diff -Nru ghostscript-9.25~dfsg+1/debian/changelog ghostscript-9.25~dfsg+1/debian/changelog --- ghostscript-9.25~dfsg+1/debian/changelog 2018-09-27 14:00:37.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/changelog 2018-10-30 13:51:42.000000000 +0000 @@ -1,3 +1,19 @@ +ghostscript (9.25~dfsg+1-0ubuntu0.14.04.2) trusty-security; urgency=medium + + * SECURITY UPDATE: Multiple security issues + - debian/patches/0218*.patch: multiple cherry-picked upstream commits + to fix security issues. Thanks to Jonas Smedegaard for cherry-picking + these for Debian's 9.25~dfsg-3 package. + - debian/symbols.common: added new symbol. + - CVE-2018-17961 + - CVE-2018-18073 + - CVE-2018-18284 + * Fix LeadingEdge regression introduced in 9.22. (LP: #1800062) + - debian/patches/lp1800062.patch: fix cups get/put_params LeadingEdge + logic in cups/gdevcups.c. + + -- Marc Deslauriers Tue, 30 Oct 2018 09:05:40 -0400 + ghostscript (9.25~dfsg+1-0ubuntu0.14.04.1) trusty-security; urgency=medium * SECURITY UPDATE: updated to 9.25 to fix multiple security issues diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180917~7c3e7ee.patch ghostscript-9.25~dfsg+1/debian/patches/020180917~7c3e7ee.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180917~7c3e7ee.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180917~7c3e7ee.patch 2018-10-18 20:07:42.000000000 +0000 @@ -0,0 +1,129 @@ +Description: Implement .currentoutputdevice operator + The currentdevice operator returns the device + currently installed in the graphics state. + This can be the output/page device, + but also could be a forwarding device (bbox device), + compositor (pdf14) or subclass device (erasepage optimisation, + First/Last page etc). + . + In certain circumstances (for example during a setpagedevice) + we want to be sure we're retrieving the *actual* output/page device. + . + The new .currentoutputdevice operator uses the spec_op device method + to traverse any chain of devices + and retrieve the final device in the chain, + which should always be the output/page device. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=7c3e7ee +Author: Chris Liddell +Forwarded: yes +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2211,7 +2211,7 @@ + /.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring + /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile + /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams +- /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath ++ /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice + + % Used by a free user in the Library of Congress. Apparently this is used to + % draw a partial page, which is then filled in by the results of a barcode +--- a/Resource/Init/gs_setpd.ps ++++ b/Resource/Init/gs_setpd.ps +@@ -877,7 +877,13 @@ + % Stack: mark + SETPDDEBUG { (Constructing.) = pstack flush } if + +- currentdevice .devicename 2 index /OutputDevice get eq ++ % Non-obvious: we need to check the name of the output device, to tell ++ % whether we're going to have to replace the entire device chain (which ++ % may be only one device, or may be multiple devices. ++ % If we're not replacing the entire change, we have to use the device in ++ % the graphics state, so the configuration of the entire device chain is ++ % correctly set. ++ .currentoutputdevice .devicename 2 index /OutputDevice get eq + { currentdevice } + { 1 index /OutputDevice get finddevice } + ifelse +--- a/base/gdevdflt.c ++++ b/base/gdevdflt.c +@@ -1044,6 +1044,11 @@ + dev_param_req_t *request = (dev_param_req_t *)data; + return gx_default_get_param(pdev, request->Param, request->list); + } ++ case gxdso_current_output_device: ++ { ++ *(gx_device **)data = pdev; ++ return 0; ++ } + } + return_error(gs_error_undefined); + } +--- a/base/gxdevsop.h ++++ b/base/gxdevsop.h +@@ -327,6 +327,10 @@ + gxdso_JPEG_passthrough_data, + gxdso_JPEG_passthrough_end, + gxdso_supports_iccpostrender, ++ /* Retrieve the last device in a device chain ++ (either forwarding or subclass devices). ++ */ ++ gxdso_current_output_device, + /* Add new gxdso_ keys above this. */ + gxdso_pattern__LAST + }; +--- a/psi/zdevice.c ++++ b/psi/zdevice.c +@@ -57,6 +57,7 @@ + } + + /* - currentdevice */ ++/* Returns the current device in the graphics state */ + int + zcurrentdevice(i_ctx_t *i_ctx_p) + { +@@ -71,6 +72,34 @@ + return 0; + } + ++/* - .currentoutputdevice */ ++/* Returns the *output* device - which will often ++ be the same as above, but not always: if a compositor ++ or other forwarding device, or subclassing device is ++ in force, that will be referenced by the graphics state ++ rather than the output device. ++ This is equivalent of currentdevice device, but returns ++ the *device* object, rather than the dictionary describing ++ the device and device state. ++ */ ++static int ++zcurrentoutputdevice(i_ctx_t *i_ctx_p) ++{ ++ os_ptr op = osp; ++ gx_device *odev = NULL, *dev = gs_currentdevice(igs); ++ gs_ref_memory_t *mem = (gs_ref_memory_t *) dev->memory; ++ int code = dev_proc(dev, dev_spec_op)(dev, ++ gxdso_current_output_device, (void *)&odev, 0); ++ if (code < 0) ++ return code; ++ ++ push(1); ++ make_tav(op, t_device, ++ (mem == 0 ? avm_foreign : imemory_space(mem)) | a_all, ++ pdevice, odev); ++ return 0; ++} ++ + /* .devicename */ + static int + zdevicename(i_ctx_t *i_ctx_p) +@@ -614,6 +643,7 @@ + { + {"1.copydevice2", zcopydevice2}, + {"0currentdevice", zcurrentdevice}, ++ {"0.currentoutputdevice", zcurrentoutputdevice}, + {"1.devicename", zdevicename}, + {"0.doneshowpage", zdoneshowpage}, + {"0flushpage", zflushpage}, diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180918~c1657e3.patch ghostscript-9.25~dfsg+1/debian/patches/020180918~c1657e3.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180918~c1657e3.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180918~c1657e3.patch 2018-10-18 21:06:23.000000000 +0000 @@ -0,0 +1,36 @@ +Description: Change "executeonly" to throw typecheck on gstatetype and devicetype objects + PS doesn't really have a "devicetype", + but it is not listed as an acceptable argument type to "executeonly", + so we probably should not accept it. + . + "gstate executeonly" throws typecheck in Acrobat, + so we should do the same. + . + Tested the other "access related" functions + (noaccess, readonly, rcheck, wcheck, xcheck) + and all of these accept "gstate" as an argument, + even though the PLRM says they should not. + Also our initialization code does things with wcheck and readonly + on devices and gstates. + . + So, this fix is only for "executeonly". +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=c1657e3 +Author: Nancy Durgin +Forwarded: yes +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/psi/ztype.c ++++ b/psi/ztype.c +@@ -174,9 +174,10 @@ + zexecuteonly(i_ctx_t *i_ctx_p) + { + os_ptr op = osp; ++ ref_type rtype = r_type(op); + + check_op(1); +- if (r_has_type(op, t_dictionary)) ++ if (rtype == t_dictionary || rtype == t_astruct || rtype == t_device) + return_error(gs_error_typecheck); + return access_check(i_ctx_p, a_execute, true); + } diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180918~c76bf1c.patch ghostscript-9.25~dfsg+1/debian/patches/020180918~c76bf1c.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180918~c76bf1c.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180918~c76bf1c.patch 2018-10-18 13:00:02.000000000 +0000 @@ -0,0 +1,31 @@ +Description: Undefine some additional internal operators. + .type, .writecvs, .setSMask, .currentSMask + . + These don't seem to be referenced anywhere + outside of the initialization code, + which binds their usages. Passes cluster if they are removed. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=c76bf1c +Author: Chris Liddell +Forwarded: yes +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2212,6 +2212,7 @@ + /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile + /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams + /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice ++ /.type /.writecvs /.setSMask /.currentSMask + + % Used by a free user in the Library of Congress. Apparently this is used to + % draw a partial page, which is then filled in by the results of a barcode +@@ -2230,7 +2231,7 @@ + % test files/utilities, or engineers expressed a desire to keep them visible. + % + %/currentdevice /.sort /.buildfont0 /.buildfont1 /.buildfont2 /.buildfont3 /.buildfont4 /.buildfont9 /.buildfont10 /.buildfont11 +- %/.buildfotn32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors ++ %/.buildfont32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors + %/currentdevice /.quit /.setuseciecolor /.needinput /.setoverprintmode /.special_op /.dicttomark /.knownget + %/.FAPIavailable /.FAPIpassfont /.FAPIrebuildfont /.FAPIBuildGlyph /.FAPIBuildChar /.FAPIBuildGlyph9 + %/.tempfile /.numicc_components /.set_outputintent /.max /.min /.vmreclaim /.getpath /.setglobal diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180919~18e8a06.patch ghostscript-9.25~dfsg+1/debian/patches/020180919~18e8a06.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180919~18e8a06.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180919~18e8a06.patch 2018-10-18 21:07:57.000000000 +0000 @@ -0,0 +1,35 @@ +Description: Fix handling of .needinput if used from interpreter + .needinput is meant as an internal function, + but it is exposed to the user. + I couldn't see an easy way to undefine it. + . + But if user calls it, + it returns gs_error_Fatal in a place that the code wasn't expecting, + and basically puts things in an undefined state. + This change returns a Fatal error at this point, instead. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=18e8a06 +Author: Nancy Durgin +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699793 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/psi/imain.c ++++ b/psi/imain.c +@@ -606,8 +606,15 @@ + pexit_code, perror_object); + if (code != gs_error_NeedInput) + return code; +- return gs_main_run_string_end(minst, user_errors, ++ ++ code = gs_main_run_string_end(minst, user_errors, + pexit_code, perror_object); ++ /* Not okay for user to use .needinput ++ * This treats it as a fatal error. ++ */ ++ if (code == gs_error_NeedInput) ++ return_error(gs_error_Fatal); ++ return code; + } + + /* Set up for a suspendable run_string. */ diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180920~78ed0a8.patch ghostscript-9.25~dfsg+1/debian/patches/020180920~78ed0a8.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180920~78ed0a8.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180920~78ed0a8.patch 2018-10-18 21:08:33.000000000 +0000 @@ -0,0 +1,20 @@ +Description: Ensure all errors are included from initialization + Previously only Level 1 errors were added during init. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=78ed0a8 +Author: Chris Liddell +Forwarded: yes +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -1110,8 +1110,7 @@ + .setglobal + } bind def + ErrorNames +- { dup .registererror /VMerror eq {exit} if +- } forall ++ { .registererror} forall + errordict begin + % The handlers for interrupt and timeout are special; there is no + % 'current object', so they push their own name. diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180920~8ed08cb.patch ghostscript-9.25~dfsg+1/debian/patches/020180920~8ed08cb.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180920~8ed08cb.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180920~8ed08cb.patch 2018-10-18 21:11:26.000000000 +0000 @@ -0,0 +1,56 @@ +Description: setundercolorremoval memory corruption + What is happening is that we are not properly reference counting + a structure. + . + For setblackgeneration and setundercolorremoval + we need to use a continuation procedure, + which samples the supplied PostScript function + and then stores the sample map. + . + As part of this we create an internal structure to hold the map, + and we make this the current undercolorremoval/blackgeneration entry + in the graphics state. + We *also* push a reference to it onto the exec stack, + so that the continuation procedure can use it from there. + However we don't increment the reference count. + . + When we execute the 'grestore' in the function + we reset the values in the graphics state, + and because the reference count is one + we count it down and then discard the structure. + . + When we then throw an error + we try to copy data off the exec stack into an array, + when we hit the reference to the freed strcuture + we potentially are pointing to invalid memory, + leading to a seg fault. + . + To fix this, + increment the reference count of the object + when we put it on the exec stack, + and decrement it when we remove it from the exec stack. