From 377f7663089032ffd4220fcb2cae5c8f1deb1500 Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Mon, 5 Oct 2009 13:00:15 +0000 Subject: [PATCH] Sync to F-11. --- .cvsignore | 1 + ghostscript-CVE-2009-0196.patch | 19 - ghostscript-CVE-2009-0583,0584.patch | 997 --------------------------- ghostscript-CVE-2009-0792.patch | 166 ----- ghostscript-bitcmyk.patch | 35 - ghostscript-gs-executable.patch | 145 ++-- ghostscript-jbig2dec-nullderef.patch | 34 +- ghostscript.spec | 51 +- sources | 2 +- 9 files changed, 120 insertions(+), 1330 deletions(-) delete mode 100644 ghostscript-CVE-2009-0196.patch delete mode 100644 ghostscript-CVE-2009-0583,0584.patch delete mode 100644 ghostscript-CVE-2009-0792.patch delete mode 100644 ghostscript-bitcmyk.patch diff --git a/.cvsignore b/.cvsignore index e066f4b..05086c7 100644 --- a/.cvsignore +++ b/.cvsignore @@ -24,3 +24,4 @@ ghostscript-8.61.tar.bz2 ghostscript-8.62.tar.bz2 ghostscript-8.63.tar.bz2 ghostscript-8.64.tar.bz2 +ghostscript-8.70.tar.bz2 diff --git a/ghostscript-CVE-2009-0196.patch b/ghostscript-CVE-2009-0196.patch deleted file mode 100644 index 5ee8d86..0000000 --- a/ghostscript-CVE-2009-0196.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff -up ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196 ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c ---- ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196 2007-12-11 08:29:58.000000000 +0000 -+++ ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c 2009-04-15 16:27:43.000000000 +0100 -@@ -699,6 +699,15 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, - exrunlength = params->SDNUMEXSYMS; - else - code = jbig2_arith_int_decode(IAEX, as, &exrunlength); -+ if (exrunlength > params->SDNUMEXSYMS - j) { -+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, -+ "runlength too large in export symbol table (%d > %d - %d)\n", -+ exrunlength, params->SDNUMEXSYMS, j); -+ jbig2_sd_release(ctx, SDEXSYMS); -+ /* skip to the cleanup code and return SDEXSYMS = NULL */ -+ SDEXSYMS = NULL; -+ break; -+ } - for(k = 0; k < exrunlength; k++) - if (exflag) { - SDEXSYMS->glyphs[j++] = (i < m) ? diff --git a/ghostscript-CVE-2009-0583,0584.patch b/ghostscript-CVE-2009-0583,0584.patch deleted file mode 100644 index 4471433..0000000 --- a/ghostscript-CVE-2009-0583,0584.patch +++ /dev/null @@ -1,997 +0,0 @@ -diff -up ghostscript-8.64/icclib/icc.c.CVE-2009-0583,0584 ghostscript-8.64/icclib/icc.c ---- ghostscript-8.64/icclib/icc.c.CVE-2009-0583,0584 2008-05-09 05:12:01.000000000 +0100 -+++ ghostscript-8.64/icclib/icc.c 2009-07-30 13:29:08.853734640 +0100 -@@ -152,6 +152,8 @@ - * Various bug fixes and enhancements. - */ - -+#include -+#include - #include - #include - #include -@@ -313,8 +315,11 @@ size_t count - icmFileMem *p = (icmFileMem *)pp; - size_t len; - -+ if (count > 0 && size > SIZE_MAX / count) -+ return 0; -+ - len = size * count; -- if ((p->cur + len) >= p->end) { /* Too much */ -+ if (len > (p->end - p->cur)) { /* Too much */ - if (size > 0) - count = (p->end - p->cur)/size; - else -@@ -1634,6 +1639,8 @@ static int icmUInt8Array_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmUInt8Array_write malloc() failed"); - return icp->errc = 2; -@@ -1698,7 +1705,7 @@ static int icmUInt8Array_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) { -+ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) { - sprintf(icp->err,"icmUInt8Array_alloc: malloc() of icmUInt8Array data failed"); - return icp->errc = 2; - } -@@ -1749,6 +1756,10 @@ static unsigned int icmUInt16Array_get_s - icmUInt16Array *p = (icmUInt16Array *)pp; - unsigned int len = 0; - len += 8; /* 8 bytes for tag and padding */ -+ if (p->size > (UINT_MAX - len) / 2) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += p->size * 2; /* 2 bytes for each UInt16 */ - return len; - } -@@ -1821,6 +1832,8 @@ static int icmUInt16Array_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmUInt16Array_write malloc() failed"); - return icp->errc = 2; -@@ -1885,7 +1898,7 @@ static int icmUInt16Array_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) { -+ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) { - sprintf(icp->err,"icmUInt16Array_alloc: malloc() of icmUInt16Array data failed"); - return icp->errc = 2; - } -@@ -1936,6 +1949,10 @@ static unsigned int icmUInt32Array_get_s - icmUInt32Array *p = (icmUInt32Array *)pp; - unsigned int len = 0; - len += 8; /* 8 bytes for tag and padding */ -+ if (p->size > (UINT_MAX - len) / 4) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += p->size * 4; /* 4 bytes for each UInt32 */ - return len; - } -@@ -2008,6 +2025,8 @@ static int icmUInt32Array_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmUInt32Array_write malloc() failed"); - return icp->errc = 2; -@@ -2072,7 +2091,7 @@ static int icmUInt32Array_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) { -+ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) { - sprintf(icp->err,"icmUInt32Array_alloc: malloc() of icmUInt32Array data failed"); - return icp->errc = 2; - } -@@ -2123,6 +2142,10 @@ static unsigned int icmUInt64Array_get_s - icmUInt64Array *p = (icmUInt64Array *)pp; - unsigned int len = 0; - len += 8; /* 8 bytes for tag and padding */ -+ if (p->size > (UINT_MAX - len) / 8) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += p->size * 8; /* 8 bytes for each UInt64 */ - return len; - } -@@ -2195,6 +2218,8 @@ static int icmUInt64Array_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmUInt64Array_write malloc() failed"); - return icp->errc = 2; -@@ -2259,7 +2284,7 @@ static int icmUInt64Array_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (icmUint64 *) icp->al->malloc(icp->al, p->size * sizeof(icmUint64))) == NULL) { -+ if ((p->data = (icmUint64 *) icp->al->calloc(icp->al, p->size, sizeof(icmUint64))) == NULL) { - sprintf(icp->err,"icmUInt64Array_alloc: malloc() of icmUInt64Array data failed"); - return icp->errc = 2; - } -@@ -2310,6 +2335,10 @@ static unsigned int icmU16Fixed16Array_g - icmU16Fixed16Array *p = (icmU16Fixed16Array *)pp; - unsigned int len = 0; - len += 8; /* 8 bytes for tag and padding */ -+ if (p->size > (UINT_MAX - len) / 4) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += p->size * 4; /* 4 byte for each U16Fixed16 */ - return len; - } -@@ -2382,6 +2411,8 @@ static int icmU16Fixed16Array_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmU16Fixed16Array_write malloc() failed"); - return icp->errc = 2; -@@ -2446,7 +2477,7 @@ static int icmU16Fixed16Array_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) { -+ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) { - sprintf(icp->err,"icmU16Fixed16Array_alloc: malloc() of icmU16Fixed16Array data failed"); - return icp->errc = 2; - } -@@ -2497,6 +2528,10 @@ static unsigned int icmS15Fixed16Array_g - icmS15Fixed16Array *p = (icmS15Fixed16Array *)pp; - unsigned int len = 0; - len += 8; /* 8 bytes for tag and padding */ -+ if (p->size > (UINT_MAX - len) / 4) { -+ p->icp->errc = 1; -+ return (unsigned int) - 1; -+ } - len += p->size * 4; /* 4 byte for each S15Fixed16 */ - return len; - } -@@ -2569,6 +2604,8 @@ static int icmS15Fixed16Array_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmS15Fixed16Array_write malloc() failed"); - return icp->errc = 2; -@@ -2633,7 +2670,7 @@ static int icmS15Fixed16Array_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) { -+ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) { - sprintf(icp->err,"icmS15Fixed16Array_alloc: