
Contents of /updates/5/ghostscript/current/SOURCES/ghostscript-9.20-cve-2017-11714.patch



Revision 1160897
Thu Sep 28 09:45:10 2017 UTC (6 years, 6 months ago) by ns80
File size: 1907 byte(s)
- add patches for CVE-2017-9611, CVE-2017-9612, CVE-2017-9726, CVE-2017-9727, CVE-2017-9739, CVE-2017-9835, CVE-2017-11714 (mga#21630)

1 From 671fd59eb657743aa86fbc1895cb15872a317caa Mon Sep 17 00:00:00 2001
2 From: Chris Liddell <chris.liddell@artifex.com>
3 Date: Thu, 6 Jul 2017 14:54:02 +0100
4 Subject: [PATCH] Bug 698158: prevent trying to reloc a freed object
5
6 In the token reader, we pass the scanner state structure around as a
7 t_struct ref on the Postscript operand stack.
8
9 But we explicitly free the scanner state when we're done, which leaves a
10 dangling reference on the operand stack and, unless that reference gets
11 overwritten before the next garbager run, we can end up with the garbager
12 trying to deal with an already freed object - that can cause a crash, or
13 memory corruption.
14 ---
15 psi/ztoken.c | 14 +++++++++++++-
16 1 file changed, 13 insertions(+), 1 deletion(-)
17
18 diff --git a/psi/ztoken.c b/psi/ztoken.c
19 index 4dba7c5..af1ceeb 100644
20 --- a/psi/ztoken.c
21 +++ b/psi/ztoken.c
22 @@ -107,6 +107,12 @@ token_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save)
23 int code;
24 ref token;
25
26 + /* Since we might free pstate below, and we're dealing with
27 + * gc memory referenced by the stack, we need to explicitly
28 + * remove the reference to pstate from the stack, otherwise
29 + * the garbager will fall over
30 + */
31 + make_null(osp);
32 /* Note that gs_scan_token may change osp! */
33 pop(1); /* remove the file or scanner state */
34 again:
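Review bot: The new comment in token_continue() does not say why `pop(1)` alone is insufficient, yet `make_null(osp);` is immediately followed by `pop(1);`, so the slot being nulled is the one that drops off the top of the stack on the next line. A reader will reasonably ask why a popped slot still matters to the collector. Please state the reason in the comment, and replace "the garbager will fall over" with the concrete failure named in the commit message (reloc of an already freed object, leading to a crash or memory corruption). The existing `pop(1)` comment says the slot holds "the file or scanner state", so the nulling also runs when the operand is a file; a word confirming that is intended would help. The same five-line comment is repeated verbatim in tokenexec_continue(), so consider keeping the full explanation in one place and referring to it from the other.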
35 @@ -183,8 +189,14 @@ ztokenexec_continue(i_ctx_t *i_ctx_p)
36 static int
37 tokenexec_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save)
38 {
39 - os_ptr op;
40 + os_ptr op = osp;
41 int code;
42 + /* Since we might free pstate below, and we're dealing with
43 + * gc memory referenced by the stack, we need to explicitly
44 + * remove the reference to pstate from the stack, otherwise
45 + * the garbager will fall over
46 + */
47 + make_null(osp);
48 /* Note that gs_scan_token may change osp! */
49 pop(1);
50 again:
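Review bot: In tokenexec_continue() the declaration becomes `os_ptr op = osp;`, but the added statement is `make_null(osp);` and does not use `op`, so from this hunk the new initializer has no visible consumer. If `op` is read later without being reassigned, it will point at the slot removed by `pop(1)`, and the context line "gs_scan_token may change osp!" means it can go stale after the scan as well. Either write `make_null(op);` so the initializer is actually used and the intent is clear, or drop the initializer and keep `os_ptr op;`. token_continue() received the same fix without any such change, which makes the difference between the two hunks look accidental; a line in the commit message explaining it would settle that.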
51 --
52 2.9.1
53