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=8ed08cb +Author: Ken Sharp +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699797 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/psi/zcolor.c ++++ b/psi/zcolor.c +@@ -687,6 +687,7 @@ + ++esp; + make_struct(esp, imemory_space((gs_ref_memory_t *) pgs->memory), + pmap); ++ rc_increment(pmap); + push_op_estack(finish_proc); + push_op_estack(zfor_samples); + return o_push_estack; +@@ -699,6 +700,7 @@ + int i; + gx_transfer_map *pmap = r_ptr(esp, gx_transfer_map); + ++ rc_decrement_only(pmap, "zcolor_remap_one_store"); + if (ref_stack_count(&o_stack) < transfer_map_size) + return_error(gs_error_stackunderflow); + for (i = 0; i < transfer_map_size; i++) { diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180920~90e8f8d.patch ghostscript-9.25~dfsg+1/debian/patches/020180920~90e8f8d.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180920~90e8f8d.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180920~90e8f8d.patch 2018-10-18 21:13:45.000000000 +0000 @@ -0,0 +1,96 @@ +Description: copydevice fails after stack device copies invalidated + This isn't anything to do with .fill_identity_cmap. + A simpler example is: + . + .distillerdevice + nulldevice + copydevice + . + The problem is that when we execute nulldevice + we need to invalidate any copies, + stored on the operand stack, + of the device that was current before the nulldevice was installed. + . + We do that by setting the pdevice member of the device structure to NULL. + However the fact that a device can be invalidated + has clearly passed by a number of developers in the intervening years, + and a number of places in the code do check + the type of the operand is a device, + but they don't check to see if the device has been invalidated. + . + Add validation checks where required. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=90e8f8d +Author: Ken Sharp +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699796 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/psi/idisp.c ++++ b/psi/idisp.c +@@ -81,6 +81,10 @@ + * setting callback, then reopen it. + */ + check_read_type(op[-1], t_device); ++ if (op[-1].value.pdevice == NULL) ++ /* This can happen if we invalidated devices on the stack by calling nulldevice after they were pushed */ ++ return_error(gs_error_undefined); ++ + dev = op[-1].value.pdevice; + + was_open = dev->is_open; +--- a/psi/zdevice.c ++++ b/psi/zdevice.c +@@ -46,6 +46,10 @@ + + check_read_type(op[-1], t_device); + check_type(*op, t_boolean); ++ if (op[-1].value.pdevice == NULL) ++ /* This can happen if we invalidated devices on the stack by calling nulldevice after they were pushed */ ++ return_error(gs_error_undefined); ++ + code = gs_copydevice2(&new_dev, op[-1].value.pdevice, op->value.boolval, + imemory); + if (code < 0) +@@ -108,6 +112,10 @@ + const char *dname; + + check_read_type(*op, t_device); ++ if (op->value.pdevice == NULL) ++ /* This can happen if we invalidated devices on the stack by calling nulldevice after they were pushed */ ++ return_error(gs_error_undefined); ++ + dname = op->value.pdevice->dname; + make_const_string(op, avm_foreign | a_readonly, strlen(dname), + (const byte *)dname); +@@ -157,6 +165,10 @@ + + check_read_type(op[-7], t_device); + dev = op[-7].value.pdevice; ++ if (dev == NULL) ++ /* This can happen if we invalidated devices on the stack by calling nulldevice after they were pushed */ ++ return_error(gs_error_undefined); ++ + check_int_leu(op[-6], dev->width); + rect.p.x = op[-6].value.intval; + check_int_leu(op[-5], dev->height); +@@ -274,6 +286,9 @@ + } + rkeys = *op; + dev = op[-1].value.pdevice; ++ if (op[-1].value.pdevice == NULL) ++ /* This can happen if we invalidated devices on the stack by calling nulldevice after they were pushed */ ++ return_error(gs_error_undefined); + pop(1); + stack_param_list_write(&list, &o_stack, &rkeys, iimemory); + code = gs_get_device_or_hardware_params(dev, (gs_param_list *) & list, +@@ -440,6 +455,9 @@ + check_type_only(*prequire_all, t_boolean); + check_write_type_only(*pdev, t_device); + dev = pdev->value.pdevice; ++ if (dev == NULL) ++ /* This can happen if we invalidated devices on the stack by calling nulldevice after they were pushed */ ++ return_error(gs_error_undefined); + code = stack_param_list_read(&list, &o_stack, 0, ppolicy, + prequire_all->value.boolval, iimemory); + if (code < 0) diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180920~b0222e5.patch ghostscript-9.25~dfsg+1/debian/patches/020180920~b0222e5.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180920~b0222e5.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180920~b0222e5.patch 2018-10-18 10:38:21.000000000 +0000 @@ -0,0 +1,50 @@ +Description: add operand checking to .setnativefontmapbuilt + .setnativefontmapbuilt .forceputs a value into systemdict - + it is intended to be a boolean, + but in this case was being called with a compound object (a dictionary). + Such an object, in local VM, being forced into systemdict + would then confuse the garbager, + since it could be restored away with the reference remaining. + . + This adds operand checking, + so .setnativefontmapbuilt will simply ignore + anything other than a boolean value, + and also removes the definition of .setnativefontmapbuilt after use, + since it is only used in two, closely related places. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=b0222e5 +Author: Chris Liddell +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699795 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_fonts.ps ++++ b/Resource/Init/gs_fonts.ps +@@ -372,9 +372,13 @@ + % of strings: what the system thinks is the ps name, + % and the access path. + /.setnativefontmapbuilt { % set whether we've been run +- systemdict exch /.nativefontmapbuilt exch .forceput ++ dup type /booleantype eq { ++ systemdict exch /.nativefontmapbuilt exch .forceput ++ } ++ {pop} ++ ifelse + } .bind executeonly def +-systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt ++systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec + /.buildnativefontmap { % - .buildnativefontmap + systemdict /.nativefontmapbuilt .knownget not + { //false} if +@@ -415,9 +419,10 @@ + } forall + } if + % record that we've been run +- //true .setnativefontmapbuilt ++ //true //.setnativefontmapbuilt exec + } ifelse + } bind def ++currentdict /.setnativefontmapbuilt .forceundef + + % Create the dictionary that registers the .buildfont procedure + % (called by definefont) for each FontType. diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180921~2118711.patch ghostscript-9.25~dfsg+1/debian/patches/020180921~2118711.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180921~2118711.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180921~2118711.patch 2018-10-18 21:14:22.000000000 +0000 @@ -0,0 +1,20 @@ +Description: add object type check for AES key + Make sure the key string is a string. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=2118711 +Author: Chris Liddell +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699802 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/psi/zfaes.c ++++ b/psi/zfaes.c +@@ -45,7 +45,7 @@ + check_dict_read(*op); + if (dict_find_string(op, "Key", &sop) <= 0) + return_error(gs_error_rangecheck); +- ++ check_type(*sop, t_string); + s_aes_set_key(&state, sop->value.const_bytes, r_size(sop)); + + /* extract the padding flag, which defaults to true for compatibility */ diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180921~379be67.patch ghostscript-9.25~dfsg+1/debian/patches/020180921~379be67.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180921~379be67.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180921~379be67.patch 2018-10-18 21:15:13.000000000 +0000 @@ -0,0 +1,24 @@ +Description: Add parameter type checking on .bigstring + If the parameter is not an integer, this would leave 65400 on the stack. + Also, if there is no argument, signal stackunderflow. + Seen with the PS sequence of bug 699794. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=379be67 +Author: Ray Johnston +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699794 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_ll3.ps ++++ b/Resource/Init/gs_ll3.ps +@@ -146,6 +146,10 @@ + } bind def + + /.bigstring { % .bigstring ++ count 1 lt { /.bigstring /stackunderflow signalerror } if ++ dup type /integertype ne { ++ /.bigstring /typecheck signalerror ++ } if + dup 65400 gt { .bytestring } { string } ifelse + } bind def + diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180921~7ee525f.patch ghostscript-9.25~dfsg+1/debian/patches/020180921~7ee525f.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180921~7ee525f.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180921~7ee525f.patch 2018-10-18 21:16:33.000000000 +0000 @@ -0,0 +1,28 @@ +Description: zparse_dsc_comments can crash with invalid dsc_state + Although zparse_dsc_comments() does check the types of its operands, + it wasn't checking the return value from dict_find_string properly. + It was effectively assuming + that the dictionary parameter was the *correct* dictionary + and would contain the key/value pair it needed. + . + Here we check to see if the key has not been found + and throw an error if so. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=7ee525f +Author: Ken Sharp +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699801 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/psi/zdscpars.c ++++ b/psi/zdscpars.c +@@ -457,6 +457,9 @@ + code = dict_find_string(opDict, dsc_dict_name, &pvalue); + if (code < 0) + return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ + dsc_state = r_ptr(pvalue, dsc_data_t); + /* + * Pick up the comment string to be parsed. diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180921~95aa78b.patch ghostscript-9.25~dfsg+1/debian/patches/020180921~95aa78b.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180921~95aa78b.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180921~95aa78b.patch 2018-10-18 20:10:54.000000000 +0000 @@ -0,0 +1,89 @@ +Description: Catch errors in setpagesize, .setpagesize and setpagedevice and cleanup + Bug 699794 showed that attempt to change page size in SAFER mode + when the nulldevice was the currentdevice + would leave 'false' on the stack. + Run .setdevice in stopped and clean up, + and also clean up .setpagesize +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=95aa78b +Author: Ray Johnston +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699794 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_lev2.ps ++++ b/Resource/Init/gs_lev2.ps +@@ -610,7 +610,14 @@ + .dicttomark setpagedevice + /WaitTimeout exch mark /JobTimeout 5 2 roll .dicttomark setsystemparams + } bind def +-/.setpagesize { 2 array astore /PageSize .dict1 setpagedevice } bind def ++/.setpagesize ++ { 2 copy 2 array astore /PageSize .dict1 { setpagedevice } stopped { ++ pop % the setpagedevice dict ++ /setpagesize $error /errorname get signalerror ++ } { ++ pop pop % success -- pop the arguments ++ } ifelse ++ } bind def + /setduplexmode { /Duplex .dict1 setpagedevice } bind def + /setmargins + { exch 2 array astore /Margins .dict1 setpagedevice +--- a/Resource/Init/gs_setpd.ps ++++ b/Resource/Init/gs_setpd.ps +@@ -919,10 +919,15 @@ + % Stack: mark ... + SETPDDEBUG { (Installing.) = pstack flush } if + +- pop ++ pop + % .setdevice clears the current page device! + .currentpagedevice pop exch +- .setdevice pop ++ { .setdevice } stopped { ++ cleartomark exch pop ++ /setpagedevice $error /errorname get ++ signalerror ++ } if ++ pop + .setpagedevice + + % Implement UseCIEColor directly if this is a LL3 system. +--- a/Resource/Init/gs_statd.ps ++++ b/Resource/Init/gs_statd.ps +@@ -39,7 +39,13 @@ + % These procedures are also accessed as data structures during initialization, + % so the page dimensions must be the first two elements of the procedure. + +-/.setpagesize { /statusdict .systemvar begin .setpagesize end } bind def ++/.setpagesize { ++ /statusdict .systemvar begin ++ { .setpagesize } stopped { ++ /setpagesize $error /errorname get signalerror ++ } if ++ end ++} bind def + + % Page sizes defined by Adobe documentation + % Note: these executable arrays should all begin with two +@@ -261,9 +267,17 @@ + % The Adobe documentation only defines setpagetype + % (a Level 1 operator) as accepting the values 0 and 1, + % so we do too. +- {/letter /note} 1 index get +- //systemdict /userdict get exch get cvx exec +- /pagetype exch def ++ dup type /integertype ne { ++ /setpage /typecheck signalerror ++ } { ++ dup 0 ne 1 index 1 ne or { ++ /setpage /rangecheck signalerror ++ } { ++ {/letter /note} 1 index get ++ //systemdict /userdict get exch get cvx exec ++ } ifelse ++ /pagetype exch def ++ } ifelse + end + } bind def + diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180921~9d6ac20.patch ghostscript-9.25~dfsg+1/debian/patches/020180921~9d6ac20.