malloc() of icmS15Fixed16Array data failed"); - return icp->errc = 2; - } -@@ -2726,6 +2763,10 @@ static unsigned int icmXYZArray_get_size - icmXYZArray *p = (icmXYZArray *)pp; - unsigned int len = 0; - len += 8; /* 8 bytes for tag and padding */ -+ if (p->size > (UINT_MAX - len) / 12) { -+ p->icp->errc = 1; -+ return (unsigned int) - 1; -+ } - len += p->size * 12; /* 12 bytes for each XYZ */ - return len; - } -@@ -2798,6 +2839,8 @@ static int icmXYZArray_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmXYZArray_write malloc() failed"); - return icp->errc = 2; -@@ -2865,7 +2908,7 @@ static int icmXYZArray_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (icmXYZNumber *) icp->al->malloc(icp->al, p->size * sizeof(icmXYZNumber))) == NULL) { -+ if ((p->data = (icmXYZNumber *) icp->al->calloc(icp->al, p->size, sizeof(icmXYZNumber))) == NULL) { - sprintf(icp->err,"icmXYZArray_alloc: malloc() of icmXYZArray data failed"); - return icp->errc = 2; - } -@@ -3001,7 +3044,7 @@ static int icmTable_setup_bwd( - int nf; /* Next free slot */ - if (rt->rlists[j] == NULL) { /* No allocation */ - as = 5; /* Start with space for 5 */ -- if ((rt->rlists[j] = (int *) icp->al->malloc(icp->al, sizeof(int) * as)) == NULL) { -+ if ((rt->rlists[j] = (int *) icp->al->calloc(icp->al, sizeof(int), as)) == NULL) { - return 2; - } - rt->rlists[j][0] = as; -@@ -3141,6 +3184,10 @@ static unsigned int icmCurve_get_size( - icmCurve *p = (icmCurve *)pp; - unsigned int len = 0; - len += 12; /* 12 bytes for tag, padding and count */ -+ if (p->size > (UINT_MAX - len) / 2) { -+ p->icp->errc = 1; -+ return (unsigned int) - 1; -+ } - len += p->size * 2; /* 2 bytes for each UInt16 */ - return len; - } -@@ -3238,6 +3285,8 @@ static int icmCurve_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmCurve_write malloc() failed"); - return icp->errc = 2; -@@ -3347,7 +3396,7 @@ static int icmCurve_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) { -+ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) { - sprintf(icp->err,"icmCurve_alloc: malloc() of icmCurve data failed"); - return icp->errc = 2; - } -@@ -3493,6 +3542,8 @@ static int icmData_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmData_write malloc() failed"); - return icp->errc = 2; -@@ -3745,6 +3796,8 @@ static int icmText_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmText_write malloc() failed"); - return icp->errc = 2; -@@ -4038,6 +4091,8 @@ static int icmDateTimeNumber_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmDateTimeNumber_write malloc() failed"); - return icp->errc = 2; -@@ -4128,11 +4183,15 @@ static icmBase *new_icmDateTimeNumber( - /* icmLut object */ - - /* Utility function - raise one integer to an integer power */ --static unsigned int uipow(unsigned int a, unsigned int b) { -+static int uipow(unsigned int a, unsigned int b, unsigned int *ret) { - unsigned int rv = 1; -- for (; b > 0; b--) -+ for (; b > 0; b--) { -+ if (a > 0 && rv > UINT_MAX / a) -+ return 1; - rv *= a; -- return rv; -+ } -+ *ret = rv; -+ return 0; - } - - /* - - - - - - - - - - - - - - - - */ -@@ -4268,7 +4327,7 @@ double *in /* Input array[outputChan] * - if (p->inputChan <= 8) { - gw = GW; /* Use stack allocation */ - } else { -- if ((gw = (double *) icp->al->malloc(icp->al, (1 << p->inputChan) * sizeof(double))) == NULL) { -+ if ((gw = (double *) icp->al->calloc(icp->al, (1 << p->inputChan), sizeof(double))) == NULL) { - sprintf(icp->err,"icmLut_lookup_clut: malloc() failed"); - return icp->errc = 2; - } -@@ -4819,19 +4878,50 @@ static unsigned int icmLut_get_size( - ) { - icmLut *p = (icmLut *)pp; - unsigned int len = 0; -+ unsigned int pw; - - if (p->ttype == icSigLut8Type) { - len += 48; /* tag and