_search(const char* pname, int namelen, gs_memory_t *mem_gc,
24	}
25
26	/* First just try it like it is */
27	- str = sfopen(pname, "r", mem_gc);
28	- if (str != NULL) {
29	- *strp = str;
30	- return 0;
31	+ if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) {
32	+ str = sfopen(pname, "r", mem_gc);
33	+ if (str != NULL) {
34	+ *strp = str;
35	+ return 0;
36	+ }
37	}
38
39	/* If that fails, try %rom% / / FIXME: Not sure this is needed or correct */
40	diff --git a/base/gslibctx.c b/base/gslibctx.c
41	index fa4432a..f2c13e3 100644
42	--- a/base/gslibctx.c
43	+++ b/base/gslibctx.c
44	@@ -183,7 +183,7 @@ int gs_lib_ctx_init( gs_memory_t *mem )
45	mem->gs_lib_ctx = NULL;
46	return -1;
47	}
48	-
49	+ pio->client_check_file_permission = NULL;
50	gp_get_realtime(pio->real_time_0);
51
52	/* Set scanconverter to 1 (default) */
53	@@ -336,3 +336,13 @@ void errflush(const gs_memory_t *mem)
54	fflush(mem->gs_lib_ctx->fstderr);
55	/* else nothing to flush */
56	}
57	+
58	+int
59	+gs_check_file_permission (gs_memory_t mem, const char fname, const int len, const char *permission)
60	+{
61	+ int code = 0;
62	+ if (mem->gs_lib_ctx->client_check_file_permission != NULL) {
63	+ code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission);
64	+ }
65	+ return code;
66	+}
67	diff --git a/base/gslibctx.h b/base/gslibctx.h
68	index 84ec205..55eb4a6 100644
69	--- a/base/gslibctx.h
70	+++ b/base/gslibctx.h
71	@@ -32,6 +32,9 @@ typedef struct gs_fapi_server_s gs_fapi_server;
72	# define gs_font_dir_DEFINED
73	typedef struct gs_font_dir_s gs_font_dir;
74	#endif
75	+
76	+typedef int (client_check_file_permission_t) (gs_memory_t mem, const char fname, const int len, const char permission);
77	+
78	typedef struct gs_lib_ctx_s
79	{
80	gs_memory_t memory; / mem->gs_lib_ctx->memory == mem */
81	@@ -61,6 +64,7 @@ typedef struct gs_lib_ctx_s
82	struct gx_io_device_s **io_device_table;
83	int io_device_table_count;
84	int io_device_table_size;
85	+ client_check_file_permission_t client_check_file_permission;
86	/* Define the default value of AccurateScreens that affects setscreen
87	and setcolorscreen. */
88	bool screen_accurate_screens;
89	@@ -132,6 +136,9 @@ int
90	gs_lib_ctx_get_default_device_list(const gs_memory_t mem, char* dev_list_str,
91	int *list_str_len);
92
93	+int
94	+gs_check_file_permission (gs_memory_t mem, const char fname, const int len, const char *permission);
95	+
96	#define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout)
97	#define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr)
98
99	diff --git a/psi/imain.c b/psi/imain.c
100	index 9a9bb5d..6874128 100644
101	--- a/psi/imain.c
102	+++ b/psi/imain.c
103	@@ -57,6 +57,7 @@
104	#include "ivmspace.h"
105	#include "idisp.h" /* for setting display device callback */
106	#include "iplugin.h"
107	+#include "zfile.h"
108
109	#ifdef PACIFY_VALGRIND
110	#include "valgrind.h"
111	@@ -212,6 +213,7 @@ gs_main_init1(gs_main_instance * minst)
112	"the_gs_name_table");
113	if (code < 0)
114	return code;
115	+ mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions;
116	}
117	code = obj_init(&minst->i_ctx_p, &idmem); /* requires name_init */
118	if (code < 0)
119	diff --git a/psi/int.mak b/psi/int.mak
120	index 4654afc..bb30d51 100644
121	--- a/psi/int.mak
122	+++ b/psi/int.mak
123	@@ -2024,7 +2024,7 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $(GH) $(memory__h) $(string__h)\
124	$(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\
125	$(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\
126	$(iinit_h) $(main_h) $(oper_h) $(ostack_h)\
127	- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)\
128	+ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)\
129	$(INT_MAK) $(MAKEDIRS)
130	$(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c
131
132	diff --git a/psi/zfile.c b/psi/zfile.c
133	index b6caea2..fd94f67 100644
134	--- a/psi/zfile.c
135	+++ b/psi/zfile.c
136	@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t i_ctx_p, const char fname, int len,
137	return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup);
138	}
139
140	+/* z_check_file_permissions: see zfile.h for explanation
141	+ */
142	+int
143	+z_check_file_permissions(gs_memory_t mem, const char fname, const int len, const char *permission)
144	+{
145	+ i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p;
146	+ gs_parsed_file_name_t pname;
147	+ const char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting";
148	+ int code = gs_parse_file_name(&pname, fname, len, imemory);
149	+ if (code < 0)
150	+ return code;
151	+
152	+ if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0)
153	+ return gs_error_invalidfileaccess;
154	+
155	+ code = check_file_permissions(i_ctx_p, fname, len, permitgroup);
156	+ return code;
157	+}
158	+
159	/* <name_string> <access_string> file <file> */
160	int /* exported for zsysvm.c */
161	zfile(i_ctx_t *i_ctx_p)
162	diff --git a/psi/zfile.h b/psi/zfile.h
163	index fdf1373..a9399c7 100644
164	--- a/psi/zfile.h
165	+++ b/psi/zfile.h
166	@@ -22,4 +22,11 @@
167	int zopen_file(i_ctx_t i_ctx_p, const gs_parsed_file_name_t pfn,
168	const char file_access, stream ps, gs_memory_t mem);
169
170	+/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission)
171	+ * to allow applying the above permissions checks when opening file(s) from
172	+ * the graphics library
173	+ */
174	+int
175	+z_check_file_permissions(gs_memory_t mem, const char fname,
176	+ const int len, const char *permission);
177	#endif
178	--
179	2.7.4
180