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180921~9d6ac20.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180921~9d6ac20.patch 2018-10-18 21:18:04.000000000 +0000 @@ -0,0 +1,188 @@ +Description: Catch errors and cleanup stack on statusdict page size definitions + This was also found with the sequence from Bug 699794, + if .setpagesize fails, + we need to clean up the two integers (page width, height) + then signal the error. + Since some definitions "load" another (e.g. b5 loads isob5) + the command name in the error won't be correct for those, + but it will be close. + If anybody cares, we could fix it. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=9d6ac20 +Author: Ray Johnston +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699794 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_statd.ps ++++ b/Resource/Init/gs_statd.ps +@@ -50,15 +50,15 @@ + % Page sizes defined by Adobe documentation + % Note: these executable arrays should all begin with two + % integers which are the width and height (see gs_setpd.ps). +- /11x17 {792 1224 //.setpagesize exec} bind def % 11x17 portrait +- /a3 {842 1191 //.setpagesize exec} bind def +- /a4 {595 842 //.setpagesize exec} bind def ++ /11x17 {792 1224 //.setpagesize stopped { pop pop /11x17 $error /errorname get signalerror } if } bind def % 11x17 portrait ++ /a3 {842 1191 //.setpagesize stopped { pop pop /a3 $error /errorname get signalerror } if } bind def ++ /a4 {595 842 //.setpagesize stopped { pop pop /a4 $error /errorname get signalerror } if } bind def + % a4small should be a4 with an ImagingBBox of [25 25 570 817]. + /a4small /a4 load def + % b5 see below. +- /ledger {1224 792 //.setpagesize exec} bind def % 11x17 landscape +- /legal {612 1008 //.setpagesize exec} bind def +- /letter {612 792 //.setpagesize exec} bind def ++ /ledger {1224 792 //.setpagesize stopped { pop pop /ledger $error /errorname get signalerror } if } bind def % 11x17 landscape ++ /legal {612 1008 //.setpagesize stopped { pop pop /legal $error /errorname get signalerror } if } bind def ++ /letter {612 792 //.setpagesize stopped { pop pop /letter $error /errorname get signalerror } if } bind def + % lettersmall should be letter with an ImagingBBox of [25 25 587 767]. + /lettersmall /letter load def + % note should be letter (or some other size) with the ImagingBBox +@@ -68,68 +68,68 @@ + + % Other page sizes + % ISO standard paper sizes +- /a0 {2384 3370 //.setpagesize exec} bind def +- /a1 {1684 2384 //.setpagesize exec} bind def +- /a2 {1191 1684 //.setpagesize exec} bind def +-% /a3 {842 1191 //.setpagesize exec} bind def % defined by Adobe +-% /a4 {595 842 //.setpagesize exec} bind def % defined by Adobe +- /a5 {420 595 //.setpagesize exec} bind def +- /a6 {297 420 //.setpagesize exec} bind def +- /a7 {210 297 //.setpagesize exec} bind def +- /a8 {148 210 //.setpagesize exec} bind def +- /a9 {105 148 //.setpagesize exec} bind def +- /a10 {73 105 //.setpagesize exec} bind def ++ /a0 {2384 3370 //.setpagesize stopped { pop pop /a0 $error /errorname get signalerror } if } bind def ++ /a1 {1684 2384 //.setpagesize stopped { pop pop /a1 $error /errorname get signalerror } if } bind def ++ /a2 {1191 1684 //.setpagesize stopped { pop pop /a2 $error /errorname get signalerror } if } bind def ++% /a3 {842 1191 //.setpagesize stopped { pop pop /a3 $error /errorname get signalerror } if } bind def % defined by Adobe ++% /a4 {595 842 //.setpagesize stopped { pop pop /a4 $error /errorname get signalerror } if } bind def % defined by Adobe ++ /a5 {420 595 //.setpagesize stopped { pop pop /a5 $error /errorname get signalerror } if } bind def ++ /a6 {297 420 //.setpagesize stopped { pop pop /a6 $error /errorname get signalerror } if } bind def ++ /a7 {210 297 //.setpagesize stopped { pop pop /a7 $error /errorname get signalerror } if } bind def ++ /a8 {148 210 //.setpagesize stopped { pop pop /a8 $error /errorname get signalerror } if } bind def ++ /a9 {105 148 //.setpagesize stopped { pop pop /a9 $error /errorname get signalerror } if } bind def ++ /a10 {73 105 //.setpagesize stopped { pop pop /a10 $error /errorname get signalerror } if } bind def + % ISO and JIS B sizes are different.... +- /isob0 {2835 4008 //.setpagesize exec} bind def ++ /isob0 {2835 4008 //.setpagesize stopped { pop pop /isob0 $error /errorname get signalerror } if } bind def + /b0 /isob0 load def +- /isob1 {2004 2835 //.setpagesize exec} bind def ++ /isob1 {2004 2835 //.setpagesize stopped { pop pop /isob1 $error /errorname get signalerror } if } bind def + /b1 /isob1 load def +- /isob2 {1417 2004 //.setpagesize exec} bind def ++ /isob2 {1417 2004 //.setpagesize stopped { pop pop /isob2 $error /errorname get signalerror } if } bind def + /b2 /isob2 load def +- /isob3 {1001 1417 //.setpagesize exec} bind def ++ /isob3 {1001 1417 //.setpagesize stopped { pop pop /isob3 $error /errorname get signalerror } if } bind def + /b3 /isob3 load def +- /isob4 {709 1001 //.setpagesize exec} bind def ++ /isob4 {709 1001 //.setpagesize stopped { pop pop /isob4 $error /errorname get signalerror } if } bind def + /b4 /isob4 load def +- /isob5 {499 709 //.setpagesize exec} bind def ++ /isob5 {499 709 //.setpagesize stopped { pop pop /isob5 $error /errorname get signalerror } if } bind def + /b5 /isob5 load def +- /isob6 {354 499 //.setpagesize exec} bind def ++ /isob6 {354 499 //.setpagesize stopped { pop pop /isob6 $error /errorname get signalerror } if } bind def + /b6 /isob6 load def +- /jisb0 {2920 4127 //.setpagesize exec} bind def +- /jisb1 {2064 2920 //.setpagesize exec} bind def +- /jisb2 {1460 2064 //.setpagesize exec} bind def +- /jisb3 {1032 1460 //.setpagesize exec} bind def +- /jisb4 {729 1032 //.setpagesize exec} bind def +- /jisb5 {516 729 //.setpagesize exec} bind def +- /jisb6 {363 516 //.setpagesize exec} bind def +- /c0 {2599 3677 //.setpagesize exec} bind def +- /c1 {1837 2599 //.setpagesize exec} bind def +- /c2 {1298 1837 //.setpagesize exec} bind def +- /c3 {918 1298 //.setpagesize exec} bind def +- /c4 {649 918 //.setpagesize exec} bind def +- /c5 {459 649 //.setpagesize exec} bind def +- /c6 {323 459 //.setpagesize exec} bind def ++ /jisb0 {2920 4127 //.setpagesize stopped { pop pop /jisb0 $error /errorname get signalerror } if } bind def ++ /jisb1 {2064 2920 //.setpagesize stopped { pop pop /jisb1 $error /errorname get signalerror } if } bind def ++ /jisb2 {1460 2064 //.setpagesize stopped { pop pop /jisb2 $error /errorname get signalerror } if } bind def ++ /jisb3 {1032 1460 //.setpagesize stopped { pop pop /jisb3 $error /errorname get signalerror } if } bind def ++ /jisb4 {729 1032 //.setpagesize stopped { pop pop /jisb4 $error /errorname get signalerror } if } bind def ++ /jisb5 {516 729 //.setpagesize stopped { pop pop /jisb5 $error /errorname get signalerror } if } bind def ++ /jisb6 {363 516 //.setpagesize stopped { pop pop /jisb6 $error /errorname get signalerror } if } bind def ++ /c0 {2599 3677 //.setpagesize stopped { pop pop /c0 $error /errorname get signalerror } if } bind def ++ /c1 {1837 2599 //.setpagesize stopped { pop pop /c1 $error /errorname get signalerror } if } bind def ++ /c2 {1298 1837 //.setpagesize stopped { pop pop /c2 $error /errorname get signalerror } if } bind def ++ /c3 {918 1298 //.setpagesize stopped { pop pop /c3 $error /errorname get signalerror } if } bind def ++ /c4 {649 918 //.setpagesize stopped { pop pop /c4 $error /errorname get signalerror } if } bind def ++ /c5 {459 649 //.setpagesize stopped { pop pop /c5 $error /errorname get signalerror } if } bind def ++ /c6 {323 459 //.setpagesize stopped { pop pop /c6 $error /errorname get signalerror } if } bind def + % U.S. CAD standard paper sizes +- /archE {2592 3456 //.setpagesize exec} bind def +- /archD {1728 2592 //.setpagesize exec} bind def +- /archC {1296 1728 //.setpagesize exec} bind def +- /archB {864 1296 //.setpagesize exec} bind def +- /archA {648 864 //.setpagesize exec} bind def ++ /archE {2592 3456 //.setpagesize stopped { pop pop /archE $error /errorname get signalerror } if } bind def ++ /archD {1728 2592 //.setpagesize stopped { pop pop /archD $error /errorname get signalerror } if } bind def ++ /archC {1296 1728 //.setpagesize stopped { pop pop /archC $error /errorname get signalerror } if } bind def ++ /archB {864 1296 //.setpagesize stopped { pop pop /archB $error /errorname get signalerror } if } bind def ++ /archA {648 864 //.setpagesize stopped { pop pop /archA $error /errorname get signalerror } if } bind def + % Other paper sizes +- /flsa {612 936 //.setpagesize exec} bind def % U.S. foolscap +- /flse {612 936 //.setpagesize exec} bind def % European foolscap +- /halfletter {396 612 //.setpagesize exec} bind def ++ /flsa {612 936 //.setpagesize stopped { pop pop /flsa $error /errorname get signalerror } if } bind def % U.S. foolscap ++ /flse {612 936 //.setpagesize stopped { pop pop /flse $error /errorname get signalerror } if } bind def % European foolscap ++ /halfletter {396 612 //.setpagesize stopped { pop pop /halfletter $error /errorname get signalerror } if } bind def + % minimum of a4 and letter (a4 width, letter length) +- /pa4 {595 792 //.setpagesize exec} bind def ++ /pa4 {595 792 //.setpagesize stopped { pop pop /pa4 $error /errorname get signalerror } if } bind def + % Japanese postcard size, 100mm x 148mm +- /hagaki {283 420 //.setpagesize exec} bind def ++ /hagaki {283 420 //.setpagesize stopped { pop pop /hagaki $error /errorname get signalerror } if } bind def + % U.S. ANSI/ASME Y14.1 paper sizes + /ANSI_A //letter def + /ANSI_B //11x17 def + /tabloid //11x17 def +- /ANSI_C {1224 1585 //.setpagesize exec} bind def +- /ANSI_D {1585 2448 //.setpagesize exec} bind def +- /ANSI_E {2448 3168 //.setpagesize exec} bind def +- /ANSI_F {2016 2880 //.setpagesize exec} bind def ++ /ANSI_C {1224 1585 //.setpagesize stopped { pop pop /ANSI_C $error /errorname get signalerror } if } bind def ++ /ANSI_D {1585 2448 //.setpagesize stopped { pop pop /ANSI_D $error /errorname get signalerror } if } bind def ++ /ANSI_E {2448 3168 //.setpagesize stopped { pop pop /ANSI_E $error /errorname get signalerror } if } bind def ++ /ANSI_F {2016 2880 //.setpagesize stopped { pop pop /ANSI_F $error /errorname get signalerror } if } bind def + %END SIZES + currentdict end + dup /.setpagesize .undef +@@ -164,19 +164,19 @@ + + % Tray and format selection + +- /11x17tray {/11x17 .uservar exec} bind def +- /a3tray {/a3 .uservar exec} bind def +- /a4tray {/a4 .uservar exec} bind def +- /a5tray {/a5 .uservar exec} bind def +- /a6tray {/a6 .uservar exec} bind def +- /b4tray {/b4 .uservar exec} bind def +- /b5tray {/b5 .uservar exec} bind def +- /flsatray {/flsa .uservar exec} bind def +- /flsetray {/flse .uservar exec} bind def +- /halflettertray {/halfletter .uservar exec} bind def +- /ledgertray {/ledger .uservar exec} bind def +- /legaltray {/legal .uservar exec} bind def +- /lettertray {/letter .uservar exec} bind def ++ /11x17tray {/11x17 .uservar stopped { pop pop /11x17tray $error /errorname get signalerror } if } bind def ++ /a3tray {/a3 .uservar stopped { pop pop /a3tray $error /errorname get signalerror } if } bind def ++ /a4tray {/a4 .uservar stopped { pop pop /a4tray $error /errorname get signalerror } if } bind def ++ /a5tray {/a5 .uservar stopped { pop pop /a5tray $error /errorname get signalerror } if } bind def ++ /a6tray {/a6 .uservar stopped { pop pop /a6tray $error /errorname get signalerror } if } bind def ++ /b4tray {/b4 .uservar stopped { pop pop /b4tray $error /errorname get signalerror } if } bind def ++ /b5tray {/b5 .uservar stopped { pop pop /b5tray $error /errorname get signalerror } if } bind def ++ /flsatray {/flsa .uservar stopped { pop pop /flsatray $error /errorname get signalerror } if } bind def ++ /flsetray {/flse .uservar stopped { pop pop /flsetray $error /errorname get signalerror } if } bind def ++ /halflettertray {/halfletter .uservar stopped { pop pop /halflettertray $error /errorname get signalerror } if } bind def ++ /ledgertray {/ledger .uservar stopped { pop pop /ledgertray $error /errorname get signalerror } if } bind def ++ /legaltray {/legal .uservar stopped { pop pop /legaltray $error /errorname get signalerror } if } bind def ++ /lettertray {/letter .uservar stopped { pop pop /lettertray $error /errorname get signalerror } if } bind def + + % Per-job parameters + diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180921~c29ec2f.patch ghostscript-9.25~dfsg+1/debian/patches/020180921~c29ec2f.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180921~c29ec2f.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180921~c29ec2f.patch 2018-10-18 21:18:49.000000000 +0000 @@ -0,0 +1,27 @@ +Description: Add parameter checking in setresolution + Found in sequence for bug 699794 +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=c29ec2f +Author: Ray Johnston +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699794 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_lev2.ps ++++ b/Resource/Init/gs_lev2.ps +@@ -631,7 +631,14 @@ + .dicttomark setpagedevice + } bind def + /setresolution +- { dup 2 array astore /HWResolution .dict1 setpagedevice ++ { count 1 lt { /setresolution /stackunderflow signalerror } if ++ dup type dup /integertype eq exch /realtype eq or not ++ { ++ /setresolution /typecheck signalerror ++ } if ++ dup 2 array astore /HWResolution .dict1 { setpagedevice } stopped { ++ pop /setresolution $error /errorname get signalerror ++ } if + } bind def + %END PAGEDEVICE + diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180921~db606d2.patch ghostscript-9.25~dfsg+1/debian/patches/020180921~db606d2.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180921~db606d2.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180921~db606d2.patch 2018-10-18 21:20:23.000000000 +0000 @@ -0,0 +1,46 @@ +Description: device subclass open_device call must return child code + Even with changes to detect and clean up + from errors in setpagedevice (b5) and .bigstring, + the segfault was still possible + because the error return code from the child was being ignored, + and the device is_open was set true + when the child device was NOT open. + Attempt to 'fillpage' on a clist device that is not open + is what caused the SEGV. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=db606d2 +Author: Ray Johnston +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699794 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/base/gdevsclass.c ++++ b/base/gdevsclass.c +@@ -99,13 +99,21 @@ + */ + int default_subclass_open_device(gx_device *dev) + { +- if (dev->child) { +- dev_proc(dev->child, open_device)(dev->child); +- dev->child->is_open = true; +- gx_update_from_subclass(dev); +- } ++ int code = 0; + +- return 0; ++ /* observed with Bug 699794, don't set is_open = true if the open_device failed */ ++ /* and make sure to propagate the return code from the child device to caller. */ ++ /* Only open the child if it was closed and if child open is OK, return 1. */ ++ /* (see gs_opendevice) */ ++ if (dev->child && dev->child->is_open == 0) { ++ code = dev_proc(dev->child, open_device)(dev->child); ++ if (code >= 0) { ++ dev->child->is_open = true; ++ code = 1; /* device had been closed, but now is open */ ++ } ++ gx_update_from_subclass(dev); /* this is probably safe to do even if the open failed */ ++ } ++ return code; + } + + void default_subclass_get_initial_matrix(gx_device *dev, gs_matrix *pmat) diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180921~f31702b.patch ghostscript-9.25~dfsg+1/debian/patches/020180921~f31702b.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180921~f31702b.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180921~f31702b.patch 2018-10-18 20:50:13.000000000 +0000 @@ -0,0 +1,196 @@ +Description: fix DSC comment parsing in pdfwrite + This may affect other DSC parsing utilities. + For some reason double comment (%%) marks are being interpreted + 'sometimes' in gs_init.ps as DSC comments. + This only happens when reading the init files from disk + because the ROM file system strips comments. + . + Passing these to pdfwrite causes it to drop later DSC comments, + such as %%Title: and %%Creator: + which meant the information wasn't being embedded + in the document information dictionary. + . + Fix by converting double %% to single % comments, + document this in the header of gs_init.ps. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=f31702b +Author: Ken Sharp +Forwarded: yes +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -20,6 +20,11 @@ + % %% Replace + % indicate places where the next lines should be replaced by + % the contents of , when creating a single merged init file. ++% ++% For reasons not clear to me, some cases of %% are being treated as ++% DSC comments when (and only when) the resource files are disk based ++% This can kill DSC parsing for pdfwrite at least, so avoid using ++% double % comments in this file. + + % The interpreter can call out to PostScript code. All procedures + % called in this way, and no other procedures defined in these +@@ -136,12 +141,12 @@ + ifelse + .bind def + +-%% This was a debugging switch removed in 9.22, no other software +-%% should have had any regard for it, and even if testing its value +-%% should have checked its existence first. However pstotext, an +-%% ancient and no longer maintained piece of softare, did check +-%% its value unconditionally. So we retain this key in the dictionary +-%% purely for backward compatibility. ++% This was a debugging switch removed in 9.22, no other software ++% should have had any regard for it, and even if testing its value ++% should have checked its existence first. However pstotext, an ++% ancient and no longer maintained piece of softare, did check ++% its value unconditionally. So we retain this key in the dictionary ++% purely for backward compatibility. + /NOBIND false def + + currentdict /BATCH known /BATCH exch def +@@ -2082,12 +2087,12 @@ + //SAFETY /safe //true .forceput % overrides readonly + } .bind executeonly odef + +-%% This is only used during startup. Its required so that +-%% we can detect in setpagdevice that we are in fact in startup +-%% and allocate a *global* instead of local VM. We need it to be +-%% global to satisfy Display PostScript (see start of /setpagdevice +-%% in gs_setpd.ps) +-%% ++% This is only used during startup. Its required so that ++% we can detect in setpagdevice that we are in fact in startup ++% and allocate a *global* instead of local VM. We need it to be ++% global to satisfy Display PostScript (see start of /setpagdevice ++% in gs_setpd.ps) ++% + /.locksafeglobal { + .locksafe_userparams + systemdict /getenv {pop //false} put +@@ -2116,8 +2121,8 @@ + .locksafe + } .bind executeonly odef + +-%% See /.locksafeglobal above. +-%% ++% See /.locksafeglobal above. ++% + /.setsafeglobal { + SAFETY /safe get not { + << +@@ -2155,22 +2160,22 @@ + + /UndefinePostScriptOperators { + +- %% This list is of Display PostScript operators. We believe that Display PostScript +- %% was never fully implemented and the only known user, GNUStep, is no longer +- %% using it. So lets remove it. ++ % This list is of Display PostScript operators. We believe that Display PostScript ++ % was never fully implemented and the only known user, GNUStep, is no longer ++ % using it. So lets remove it. + [ + /condition /currentcontext /detach /.fork /join /.localfork /lock /monitor /notify + /wait /yield /.currentscreenphase /.setscreenphase /.image2 /eoviewclip /initviewclip + /viewclip /viewclippath /defineusername +- %% NeXT DPS extensions ++ % NeXT DPS extensions + /currentalpha /setalpha /.alphaimage /composite /compositerect /dissolve /sizeimagebox /.sizeimageparams + ] + {systemdict exch .forceundef} forall + +- %% This list is of operators which no longer appear to be used, and which we do not believe +- %% to have any real use. For now we will undefine the operstors so they cannot easily be used +- %% but can be easily restored (just delete the name from the list in the array). In future +- %% we may remove the operator and the code implementation entirely. ++ % This list is of operators which no longer appear to be used, and which we do not believe ++ % to have any real use. For now we will undefine the operstors so they cannot easily be used ++ % but can be easily restored (just delete the name from the list in the array). In future ++ % we may remove the operator and the code implementation entirely. + [ + /.bitadd /.charboxpath /.cond /.countexecstack /.execstack /.runandhide /.popdevicefilter + /.execfile /.filenamesplit /.file_name_parent +@@ -2179,15 +2184,15 @@ + /.currentlimitclamp /.dotorientation /.setaccuratecurves /.setcurvejoin /.setdashadapt /.setdotorientation + /.setlimitclamp /.currentscreenlevels /.dashpath /.pathbbox /.identeq /.identne /.tokenexec /.forgetsave /.pantonecallback + +- %% Used by our own test suite files +- %%/.setdotlength % Bug687720.ps ++ % Used by our own test suite files ++ %/.setdotlength % Bug687720.ps + ] + {systemdict exch .forceundef} forall + +- %% This list of operators are used internally by various parts of the Ghostscript startup code. +- %% Since each operator is a potential security vulnerability, and any operator listed here +- %% is not required once the initialisation is complete and functions are bound, we undefine +- %% the ones that aren't needed at runtime. ++ % This list of operators are used internally by various parts of the Ghostscript startup code. ++ % Since each operator is a potential security vulnerability, and any operator listed here ++ % is not required once the initialisation is complete and functions are bound, we undefine ++ % the ones that aren't needed at runtime. + [ + /.callinstall /.callbeginpage /.callendpage + /.currentstackprotect /.setstackprotect /.errorexec /.finderrorobject /.installsystemnames /.bosobject /.fontbbox +@@ -2242,12 +2247,12 @@ + } .bind executeonly def % must be bound and hidden for .forceundef + + /UndefinePDFOperators { +- %% This list of operators are used internally by various parts of the Ghostscript PDF interpreter. +- %% Since each operator is a potential security vulnerability, and any operator listed here +- %% is not required once the initislisation is complete and functions are bound, we undefine +- %% the ones that aren't needed at runtime. +- %% This function is only called if DELAYBIND is true. It is a copy of the code at the end of pdf_main.ps +- %% and must be maintained in parallel with it. ++ % This list of operators are used internally by various parts of the Ghostscript PDF interpreter. ++ % Since each operator is a potential security vulnerability, and any operator listed here ++ % is not required once the initislisation is complete and functions are bound, we undefine ++ % the ones that aren't needed at runtime. ++ % This function is only called if DELAYBIND is true. It is a copy of the code at the end of pdf_main.ps ++ % and must be maintained in parallel with it. + [ + /.pdfawidthshow /.pdfwidthshow /.currentblackptcomp /.setblackptcomp + /.setfillcolor /.setfillcolorspace /.setstrokecolor /.setstrokecolorspace /.currentrenderingintent /.setrenderingintent +@@ -2356,13 +2361,13 @@ + + (END GLOBAL) VMDEBUG + +-%% .savelocalstate is part of Display PostScript (if included). Part of the function of +-%% the .savelocalstate routine is to store the 'initial saved gstate' (savedinitialgstate) +-%% in systemdict. The code in dps1.c, gstate_check_space, disallows writing or creating +-%% gstates in global VM in certain conditions. If we execute setpagedevice before we +-%% reach this point, we must ensure that we do so using /..StartupGlobal so that +-%% the dictionary is defined in global VM, because the gstate contains a pointer to the +-%% device dictionary, and if that is allocated in local VM we will fail the gstate check. ++% .savelocalstate is part of Display PostScript (if included). Part of the function of ++% the .savelocalstate routine is to store the 'initial saved gstate' (savedinitialgstate) ++% in systemdict. The code in dps1.c, gstate_check_space, disallows writing or creating ++% gstates in global VM in certain conditions. If we execute setpagedevice before we ++% reach this point, we must ensure that we do so using /..StartupGlobal so that ++% the dictionary is defined in global VM, because the gstate contains a pointer to the ++% device dictionary, and if that is allocated in local VM we will fail the gstate check. + /.savelocalstate where { + % If we might create new contexts, save away copies of all dictionaries + % referenced from systemdict that are stored in local VM, +@@ -2397,8 +2402,8 @@ + currentdict /.wheredict .undef + currentdict /.renderingintentdict .undef + +-%% If we are using DELAYBIND we have to defer the undefinition +-%% until .bindnow. ++% If we are using DELAYBIND we have to defer the undefinition ++% until .bindnow. + DELAYBIND not { + SAFER { + //systemdict /SAFERUndefinePostScriptOperators get exec +@@ -2426,7 +2431,7 @@ + systemdict /superexec .undef + } if + +-%% Can't remove this one until the last minute :-) ++% Can't remove this one until the last minute :-) + DELAYBIND not { + systemdict /.undef .undef + } if diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180921~fac7eb1.patch ghostscript-9.25~dfsg+1/debian/patches/020180921~fac7eb1.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180921~fac7eb1.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180921~fac7eb1.patch 2018-10-18 21:22:00.000000000 +0000 @@ -0,0 +1,335 @@ +Description: Check all uses of dict_find* to ensure 0 return properly handled + dict_find and friends have the surprising quirk + of returning < 0 for an error and > 0 for no error. + But they can also return 0 + which means 'not found' without it being an error. + . + From bug 699801, + if the code assumes the usual case where 0 is a success + then an attempt might be made to use the empty dictionary slot + returned by dict_find*, + which can lead to seg faults, + and certainly won't have the expected result. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=fac7eb1 +Author: Ken Sharp +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699801 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/psi/icontext.c ++++ b/psi/icontext.c +@@ -162,7 +162,7 @@ + uint size; + ref *system_dict = &pcst->dict_stack.system_dict; + +- if (dict_find_string(system_dict, "userparams", &puserparams) >= 0) ++ if (dict_find_string(system_dict, "userparams", &puserparams) > 0) + size = dict_length(puserparams); + else + size = 300; +@@ -286,7 +286,7 @@ + /* We need i_ctx_p for access to the d_stack. */ + i_ctx_t *i_ctx_p = pcst; + +- if (dict_find_string(systemdict, "userparams", &puserparams) < 0) ++ if (dict_find_string(systemdict, "userparams", &puserparams) <= 0) + return_error(gs_error_Fatal); + pcst->userparams = *puserparams; + } +--- a/psi/zcid.c ++++ b/psi/zcid.c +@@ -72,11 +72,13 @@ + } else + return false; /* Must not happen. */ + for (;n--; i++) { ++ int code; ++ + if (array_get(mem, DecodingArray, i, &char_code1) < 0 || + !r_has_type(&char_code1, t_integer)) + return false; /* Must not happen. */ +- if (dict_find(TT_cmap, &char_code1, &glyph_index) >= 0 && +- r_has_type(glyph_index, t_integer)) { ++ code = dict_find(TT_cmap, &char_code1, &glyph_index); ++ if (code > 0 && r_has_type(glyph_index, t_integer)) { + *c = glyph_index->value.intval; + found = true; + if (*c != 0) +--- a/psi/zfapi.c ++++ b/psi/zfapi.c +@@ -1826,6 +1826,9 @@ + + if ((code = dict_find_string(systemdict, ".xlatmap", &pref)) < 0) + return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ + if (r_type(pref) != t_string) + return_error(gs_error_typecheck); + *xlatmap = (char *)pref->value.bytes; +@@ -1881,11 +1884,11 @@ + ref *FAPIconfig, *options, *server_options; + i_ctx_t *i_ctx_p = (i_ctx_t *) I->client_ctx_p; + +- if (dict_find_string(systemdict, ".FAPIconfig", &FAPIconfig) >= 0 ++ if (dict_find_string(systemdict, ".FAPIconfig", &FAPIconfig) > 0 + && r_has_type(FAPIconfig, t_dictionary)) { +- if (dict_find_string(FAPIconfig, "ServerOptions", &options) >= 0 ++ if (dict_find_string(FAPIconfig, "ServerOptions", &options) > 0 + && r_has_type(options, t_dictionary)) { +- if (dict_find_string(options, (char *)subtype, &server_options) >= ++ if (dict_find_string(options, (char *)subtype, &server_options) > + 0 && r_has_type(server_options, t_string)) { + *server_param = (byte *) server_options->value.const_bytes; + *server_param_size = r_size(server_options); +@@ -2070,7 +2073,7 @@ + pdata = (font_data *) pfont->client_data; + I = pbfont->FAPI; + +- if (dict_find_string((op - 1), "SubfontId", &v) >= 0 ++ if (dict_find_string((op - 1), "SubfontId", &v) > 0 + && r_has_type(v, t_integer)) + subfont = v->value.intval; + else +@@ -2277,8 +2280,8 @@ + if (pbfont->FontType == ft_CID_TrueType && font_file_path) { + ref *pdr2, *fidr, *dummy; + pdr2 = pfont_dict(gs_rootfont(igs)); +- if (dict_find_string(pdr2, "FontInfo", &fidr) && +- dict_find_string(fidr, "GlyphNames2Unicode", &dummy)) ++ if (dict_find_string(pdr2, "FontInfo", &fidr) > 0 && ++ dict_find_string(fidr, "GlyphNames2Unicode", &dummy) > 0) + { + unsigned char uc[4] = {0}; + unsigned int cc = 0; +@@ -2417,13 +2420,13 @@ + + fdict = pfont_dict(gs_rootfont(igs)); + code = dict_find_string(fdict, "CMap", &CMapDict); +- if (code >= 0 && r_has_type(CMapDict, t_dictionary)) { ++ if (code > 0 && r_has_type(CMapDict, t_dictionary)) { + code = dict_find_string(CMapDict, "WMode", &WMode); +- if (code >= 0 && r_has_type(WMode, t_integer)) { ++ if (code > 0 && r_has_type(WMode, t_integer)) { + wmode = WMode->value.intval; + } + code = dict_find_string(CMapDict, "CMapName", &CMapName); +- if (code >= 0 && r_has_type(CMapName, t_name)) { ++ if (code > 0 && r_has_type(CMapName, t_name)) { + name_string_ref(imemory, CMapName, &CMapNameStr); + cmapnm = (char *)CMapNameStr.value.bytes; + cmapnmlen = r_size(&CMapNameStr); +@@ -2432,10 +2435,10 @@ + /* We only have to lookup the char code if we're *not* using an identity ordering + with the exception of Identity-UTF16 which is a different beast altogether */ + if (unicode_cp || (cmapnmlen > 0 && !strncmp(cmapnm, utfcmap, cmapnmlen > utfcmaplen ? utfcmaplen : cmapnmlen)) +- || (dict_find_string(pdr, "CIDSystemInfo", &CIDSystemInfo) >= 0 ++ || (dict_find_string(pdr, "CIDSystemInfo", &CIDSystemInfo) > 0 + && r_has_type(CIDSystemInfo, t_dictionary) + && dict_find_string(CIDSystemInfo, "Ordering", +- &Ordering) >= 0 ++ &Ordering) > 0 + && r_has_type(Ordering, t_string) + && strncmp((const char *)Ordering->value.bytes, + "Identity", 8) != 0)) { +@@ -2463,7 +2466,7 @@ + ref cc32; + ref *gid; + make_int(&cc32, 32); +- if (dict_find(TT_cmap, &cc32, &gid) >= 0) ++ if (dict_find(TT_cmap, &cc32, &gid) > 0) + c = gid->value.intval; + } + cr->char_codes[0] = c; +@@ -2536,7 +2539,7 @@ + if (dict_find_string(pdr, "CharStrings", &CharStrings) <= 0 + || !r_has_type(CharStrings, t_dictionary)) + return_error(gs_error_invalidfont); +- if ((dict_find(CharStrings, &char_name, &glyph_index) < 0) ++ if ((dict_find(CharStrings, &char_name, &glyph_index) <= 0) + || r_has_type(glyph_index, t_null)) { + #ifdef DEBUG + ref *pvalue; +@@ -2955,7 +2958,7 @@ + if (code < 0) + return code; + +- if (dict_find_string(op, "SubfontId", &v) >= 0 ++ if (dict_find_string(op, "SubfontId", &v) > 0 + && r_has_type(v, t_integer)) + subfont = v->value.intval; + else +@@ -2968,7 +2971,7 @@ + /* If the font dictionary contains a FAPIPlugInReq key, the the PS world wants us + * to try to use a specific FAPI plugin, so find it, and try it.... + */ +- if (dict_find_string(op, "FAPIPlugInReq", &v) >= 0 && r_type(v) == t_name) { ++ if (dict_find_string(op, "FAPIPlugInReq", &v) > 0 && r_type(v) == t_name) { + + name_string_ref(imemory, v, &reqstr); + +--- a/psi/zfcid0.c ++++ b/psi/zfcid0.c +@@ -410,13 +410,25 @@ + * from a file, GlyphData will be an integer, and DataSource will be + * a (reusable) stream. + */ +- if (code < 0 || +- (code = cid_font_data_param(op, &common, &GlyphDirectory)) < 0 || +- (code = dict_find_string(op, "FDArray", &prfda)) < 0 || +- (code = dict_find_string(op, "CIDFontName", &pCIDFontName)) <= 0 || +- (code = dict_int_param(op, "FDBytes", 0, MAX_FDBytes, -1, &FDBytes)) < 0 +- ) ++ if (code < 0) + return code; ++ code = cid_font_data_param(op, &common, &GlyphDirectory); ++ if (code < 0) ++ return code; ++ code = dict_find_string(op, "FDArray", &prfda); ++ if (code < 0) ++ return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ code = dict_find_string(op, "CIDFontName", &pCIDFontName); ++ if (code < 0) ++ return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ code = dict_int_param(op, "FDBytes", 0, MAX_FDBytes, -1, &FDBytes); ++ if (code < 0) ++ return code; ++ + /* + * Since build_gs_simple_font may resize the dictionary and cause + * pointers to become invalid, save CIDFontName +@@ -426,17 +438,24 @@ + /* Standard CIDFont, require GlyphData and CIDMapOffset. */ + ref *pGlyphData; + +- if ((code = dict_find_string(op, "GlyphData", &pGlyphData)) < 0 || +- (code = dict_uint_param(op, "CIDMapOffset", 0, max_uint - 1, +- max_uint, &CIDMapOffset)) < 0) ++ code = dict_find_string(op, "GlyphData", &pGlyphData); ++ if (code < 0) ++ return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ code = dict_uint_param(op, "CIDMapOffset", 0, max_uint - 1, max_uint, &CIDMapOffset); ++ if (code < 0) + return code; + GlyphData = *pGlyphData; + if (r_has_type(&GlyphData, t_integer)) { + ref *pds; + stream *ignore_s; + +- if ((code = dict_find_string(op, "DataSource", &pds)) < 0) ++ code = dict_find_string(op, "DataSource", &pds); ++ if (code < 0) + return code; ++ if (code == 0) ++ return_error(gs_error_undefined); + check_read_file(i_ctx_p, ignore_s, pds); + DataSource = *pds; + } else { +--- a/psi/zfcid1.c ++++ b/psi/zfcid1.c +@@ -347,11 +347,17 @@ + ref rcidmap, ignore_gdir, file, *pfile, cfnstr, *pCIDFontName, CIDFontName, *t; + ulong loca_glyph_pos[2][2]; + int code = cid_font_data_param(op, &common, &ignore_gdir); ++ if (code < 0) ++ return code; + +- if (code < 0 || +- (code = dict_find_string(op, "CIDFontName", &pCIDFontName)) <= 0 || +- (code = dict_int_param(op, "MetricsCount", 0, 4, 0, &MetricsCount)) < 0 +- ) ++ code = dict_find_string(op, "CIDFontName", &pCIDFontName); ++ if (code <= 0) { ++ if (code == 0) ++ return_error(gs_error_undefined); ++ return code; ++ } ++ code = dict_int_param(op, "MetricsCount", 0, 4, 0, &MetricsCount); ++ if (code < 0) + return code; + /* + * Since build_gs_simple_font may resize the dictionary and cause +--- a/psi/zicc.c ++++ b/psi/zicc.c +@@ -261,6 +261,8 @@ + code = dict_find_string(op, "N", &pnval); + if (code < 0) + return code; ++ if (code == 0) ++ return_error(gs_error_undefined); + ncomps = pnval->value.intval; + + /* verify the DataSource entry. Creat profile from stream */ +@@ -491,6 +493,8 @@ + code = dict_find_string(op, "N", &pnval); + if (code < 0) + return code; ++ if (code == 0) ++ return_error(gs_error_undefined); + ncomps = pnval->value.intval; + /* verify the DataSource entry. Create profile from stream */ + if (dict_find_string(op, "DataSource", &pstrmval) <= 0) +--- a/psi/zpdf_r6.c ++++ b/psi/zpdf_r6.c +@@ -145,21 +145,36 @@ + return_error(gs_error_typecheck); + + code = dict_find_string(CryptDict, "O", &Oref); +- if (code < 0 || !r_has_type(Oref, t_string)) { ++ if (code < 0) ++ return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ if (!r_has_type(Oref, t_string)) + return_error(gs_error_typecheck); +- } ++ + code = dict_find_string(CryptDict, "OE", &OEref); +- if (code < 0 || !r_has_type(OEref, t_string)) { ++ if (code < 0) ++ return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ if (!r_has_type(OEref, t_string)) + return_error(gs_error_typecheck); +- } ++ + code = dict_find_string(CryptDict, "U", &Uref); +- if (code < 0 || !r_has_type(Uref, t_string)) { ++ if (code < 0) ++ return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ if (!r_has_type(Uref, t_string)) + return_error(gs_error_typecheck); +- } ++ + code = dict_find_string(CryptDict, "UE", &UEref); +- if (code < 0 || !r_has_type(UEref, t_string)) { ++ if (code < 0) ++ return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ if (!r_has_type(UEref, t_string)) + return_error(gs_error_typecheck); +- } + + pop(2); + op = osp; +--- a/psi/ztoken.c ++++ b/psi/ztoken.c +@@ -356,7 +356,7 @@ + int code = dict_find_string(upref, pnso->pname, &ppcproc); + + /* Update the options only if the parameter has changed. */ +- if (code >= 0) { ++ if (code > 0) { + if (r_has_type(ppcproc, t_null)) + options &= ~pnso->option; + else diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180923~863b370.patch ghostscript-9.25~dfsg+1/debian/patches/020180923~863b370.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180923~863b370.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180923~863b370.patch 2018-10-18 21:24:09.000000000 +0000 @@ -0,0 +1,44 @@ +Description: permit Mod and CreDate pdfmarks in PDF 2.0 in pdfwrite + Bug 699807 + "-dCompatibilityLevel=2.0` prevents all metadata from being set" + . + PDF 2.0 has deprecated The Document Info dictionary, + so we prevented pdfmarks from modifying the data in it, + as a prelude to removing it potentially + when later versions of the PDF spec are approved. + . + However, as the report says, + the Creation Date and Modification Date are still required + for documents with PieceInfo (only), + so for now we will permit those two values (only) to be set. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=863b370 +Author: Ken Sharp +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699807 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/devices/vector/gdevpdfm.c ++++ b/devices/vector/gdevpdfm.c +@@ -1970,9 +1970,6 @@ + int code = 0, i; + gs_memory_t *mem = pdev->pdf_memory; + +- if (pdev->CompatibilityLevel >= 2.0) +- return 0; +- + if (count & 1) + return_error(gs_error_rangecheck); + for (i = 0; code >= 0 && i < count; i += 2) { +@@ -1984,6 +1981,11 @@ + + vsize = 0x0badf00d; /* Quiet compiler. */ + ++ if (pdev->CompatibilityLevel >= 2.0) { ++ if (!pdf_key_eq(pairs + i, "/ModDate") && !pdf_key_eq(pairs + i, "/CreationDate")) ++ continue; ++ } ++ + if (pdev->PDFA !=0) { + const gs_param_string *p = pairs + i + 1; + if (p->size > 9 && memcmp(p->data, "(\\376\\377", 9) == 0) { diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180925~0bfd539.patch ghostscript-9.25~dfsg+1/debian/patches/020180925~0bfd539.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180925~0bfd539.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180925~0bfd539.patch 2018-10-18 21:25:00.000000000 +0000 @@ -0,0 +1,21 @@ +Description: Avoid overrunning non terminated string buffer. + Don't call strlen on something that doesn't have a terminator. + Use the stored length instead. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=0bfd539 +Author: Robin Watts +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699809 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/base/gsicc_manage.c ++++ b/base/gsicc_manage.c +@@ -3010,7 +3010,7 @@ + pval->persistent = true; + } else { + pval->data = (byte *)pgs->icc_manager->srcgtag_profile->name; +- pval->size = strlen((const char *)pval->data); ++ pval->size = pgs->icc_manager->srcgtag_profile->name_length; + pval->persistent = false; + } + } diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180925~52a37b6.patch ghostscript-9.25~dfsg+1/debian/patches/020180925~52a37b6.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180925~52a37b6.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180925~52a37b6.patch 2018-10-18 21:26:08.000000000 +0000 @@ -0,0 +1,36 @@ +Description: Prevent SEGV in gs_setdevice_no_erase. + Prevent SEGV if gsicc_init_iccmanager fails. + . + Error created using :- + MEMENTO_FAILAT=350 ./membin/gpcl6 -sDEVICE=pbmraw -dMaxBitmap=2000 + -o /dev/null ./tests_private/pcl/pcl5cfts/fts.0070 +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=52a37b6 +Author: Shailesh Mistry +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697545 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/base/gsdevice.c ++++ b/base/gsdevice.c +@@ -498,7 +498,9 @@ + if (libctx->io_device_table != NULL) { + cmm_dev_profile_t *dev_profile; + if (pgs->icc_manager->lab_profile == NULL) { /* pick one not set externally */ +- gsicc_init_iccmanager(pgs); ++ code = gsicc_init_iccmanager(pgs); ++ if (code < 0) ++ return(code); + } + /* Also, if the device profile is not yet set then take care of that + before we start filling pages, if we can */ +@@ -720,7 +722,8 @@ + + if ((code = gs_setdevice_no_erase(pgs, ndev)) < 0) + gs_free_object(pgs->memory, ndev, "gs_copydevice(device)"); +- gs_currentdevice_inline(pgs)->LockSafetyParams = saveLockSafety; ++ if (pgs->device != NULL) ++ pgs->device->LockSafetyParams = saveLockSafety; + } + return code; + } diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180925~efe6d83.patch ghostscript-9.25~dfsg+1/debian/patches/020180925~efe6d83.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180925~efe6d83.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180925~efe6d83.patch 2018-10-18 21:27:10.000000000 +0000 @@ -0,0 +1,21 @@ +Description: Fix uninitialised value for render_cond. + gsicc_get_srcprofile doesn't return a render_cond value in all cases. + This leads to an undefined value being read, + and this can lead to a SEGV. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=efe6d83 +Author: Robin Watts +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699809 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/base/gsicc_cache.c ++++ b/base/gsicc_cache.c +@@ -644,6 +644,7 @@ + { + (*profile) = NULL; + (*render_cond).rendering_intent = gsPERCEPTUAL; ++ (*render_cond).cmm = gsCMM_DEFAULT; + switch (graphics_type_tag & ~GS_DEVICE_ENCODES_TAGS) { + case GS_UNKNOWN_TAG: + case GS_UNTOUCHED_TAG: diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180925~f8ccc7d.patch ghostscript-9.25~dfsg+1/debian/patches/020180925~f8ccc7d.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180925~f8ccc7d.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180925~f8ccc7d.patch 2018-10-18 20:50:20.000000000 +0000 @@ -0,0 +1,51 @@ +Description: Hide the .needinput operator + This removes the .needinput operator from systemdict, + ensuring it can only be used in the initialization code, + and not called erroneously from random Postscript. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=f8ccc7d +Author: Chris Liddell +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699793 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -836,12 +836,26 @@ + /.runstring { + 0 0 .systemvmstring .systemvmSFD cvx { .runexec } execute0 + } bind def ++ + % Define the procedure that the C code uses to set up for executing + % a string that may be received in pieces. ++% ++% Immediate evaluation doesn't work on operators (like .needinput) ++% so calling .runstringbegin will throw an undefined error if we ++% undefined .needinput so it cannot be accessed outside the init ++% code. But, we can store the operator in an array, use immediate ++% evaluation on the array to get the operator, then undefined the ++% array (and because they are both of the same name, the operator ++% get undefined too). ++% This prevents random Postscript from erroneously calling .needinput ++% and forcing the interpreter into an invalid state. ++/.needinput ++1 .systemvmarray dup 0 /.needinput load put ++def + /.runstringbegin { +- 1 .systemvmarray dup 0 /.needinput load put cvx % { .needinput } in systemvm ++ 1 .systemvmarray dup 0 //.needinput 0 get put cvx % { .needinput } in systemvm + 0 0 .systemvmstring .systemvmSFD cvx .runexec +-} bind def ++} bind executeonly def + + % Define a special version of runlibfile that aborts on errors. + /runlibfile0 +@@ -2216,7 +2230,7 @@ + /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile + /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams + /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice +- /.type /.writecvs /.setSMask /.currentSMask ++ /.type /.writecvs /.setSMask /.currentSMask /.needinput + + % Used by a free user in the Library of Congress. Apparently this is used to + % draw a partial page, which is then filled in by the results of a barcode diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180927~9565f4c.patch ghostscript-9.25~dfsg+1/debian/patches/020180927~9565f4c.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180927~9565f4c.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180927~9565f4c.patch 2018-10-18 21:28:21.000000000 +0000 @@ -0,0 +1,23 @@ +Description: filenameforall calls bad iodev with insufficent scratch + This was a regression introduced with commit + 65a9046ded8e9edd5d33bc812a9e94ae29607a1e + . + I hadn't realised the cleanup procedure was expected to be called + in the case of both the success *and* error conditions. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=9565f4c +Author: Ken Sharp +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699813 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/psi/zfile.c ++++ b/psi/zfile.c +@@ -438,7 +438,6 @@ + esp -= 5; /* pop proc, pfen, devlen, iodev , mark */ + return o_pop_estack; + } else if (code > len) { /* overran string */ +- esp -= 5; /* pop proc, pfen, devlen, iodev , mark */ + return_error(gs_error_rangecheck); + } + else if (iodev != iodev_default(imemory) diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020180929~a54c9e6.patch ghostscript-9.25~dfsg+1/debian/patches/020180929~a54c9e6.patch --- ghostscript-9.25~dfsg+1/debian/patches/020180929~a54c9e6.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020180929~a54c9e6.patch 2018-10-18 10:38:23.000000000 +0000 @@ -0,0 +1,389 @@ +Description: Improve hiding of security critical custom operators + Make procedures that use .forceput/.forcedef/.forceundef + into operators. + . + The result of this is that errors get reported + against the "top" operator, + rather than the "called" operator within the procedure. + . + For example: + /myproc + { + myop + } bind def + . + If 'myop' throws an error, + the error handler will be passed the 'myop' operator. + Promoting 'myproc' to a operator means + the error handler will be passed 'myproc'. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=a54c9e6 +Author: Chris Liddell +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699816 +Bug-Debian: https://bugs.debian.org/910678 +Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2018-17961 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_diskn.ps ++++ b/Resource/Init/gs_diskn.ps +@@ -53,7 +53,7 @@ + exch .setglobal + } + if +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + % Modify .putdevparams to force regeneration of .searchabledevs list + /.putdevparams { +--- a/Resource/Init/gs_dps.ps ++++ b/Resource/Init/gs_dps.ps +@@ -70,7 +70,7 @@ + % Save a copy of the initial gstate. + //systemdict /savedinitialgstate gstate readonly .forceput + .setglobal +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + % Initialize local dictionaries and gstate when creating a new context. + % Note that until this completes, we are in the anomalous situation of +--- a/Resource/Init/gs_fntem.ps ++++ b/Resource/Init/gs_fntem.ps +@@ -408,7 +408,7 @@ + exit + } loop + exch setglobal +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + currentdict end /ProcSet defineresource pop + +--- a/Resource/Init/gs_fonts.ps ++++ b/Resource/Init/gs_fonts.ps +@@ -377,8 +377,8 @@ + } + {pop} + ifelse +-} .bind executeonly def +-systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec ++} .bind executeonly odef ++systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt + /.buildnativefontmap { % - .buildnativefontmap + systemdict /.nativefontmapbuilt .knownget not + { //false} if +@@ -419,7 +419,7 @@ + } forall + } if + % record that we've been run +- //true //.setnativefontmapbuilt exec ++ //true .setnativefontmapbuilt + } ifelse + } bind def + currentdict /.setnativefontmapbuilt .forceundef +@@ -1103,7 +1103,7 @@ + + % Check to make sure the font was actually loaded. + dup 3 index .fontknownget +- { dup /PathLoad 4 index //.putgstringcopy exec ++ { dup /PathLoad 4 index .putgstringcopy + 4 1 roll pop pop pop //true exit + } if + +@@ -1115,7 +1115,7 @@ + { % Stack: origfontname fontdirectory path filefontname + 2 index 1 index .fontknownget + { % Yes. Stack: origfontname fontdirectory path filefontname fontdict +- dup 4 -1 roll /PathLoad exch //.putgstringcopy exec ++ dup 4 -1 roll /PathLoad exch .putgstringcopy + % Stack: origfontname fontdirectory filefontname fontdict + 3 -1 roll pop + % Stack: origfontname filefontname fontdict +--- a/Resource/Init/gs_lev2.ps ++++ b/Resource/Init/gs_lev2.ps +@@ -163,10 +163,11 @@ + % Set them again to the new values. From here on, we are safe, + % since a context switch will consult userparams. + .setuserparams +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + /setuserparams { % setuserparams - +- .setuserparams2 ++ {.setuserparams2} stopped ++ {/setuserparams load $error /errorname get signalerror} if + } .bind odef + % Initialize user parameters managed here. + /JobName () .definepsuserparam +@@ -415,7 +416,9 @@ + + % VMReclaim and VMThreshold are user parameters. + /setvmthreshold { % setvmthreshold - +- mark /VMThreshold 2 .argindex .dicttomark .setuserparams2 pop ++ mark /VMThreshold 2 .argindex .dicttomark {.setuserparams2} stopped ++ {pop /setvmthreshold load $error /errorname get signalerror} ++ {pop} ifelse + } odef + /vmreclaim { % vmreclaim - + dup 0 gt { +@@ -427,7 +430,9 @@ + ifelse + } { + % VMReclaim userparam controls enable/disable GC +- mark /VMReclaim 2 index .dicttomark .setuserparams2 pop ++ mark /VMReclaim 2 index .dicttomark {.setuserparams2} stopped ++ {pop /vmreclaim load $error /errorname get signalerror} ++ {pop} ifelse + } ifelse + } odef + -1 setvmthreshold +--- a/Resource/Init/gs_pdfwr.ps ++++ b/Resource/Init/gs_pdfwr.ps +@@ -660,7 +660,7 @@ + { + pop + } ifelse +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + % Use the DSC processing hook to pass DSC comments to the driver. + % We use a pseudo-parameter named DSC whose value is an array: +--- a/Resource/Init/gs_setpd.ps ++++ b/Resource/Init/gs_setpd.ps +@@ -608,6 +608,20 @@ + % in the dictionary with the policy value, + % and we replace the key in the dictionary with its prior value + % (or remove it if it had no prior value). ++ ++% Making this an operator means we can properly hide ++% the contents - specifically .forceput ++/1Policy ++{ ++ % Roll back the failed request to its previous status. ++ SETPDDEBUG { (Rolling back.) = pstack flush } if ++ 3 index 2 index 3 -1 roll .forceput ++ 4 index 1 index .knownget ++ { 4 index 3 1 roll .forceput } ++ { 3 index exch .undef } ++ ifelse ++} bind executeonly odef ++ + /.policyprocs mark + % These procedures are called with the following on the stack: + % +@@ -631,14 +645,7 @@ + /setpagedevice .systemvar /configurationerror signalerror + } ifelse + } bind +- 1 { % Roll back the failed request to its previous status. +-SETPDDEBUG { (Rolling back.) = pstack flush } if +- 3 index 2 index 3 -1 roll .forceput +- 4 index 1 index .knownget +- { 4 index 3 1 roll .forceput } +- { 3 index exch .undef } +- ifelse +- } .bind executeonly % must be bound and hidden for .forceput ++ 1 /1Policy load + 7 { % For PageSize only, just impose the request. + 1 index /PageSize eq + { pop pop 1 index /PageSize 7 put } +@@ -646,6 +653,8 @@ + ifelse + } bind + .dicttomark readonly def ++currentdict /1Policy undef ++ + /.applypolicies % .applypolicies + % + { 1 index /Policies get 1 index +--- a/Resource/Init/gs_typ32.ps ++++ b/Resource/Init/gs_typ32.ps +@@ -79,15 +79,19 @@ + .dicttomark /ProcSet defineresource pop + + /.cidfonttypes where { pop } { /.cidfonttypes 6 dict def } ifelse +-.cidfonttypes begin +- +-4 % CIDFontType 4 = FontType 32 +-{ dup /FontType 32 .forceput ++/CIDFontType4 ++{ ++ dup /FontType 32 .forceput + dup /CharStrings 20 dict .forceput + 1 index exch .buildfont32 exch pop +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef ++.cidfonttypes begin ++ ++ ++4 /CIDFontType4 load def % CIDFontType 4 = FontType 32 + + end % .cidfonttypes ++currentdict /CIDFontType4 .forceundef + + % Define the BuildGlyph procedure. + % Since Type 32 fonts are indexed by CID, there is no BuildChar procedure. +--- a/Resource/Init/gs_type1.ps ++++ b/Resource/Init/gs_type1.ps +@@ -283,7 +283,7 @@ + } if + 2 copy /WeightVector exch .forceput + .setweightvector +-} .bind executeonly def ++} .bind executeonly odef + end + + % Register the font types for definefont. +--- a/Resource/Init/pdf_base.ps ++++ b/Resource/Init/pdf_base.ps +@@ -218,7 +218,7 @@ + } ifelse + } ifelse + } ifelse +-} bind executeonly def ++} bind executeonly odef + /PDFScanRules_true << /PDFScanRules //true >> def + /PDFScanRules_null << /PDFScanRules //null >> def + /.pdfrun { % .pdfrun - +--- a/Resource/Init/pdf_draw.ps ++++ b/Resource/Init/pdf_draw.ps +@@ -1158,7 +1158,7 @@ + Q + PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if + PDFfile exch setfileposition +-} bind executeonly def ++} bind executeonly odef + + /.pdfpaintproc { + %% Get the /m from pdfopdict (must be present) +@@ -1189,7 +1189,7 @@ + { + switch_to_text_marking_ops + } if +-}bind executeonly def ++}bind executeonly odef + + /resolvepattern { % resolvepattern + % Don't do the resolvestream now: just capture the data +@@ -2353,7 +2353,7 @@ + }{ + pdfdict /AppearanceNumber 0 .forceput + } ifelse +-}bind executeonly def ++}bind executeonly odef + + /MakeAppearanceName { + pdfdict /AppearanceNumber get +@@ -2382,7 +2382,7 @@ + DoForm + pdfdict /.PreservePDFForm 3 -1 roll .forceput + grestore +-} bind executeonly def ++} bind executeonly odef + + /DoForm { + %% save the current value, if its true we will set it to false later, in order +@@ -2541,7 +2541,7 @@ + end + } if + pdfdict /.PreservePDFForm 3 -1 roll .forceput +-} bind executeonly def ++} bind executeonly odef + + /_dops_save 1 array def + +--- a/Resource/Init/pdf_font.ps ++++ b/Resource/Init/pdf_font.ps +@@ -718,7 +718,7 @@ + {pop pop pop} + ifelse + +-} bind executeonly def ++} bind executeonly odef + + currentdict /.DoToUnicode? .forceundef + +@@ -1241,7 +1241,7 @@ + } bdef + dup currentdict Encoding .processToUnicode + currentdict end .completefont exch pop +-} bind executeonly def ++} bind executeonly odef + /.adjustcharwidth { % .adjustcharwidth + % Enforce the metrics, in glyph space, to the values found in the PDF Font object + % - force wy == 0 (assumed, and not stored in the PDF font) +@@ -2026,7 +2026,7 @@ + } if + /findresource cvx /undefined signalerror + } loop +-} bind executeonly def ++} bind executeonly odef + + /buildCIDType0 { % buildCIDType0 + dup /BaseFont get findCIDFont exch pop +@@ -2211,7 +2211,7 @@ + /Type0 //buildType0 + /Type1 //buildType1 + /MMType1 //buildType1 +- /Type3 //buildType3 ++ /Type3 /buildType3 load + /TrueType //buildTrueType + /CIDFontType0 //buildCIDType0 + /CIDFontType2 //buildCIDType2 +--- a/Resource/Init/pdf_main.ps ++++ b/Resource/Init/pdf_main.ps +@@ -660,7 +660,7 @@ + } forall + pop + } ifelse +-} bind executeonly def ++} bind executeonly odef + + currentdict /pdf_collection_files .undef + +@@ -2715,7 +2715,7 @@ + .setglobal + /RepairedAnError exch def + /Repaired exch def +-} bind executeonly def ++} bind executeonly odef + + % Display the contents of a page (including annotations). + /showpagecontents { % showpagecontents - +--- a/Resource/Init/pdf_ops.ps ++++ b/Resource/Init/pdf_ops.ps +@@ -193,7 +193,7 @@ + pdfformaterror + } ifelse + } if +-} bind executeonly def ++} bind executeonly odef + + % Save PDF gstate + /qstate { % - qstate +@@ -451,7 +451,7 @@ + %% a gsave, so we haven't copied it to /self, if we don't do that here + %% then transparent annotations cause an invalid access error. + currentdict //nodict eq {/self dup load end 5 dict begin def} if +-} bind executeonly def ++} bind executeonly odef + /AIS { .setalphaisshape } bind executeonly def + /BM { + /.setblendmode where { +@@ -1077,7 +1077,7 @@ + pdfopdict /v {inside_text_v} bind .forceput + pdfopdict /y {inside_text_y} bind .forceput + pdfopdict /re {inside_text_re} bind .forceput +-} bind executeonly def ++} bind executeonly odef + + /switch_to_normal_marking_ops { + pdfopdict /m {normal_m} bind .forceput +@@ -1086,7 +1086,7 @@ + pdfopdict /v {normal_v} bind .forceput + pdfopdict /y {normal_y} bind .forceput + pdfopdict /re {normal_re} bind .forceput +-} bind executeonly def ++} bind executeonly odef + + /BT { + currentdict /TextSaveMatrix known { diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020181003~0269a72.patch ghostscript-9.25~dfsg+1/debian/patches/020181003~0269a72.patch --- ghostscript-9.25~dfsg+1/debian/patches/020181003~0269a72.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020181003~0269a72.patch 2018-10-18 21:29:20.000000000 +0000 @@ -0,0 +1,26 @@ +Description: Prevent SEGV after calling gs_image_class_1_simple. + Prevent SEGV if memory allocation fails + leading to penum being freed but then used again later. + . + Error created using :- + MEMENTO_FAILAT=20913 ./membin/gpcl6 -sDEVICE=pbmraw -dMaxBitmap=2000 + -o /dev/null ./tests_private/pcl/pcl5cfts/fts.0100 +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=0269a72 +Author: Shailesh Mistry +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697545 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/base/gxifast.c ++++ b/base/gxifast.c +@@ -110,9 +110,6 @@ + penum->line = gs_alloc_bytes(penum->memory, + penum->line_size, "image line"); + if (penum->line == 0) { +- gx_default_end_image(penum->dev, +- (gx_image_enum_common_t *) penum, +- false); + return 0; + } + #ifdef PACIFY_VALGRIND diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020181003~d06af15.patch ghostscript-9.25~dfsg+1/debian/patches/020181003~d06af15.patch --- ghostscript-9.25~dfsg+1/debian/patches/020181003~d06af15.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020181003~d06af15.patch 2018-10-18 21:30:52.000000000 +0000 @@ -0,0 +1,32 @@ +Description: don't push userdict in preparation for Type 1 fonts + Apparently, Fontographer fonts require a writable dictionary + on the dict stack. + For some reason lost in mists of time, + we pushed userdict for that purpose - + the problem is, that leaves any random redefinition of operators + in place when we interpret the font file. + . + Instead, we now push an empty, temporary dictionary + for those Fontographer fonts. + As we already explicitly push systemdict + (before the writable dictionary) + that ensures a consistent environment + for the interpretation of Type 1 fonts. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=d06af15 +Author: Chris Liddell +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699857 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_type1.ps ++++ b/Resource/Init/gs_type1.ps +@@ -166,7 +166,7 @@ + % However, we can't use any of the other well-known dictionaries + % (such as userdict), since the whole point of pushing systemdict + % is to make sure that nothing important has been redefined. +- /userdict .systemvar begin ++ 32 dict begin + % We can't just use `run', because we want to check for .PFB files. + currentpacking + { //false setpacking .loadfont1 //true setpacking } diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020181004before20181002~1778db6.patch ghostscript-9.25~dfsg+1/debian/patches/020181004before20181002~1778db6.patch --- ghostscript-9.25~dfsg+1/debian/patches/020181004before20181002~1778db6.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020181004before20181002~1778db6.patch 2018-10-18 20:50:25.000000000 +0000 @@ -0,0 +1,162 @@ +Description: add control over hiding error handlers. + With a previous commit changing error handling in SAFER + so the handler gets passed a name object + (rather than executable object), + it is less critical to hide the error handlers. + . + This introduces a -dSAFERERRORS option + to force only use of the default error handlers. + . + It also adds a .setsafererrors Postscript call, + meaning a caller, without -dSAFERERRORS, + can create their own default error handlers + (in errordict, as normal), + and then call .setsafererrors + meaning their own handlers are always called. + . + With -dSAFERERRORS or after a call to .setsafererrors, + .setsafererrors is removed. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=1778db6 +Author: Chris Liddell +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699832 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -193,6 +193,16 @@ + currentdict /PARANOIDSAFER known or % PARANOIDSAFER is equivalent + } + ifelse def ++ ++/SAFERERRORS ++currentdict /NOSAFERERRORS known ++{ ++ //false ++} ++{ ++ currentdict /SAFERERRORS known ++} ifelse def ++ + currentdict /SHORTERRORS known /SHORTERRORS exch def + currentdict /TTYPAUSE known /TTYPAUSE exch def + currentdict /WRITESYSTEMDICT known /WRITESYSTEMDICT exch def +@@ -1141,12 +1151,23 @@ + } bind def + end % errordict + +-% Put all the default handlers in gserrordict +-gserrordict +-errordict {2 index 3 1 roll put} forall +-noaccess pop +-% remove the non-standard errors from errordict ++gserrordict /unknownerror errordict /unknownerror get put + errordict /unknownerror .undef ++ ++/.SAFERERRORLIST ErrorNames def ++/.setsafererrors ++{ ++% Put all the requested handlers in gserrordict ++ gserrordict ++ //.SAFERERRORLIST ++ {dup errordict exch get 2 index 3 1 roll put} forall ++ noaccess pop ++ systemdict /.setsafeerrors .forceundef ++ systemdict /.SAFERERRORLIST .forceundef ++} bind executeonly odef ++ ++SAFERERRORS {.setsafererrors} if ++ + % Define a stable private copy of handleerror that we will always use under + % JOBSERVER mode. + /.GShandleerror errordict /handleerror get def +@@ -1778,18 +1799,15 @@ + + % Bind all the operators defined as procedures. + /.bindoperators % binds operators in currentdict +- { % Temporarily disable the typecheck error. +- errordict /typecheck 2 copy get +- errordict /typecheck { pop } put % pop the command ++ { + currentdict + { dup type /operatortype eq +- { % This might be a real operator, so bind might cause a typecheck, +- % but we've made the error a no-op temporarily. +- .bind ++ { ++ % This might be a real operator, so bind might cause a typecheck ++ {.bind} .internalstopped pop + } + if pop pop + } forall +- put + } def + DELAYBIND not { .bindoperators } if + +--- a/psi/interp.c ++++ b/psi/interp.c +@@ -662,27 +662,18 @@ + if (gs_errorname(i_ctx_p, code, &error_name) < 0) + return code; /* out-of-range error code! */ + +- /* If LockFilePermissions is true, we only refer to gserrordict, which +- * is not accessible to Postcript jobs ++ /* We refer to gserrordict first, which is not accessible to Postcript jobs ++ * If we're running with SAFERERRORS all the handlers are copied to gserrordict ++ * so we'll always find the default one. If not SAFERERRORS, only gs specific ++ * errors are in gserrordict. + */ +- if (i_ctx_p->LockFilePermissions) { +- if (((dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 || +- dict_find(perrordict, &error_name, &epref) <= 0)) +- ) +- return code; /* error name not in errordict??? */ +- } +- else { +- /* +- * For greater Adobe compatibility, only the standard PostScript errors +- * are defined in errordict; the rest are in gserrordict. +- */ +- if (dict_find_string(systemdict, "errordict", &perrordict) <= 0 || +- (dict_find(perrordict, &error_name, &epref) <= 0 && +- (dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 || +- dict_find(perrordict, &error_name, &epref) <= 0)) +- ) +- return code; /* error name not in errordict??? */ +- } ++ if (dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 || ++ (dict_find(perrordict, &error_name, &epref) <= 0 && ++ (dict_find_string(systemdict, "errordict", &perrordict) <= 0 || ++ dict_find(perrordict, &error_name, &epref) <= 0)) ++ ) ++ return code; /* error name not in errordict??? */ ++ + doref = *epref; + epref = &doref; + /* Push the error object on the operand stack if appropriate. */ +@@ -695,6 +686,24 @@ + } + *osp = *perror_object; + errorexec_find(i_ctx_p, osp); ++ /* If using SAFER, hand a name object to the error handler, rather than the executable ++ * object/operator itself. ++ */ ++ if (i_ctx_p->LockFilePermissions) { ++ code = obj_cvs(imemory, osp, buf + 2, 256, &rlen, (const byte **)&bufptr); ++ if (code < 0) { ++ const char *unknownstr = "--unknown--"; ++ rlen = strlen(unknownstr); ++ memcpy(buf, unknownstr, rlen); ++ } ++ else { ++ buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-'; ++ rlen += 4; ++ } ++ code = name_ref(imemory, buf, rlen, osp, 1); ++ if (code < 0) ++ make_null(osp); ++ } + } + goto again; + } diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020181004really20181002~a680739.patch ghostscript-9.25~dfsg+1/debian/patches/020181004really20181002~a680739.patch --- ghostscript-9.25~dfsg+1/debian/patches/020181004really20181002~a680739.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020181004really20181002~a680739.patch 2018-10-18 14:13:35.000000000 +0000 @@ -0,0 +1,99 @@ +Description: For hidden operators, pass a name object to error handler. + In normal operation, + Postscript error handlers are passed the object + which triggered the error: + this is invariably an operator object. + . + The issue arises when an error is triggered by an operator + which is for internal use only, + and that operator is then passed to the error handler, + meaning it becomes visible to the error handler code. + . + By converting to a name object, the error message is still valid, + but we no longer expose internal use only operators. + . + The change in gs_dps1.ps is related to the above: + previously an error in scheck would throw an error against .gcheck, + but as .gcheck is now a hidden operator, + it resulted in a name object being passed to the error handler. + As scheck is a 'real' operator, + it's better to use the real operator, + rather than the name of an internal, hidden one. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=a680739 +Author: Chris Liddell +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699816 +Bug-Debian: https://bugs.debian.org/910678 +Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2018-17961 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ + For hidden operators, pass a name object to error handler. +--- a/Resource/Init/gs_dps1.ps ++++ b/Resource/Init/gs_dps1.ps +@@ -21,7 +21,7 @@ + % ------ Virtual memory ------ % + + /currentshared /.currentglobal load def +-/scheck /.gcheck load def ++/scheck {.gcheck} bind odef + %****** FOLLOWING IS WRONG ****** + /shareddict currentdict /globaldict .knownget not { 20 dict } if def + +--- a/psi/interp.c ++++ b/psi/interp.c +@@ -678,6 +678,8 @@ + epref = &doref; + /* Push the error object on the operand stack if appropriate. */ + if (!GS_ERROR_IS_INTERRUPT(code)) { ++ byte buf[260], *bufptr; ++ uint rlen; + /* Replace the error object if within an oparray or .errorexec. */ + osp++; + if (osp >= ostop) { +@@ -686,23 +688,36 @@ + } + *osp = *perror_object; + errorexec_find(i_ctx_p, osp); +- /* If using SAFER, hand a name object to the error handler, rather than the executable +- * object/operator itself. +- */ +- if (i_ctx_p->LockFilePermissions) { ++ ++ if (!r_has_type(osp, t_string) && !r_has_type(osp, t_name)) { + code = obj_cvs(imemory, osp, buf + 2, 256, &rlen, (const byte **)&bufptr); + if (code < 0) { + const char *unknownstr = "--unknown--"; + rlen = strlen(unknownstr); + memcpy(buf, unknownstr, rlen); ++ bufptr = buf; + } + else { +- buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-'; +- rlen += 4; ++ ref *tobj; ++ bufptr[rlen] = '\0'; ++ /* Only pass a name object if the operator doesn't exist in systemdict ++ * i.e. it's an internal operator we have hidden ++ */ ++ code = dict_find_string(systemdict, (const char *)bufptr, &tobj); ++ if (code < 0) { ++ buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-'; ++ rlen += 4; ++ bufptr = buf; ++ } ++ else { ++ bufptr = NULL; ++ } ++ } ++ if (bufptr) { ++ code = name_ref(imemory, buf, rlen, osp, 1); ++ if (code < 0) ++ make_null(osp); + } +- code = name_ref(imemory, buf, rlen, osp, 1); +- if (code < 0) +- make_null(osp); + } + } + goto again; diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020181009~f1a0787.patch ghostscript-9.25~dfsg+1/debian/patches/020181009~f1a0787.patch --- ghostscript-9.25~dfsg+1/debian/patches/020181009~f1a0787.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020181009~f1a0787.patch 2018-10-18 21:31:47.000000000 +0000 @@ -0,0 +1,27 @@ +Description: Explicitly exclude /unknownerror from the SAFERERRORLIST + Since we remove /unknownerror from errordict, + we want to exclude it + from the list we copy to gserrordict for SAFERERRORS +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=f1a0787 +Author: Chris Liddell +Forwarded: yes +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -1160,7 +1160,13 @@ + % Put all the requested handlers in gserrordict + gserrordict + //.SAFERERRORLIST +- {dup errordict exch get 2 index 3 1 roll put} forall ++ { ++ dup /unknownerror eq ++ {pop} ++ { ++ dup errordict exch get 2 index 3 1 roll put ++ }ifelse ++ }forall + noaccess pop + systemdict /.setsafeerrors .forceundef + systemdict /.SAFERERRORLIST .forceundef diff -Nru ghostscript-9.25~dfsg+1/debian/patches/020181010~34cc326.patch ghostscript-9.25~dfsg+1/debian/patches/020181010~34cc326.patch --- ghostscript-9.25~dfsg+1/debian/patches/020181010~34cc326.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-9.25~dfsg+1/debian/patches/020181010~34cc326.patch 2018-10-18 20:50:33.000000000 +0000 @@ -0,0 +1,176 @@ +Description: don't include operator arrays in execstack output + When we transfer the contents of the execution stack into the array, + take the extra step of replacing any operator arrays on the stack + with the operator that reference them. + . + This prevents the contents of Postscript defined, + internal only operators (those created with .makeoperator) being exposed + via execstack (and thus, via error handling). + . + This necessitates a change in the resource remapping 'resource', + which contains a procedure + which relies on the contents of the operators arrays being present. + As we already had internal-only variants of countexecstack and execstack + (.countexecstack and .execstack) - + using those, and leaving their operation including the operator arrays + means the procedure continues to work correctly. + . + Both .countexecstack and .execstack are undefined after initialization. + . + Also, when we store the execstack (or part thereof) + for an execstackoverflow error, + make the same oparray/operator substitution as above for execstack. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=34cc326 +Author: Chris Liddell +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=699927 +Bug-Debian: https://bugs.debian.org/910758 +Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2018-18073 +Last-Update: 2018-10-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2215,7 +2215,7 @@ + % but can be easily restored (just delete the name from the list in the array). In future + % we may remove the operator and the code implementation entirely. + [ +- /.bitadd /.charboxpath /.cond /.countexecstack /.execstack /.runandhide /.popdevicefilter ++ /.bitadd /.charboxpath /.cond /.runandhide /.popdevicefilter + /.execfile /.filenamesplit /.file_name_parent + /.setdefaultmatrix /.isprocfilter /.unread /.psstringencode + /.buildsampledfunction /.isencapfunction /.currentaccuratecurves /.currentcurvejoin /.currentdashadapt /.currentdotlength +@@ -2254,7 +2254,7 @@ + /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile + /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams + /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice +- /.type /.writecvs /.setSMask /.currentSMask /.needinput ++ /.type /.writecvs /.setSMask /.currentSMask /.needinput /.countexecstack /.execstack + + % Used by a free user in the Library of Congress. Apparently this is used to + % draw a partial page, which is then filled in by the results of a barcode +--- a/Resource/Init/gs_resmp.ps ++++ b/Resource/Init/gs_resmp.ps +@@ -183,7 +183,7 @@ + % We don't check them. + + currentglobal //false setglobal %