header */ -+ if (p->inputChan > 0 && -+ p->inputEnt > (UINT_MAX - len) / p->inputChan / 1) -+ goto overflow; -+ - len += 1 * (p->inputChan * p->inputEnt); -- len += 1 * (p->outputChan * uipow(p->clutPoints,p->inputChan)); -+ if (uipow(p->clutPoints,p->inputChan, &pw) || -+ (p->outputChan > 0 && -+ pw > (UINT_MAX - len) / p->outputChan / 1)) -+ goto overflow; -+ -+ len += 1 * (p->outputChan * pw); -+ if (p->outputChan > 0 && -+ p->outputEnt > (UINT_MAX - len) / p->outputChan / 1) -+ goto overflow; -+ - len += 1 * (p->outputChan * p->outputEnt); - } else { - len += 52; /* tag and header */ -+ if (p->inputChan > 0 && -+ p->inputEnt > (UINT_MAX - len) / p->inputChan / 2) -+ goto overflow; -+ - len += 2 * (p->inputChan * p->inputEnt); -- len += 2 * (p->outputChan * uipow(p->clutPoints,p->inputChan)); -+ if (uipow(p->clutPoints,p->inputChan, &pw) || -+ (p->outputChan > 0 && -+ pw > (UINT_MAX - len) / p->outputChan / 2)) -+ goto overflow; -+ -+ len += 2 * (p->outputChan * pw); -+ if (p->outputChan > 0 && -+ p->outputEnt > (UINT_MAX - len) / p->outputChan / 2) -+ goto overflow; -+ - len += 2 * (p->outputChan * p->outputEnt); - } - return len; -+ -+ overflow: -+ p->icp->errc = 1; -+ return (unsigned int) -1; - } - - /* read the object, return 0 on success, error code on fail */ -@@ -4844,6 +4934,7 @@ static int icmLut_read( - icc *icp = p->icp; - int rv = 0; - unsigned long i, j, g, size; -+ unsigned int pw; - char *bp, *buf; - - if (len < 4) { -@@ -4904,6 +4995,11 @@ static int icmLut_read( - return icp->errc = 1; - } - -+ if (p->clutPoints > 255) { -+ sprintf(icp->err,"icmLut_read: too many clutPoints"); -+ return icp->errc = 1; -+ } -+ - /* Read 3x3 transform matrix */ - for (j = 0; j < 3; j++) { /* Rows */ - for (i = 0; i < 3; i++) { /* Columns */ -@@ -4921,13 +5017,18 @@ static int icmLut_read( - bp = buf+52; - } - -- if (len < icmLut_get_size((icmBase *)p)) { -+ if (len < icmLut_get_size((icmBase *)p) || icp->errc) { - sprintf(icp->err,"icmLut_read: Tag too small for contents"); - icp->al->free(icp->al, buf); - return icp->errc = 1; - } - - /* Read the input tables */ -+ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) { -+ sprintf(icp->err,"icmLut_read: overflow"); -+ icp->al->free(icp->al, buf); -+ return icp->errc = 1; -+ } - size = (p->inputChan * p->inputEnt); - if ((rv = p->allocate((icmBase *)p)) != 0) { - icp->al->free(icp->al, buf); -@@ -4942,7 +5043,14 @@ static int icmLut_read( - } - - /* Read the clut table */ -- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); -+ if (uipow(p->clutPoints,p->inputChan,&pw) || -+ (p->outputChan > 0 && -+ pw > UINT_MAX / p->outputChan)) { -+ sprintf(icp->err,"icmLut_read: overflow"); -+ icp->al->free(icp->al, buf); -+ return icp->errc = 1; -+ } -+ size = (p->outputChan * pw); - if ((rv = p->allocate((icmBase *)p)) != 0) { - icp->al->free(icp->al, buf); - return rv; -@@ -4956,6 +5064,11 @@ static int icmLut_read( - } - - /* Read the output tables */ -+ if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) { -+ sprintf(icp->err,"icmLut_read: overflow"); -+ icp->al->free(icp->al, buf); -+ return icp->errc = 1; -+ } - size = (p->outputChan * p->outputEnt); - if ((rv = p->allocate((icmBase *)p)) != 0) { - icp->al->free(icp->al, buf); -@@ -4995,12 +5108,14 @@ static int icmLut_write( - icmLut *p = (icmLut *)pp; - icc *icp = p->icp; - unsigned long i,j; -- unsigned int len, size; -+ unsigned int len, size, pw; - char *bp, *buf; /* Buffer to write from */ - int rv = 0; - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmLut_write malloc() failed"); - return icp->errc = 2; -@@ -5066,6 +5181,11 @@ static int icmLut_write( - } - - /* Write the input tables */ -+ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) { -+ sprintf(icp->err,"icmLut_write: overflow"); -+ icp->al->free(icp->al, buf); -+ return icp->errc = 1; -+ } - size = (p->inputChan * p->inputEnt); - if (p->ttype == icSigLut8Type) { - for (i = 0; i < size; i++, bp += 1) { -@@ -5086,7 +5206,14 @@ static int icmLut_write( - } - - /* Write the clut table */ -- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); -+ if (uipow(p->clutPoints,p->inputChan,&pw) || -+ (p->outputChan > 0 && -+ pw > UINT_MAX / p->outputChan)) { -+ sprintf(icp->err,"icmLut_write: overflow"); -+ icp->al->free(icp->al, buf); -+ return icp->errc = 1; -+ } -+ size = (p->outputChan * pw); - if (p->ttype == icSigLut8Type) { - for (i = 0; i < size; i++, bp += 1) { - if ((rv = write_DCS8Number(p->clutTable[i], bp)) != 0) { -@@ -5106,6 +5233,11 @@ static int icmLut_write( - } - - /* Write the output tables */ -+ if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) { -+ sprintf(icp->err,"icmLut_write: overflow"); -+ icp->al->free(icp->al, buf); -+ return icp->errc = 1; -+ } - size = (p->outputChan * p->outputEnt); - if (p->ttype == icSigLut8Type) { - for (i = 0; i < size; i++, bp += 1) { -@@ -5177,7 +5309,14 @@ static void icmLut_dump( - if (p->inputChan > MAX_CHAN) { - fprintf(op," !!Can't dump > %d input channel CLUT table!!\n",MAX_CHAN); - } else { -- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); -+ unsigned int pw; -+ if (uipow(p->clutPoints,p->inputChan,&pw) || -+ (p->outputChan > 0 && -+ pw > UINT_MAX / p->outputChan)) { -+ fprintf(op,"Would overflow.\n"); -+ return; -+ } -+ size = (p->outputChan * pw); - for (j = 0; j < p->inputChan; j++) - ii[j] = 0; - for (i = 0; i < size;) { -@@ -5216,7 +5355,7 @@ static void icmLut_dump( - static int icmLut_allocate( - icmBase *pp - ) { -- unsigned int i, j, g, size; -+ unsigned int i, j, g, size, pw; - icmLut *p = (icmLut *)pp; - icc *icp = p->icp; - -@@ -5231,6 +5370,10 @@ static int icmLut_allocate( - return icp->errc = 1; - } - -+ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) { -+ sprintf(icp->err,"icmLut_alloc: too many entries"); -+ return icp->errc = 1; -+ } - size = (p->inputChan * p->inputEnt); - if (size != p->inputTable_size) { - if (p->inputTable != NULL) -@@ -5241,7 +5384,13 @@ static int icmLut_allocate( - } - p->inputTable_size = size; - } -- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); -+ if (uipow(p->clutPoints,p->inputChan,&pw) || -+ (p->outputChan > 0 && -+ pw > UINT_MAX / p->outputChan)) { -+ sprintf(icp->err,"icmLut_alloc: overflow"); -+ return icp->errc = 1; -+ } -+ size = (p->outputChan * pw); - if (size != p->clutTable_size) { - if (p->clutTable != NULL) - icp->al->free(icp->al, p->clutTable); -@@ -5251,6 +5400,10 @@ static int icmLut_allocate( - } - p->clutTable_size = size; - } -+ if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) { -+ sprintf(icp->err,"icmLut_alloc: overflow"); -+ return icp->errc = 1; -+ } - size = (p->outputChan * p->outputEnt); - if (size != p->outputTable_size) { - if (p->outputTable != NULL) -@@ -5441,6 +5594,8 @@ static int icmMeasurement_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmMeasurement_write malloc() failed"); - return icp->errc = 2; -@@ -5712,13 +5867,20 @@ static unsigned int icmNamedColor_get_si - len += p->nDeviceCoords * 1; /* bytes for each named color */ - } - } else { /* Named Color 2 */ -+ unsigned int col; - len += 8; /* 8 bytes for tag and padding */ - len += 4; /* 4 for vendor specific flags */ - len += 4; /* 4 for count of named colors */ - len += 4; /* 4 for number of device coords */ - len += 32; /* 32 for prefix of color names */ - len += 32; /* 32 for suffix of color names */ -- len += p->count * (32 + 6 + p->nDeviceCoords * 2); /* bytes for each named color */ -+ col = 32 + 6 + p->nDeviceCoords * 2; -+ if (p->nDeviceCoords > (UINT_MAX - (32 + 6)) / 2 || -+ (p->count > 0 && col > (UINT_MAX - len) / p->count)) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } -+ len += p->count * col; /* bytes for each named color */ - } - return len; - } -@@ -5882,6 +6044,8 @@ static int icmNamedColor_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmNamedColor_write malloc() failed"); - return icp->errc = 2; -@@ -6109,9 +6273,22 @@ static unsigned int icmTextDescription_g - ) { - icmTextDescription *p = (icmTextDescription *)pp; - unsigned int len = 0; -+ if (p->size > UINT_MAX - (8 + 4 + 8)) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += 8; /* 8 bytes for tag and padding */ - len += 4 + p->size; /* Ascii string length + ascii string */ -- len += 8 + 2 * p->ucSize; /* Unicode language code + length + string */ -+ len += 8; /* Unicode language code + length */ -+ if (p->ucSize > (UINT_MAX - len) / 2) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } -+ len += 2 * p->ucSize; /* Unicode string */ -+ if (len > (UINT_MAX - (3 + 67))) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += 3 + 67; /* ScriptCode code, length string */ - return len; - } -@@ -6294,6 +6471,8 @@ static int icmTextDescription_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmTextDescription_write malloc() failed"); - return icp->errc = 2; -@@ -6544,7 +6723,7 @@ static int icmTextDescription_allocate( - if (p->ucSize != p->uc_size) { - if (p->ucDesc != NULL) - icp->al->free(icp->al, p->ucDesc); -- if ((p->ucDesc = (ORD16 *) icp->al->malloc(icp->al, p->ucSize * sizeof(ORD16))) == NULL) { -+ if ((p->ucDesc = (ORD16 *) icp->al->calloc(icp->al, p->ucSize, sizeof(ORD16))) == NULL) { - sprintf(icp->err,"icmTextDescription_alloc: malloc() of Unicode description failed"); - return icp->errc = 2; - } -@@ -6820,6 +6999,12 @@ static int icmProfileSequenceDesc_read( - bp += 8; /* Skip padding */ - - p->count = read_UInt32Number(bp); /* Number of sequence descriptions */ -+ if (p->count > 1000) { -+ sprintf(icp->err,"icmProfileSequenceDesc_read: too many sequence descriptions"); -+ icp->al->free(icp->al, buf); -+ return icp->errc = 1; -+ } -+ - bp += 4; - - /* Read all the sequence descriptions */ -@@ -6852,6 +7037,8 @@ static int icmProfileSequenceDesc_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmProfileSequenceDesc_write malloc() failed"); - return icp->errc = 2; -@@ -6922,7 +7109,7 @@ static int icmProfileSequenceDesc_alloca - if (p->count != p->_count) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (icmDescStruct *) icp->al->malloc(icp->al, p->count * sizeof(icmDescStruct))) == NULL) { -+ if ((p->data = (icmDescStruct *) icp->al->calloc(icp->al, p->count, sizeof(icmDescStruct))) == NULL) { - sprintf(icp->err,"icmProfileSequenceDesc_allocate Allocation of DescStruct array failed"); - return icp->errc = 2; - } -@@ -7041,6 +7228,8 @@ static int icmSignature_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmSignature_write malloc() failed"); - return icp->errc = 2; -@@ -7156,6 +7345,10 @@ static unsigned int icmScreening_get_siz - icmScreening *p = (icmScreening *)pp; - unsigned int len = 0; - len += 16; /* 16 bytes for tag, padding, flag & channeles */ -+ if (p->channels > (UINT_MAX - len) / 12) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += p->channels * 12; /* 12 bytes for each channel */ - return len; - } -@@ -7235,6 +7428,8 @@ static int icmScreening_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmScreening_write malloc() failed"); - return icp->errc = 2; -@@ -7315,7 +7510,7 @@ static int icmScreening_allocate( - if (p->channels != p->_channels) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (icmScreeningData *) icp->al->malloc(icp->al, p->channels * sizeof(icmScreeningData))) == NULL) { -+ if ((p->data = (icmScreeningData *) icp->al->calloc(icp->al, p->channels, sizeof(icmScreeningData))) == NULL) { - sprintf(icp->err,"icmScreening_alloc: malloc() of icmScreening data failed"); - return icp->errc = 2; - } -@@ -7366,10 +7561,20 @@ static unsigned int icmUcrBg_get_size( - icmUcrBg *p = (icmUcrBg *)pp; - unsigned int len = 0; - len += 8; /* 8 bytes for tag and padding */ -+ if (p->UCRcount > (UINT_MAX - len - 4) / 2) -+ goto overflow; -+ - len += 4 + p->UCRcount * 2; /* Undercolor Removal */ -+ if (p->BGcount > (UINT_MAX - len - 4 - p->size) / 2) -+ goto overflow; -+ - len += 4 + p->BGcount * 2; /* Black Generation */ - len += p->size; /* Description string */ - return len; -+ -+ overflow: -+ p->icp->errc = 1; -+ return (unsigned int) -1; - } - - /* read the object, return 0 on success, error code on fail */ -@@ -7498,6 +7703,8 @@ static int icmUcrBg_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmUcrBg_write malloc() failed"); - return icp->errc = 2; -@@ -7663,7 +7870,7 @@ static int icmUcrBg_allocate( - if (p->UCRcount != p->UCR_count) { - if (p->UCRcurve != NULL) - icp->al->free(icp->al, p->UCRcurve); -- if ((p->UCRcurve = (double *) icp->al->malloc(icp->al, p->UCRcount * sizeof(double))) == NULL) { -+ if ((p->UCRcurve = (double *) icp->al->calloc(icp->al, p->UCRcount, sizeof(double))) == NULL) { - sprintf(icp->err,"icmUcrBg_allocate: malloc() of UCR curve data failed"); - return icp->errc = 2; - } -@@ -7672,7 +7879,7 @@ static int icmUcrBg_allocate( - if (p->BGcount != p->BG_count) { - if (p->BGcurve != NULL) - icp->al->free(icp->al, p->BGcurve); -- if ((p->BGcurve = (double *) icp->al->malloc(icp->al, p->BGcount * sizeof(double))) == NULL) { -+ if ((p->BGcurve = (double *) icp->al->calloc(icp->al, p->BGcount, sizeof(double))) == NULL) { - sprintf(icp->err,"icmUcrBg_allocate: malloc() of BG curve data failed"); - return icp->errc = 2; - } -@@ -7743,6 +7950,15 @@ static unsigned int icmVideoCardGamma_ge - len += 2; /* 2 bytes for channels */ - len += 2; /* 2 for entry count */ - len += 2; /* 2 for entry size */ -+ if (p->u.table.entryCount > 0 && -+ p->u.table.entrySize > 0 && -+ p->u.table.channels > -+ (UINT_MAX - len) / -+ p->u.table.entryCount / -+ p->u.table.entrySize) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += ( p->u.table.channels * /* compute table size */ - p->u.table.entryCount * - p->u.table.entrySize ); -@@ -7762,10 +7978,11 @@ static int icmVideoCardGamma_read( - ) { - icmVideoCardGamma *p = (icmVideoCardGamma *)pp; - icc *icp = p->icp; -- int rv, c; -+ int rv; - char *bp, *buf; - unsigned char *pchar; - unsigned short *pshort; -+ unsigned long c; - - if (len < 18) { - sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal"); -@@ -7803,6 +8020,16 @@ static int icmVideoCardGamma_read( - p->u.table.channels = read_UInt16Number(bp+12); - p->u.table.entryCount = read_UInt16Number(bp+14); - p->u.table.entrySize = read_UInt16Number(bp+16); -+ if (p->u.table.entrySize > 65530 || p->u.table.entrySize == 0) { -+ sprintf(icp->err,"icmVideoCardGamma_read: Too many entries (or none)"); -+ return icp->errc = 1; -+ } -+ if (p->u.table.entryCount > 0 && p->u.table.entrySize > 0 && -+ p->u.table.channels > -+ UINT_MAX / p->u.table.entryCount / p->u.table.entrySize) { -+ sprintf(icp->err,"icmVideoCardGamma_read: Overflow reading tag"); -+ return icp->errc = 1; -+ } - if (len-18 < p->u.table.channels*p->u.table.entryCount*p->u.table.entrySize) { - sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal"); - return icp->errc = 1; -@@ -7871,6 +8098,8 @@ static int icmVideoCardGamma_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmViewingConditions_write malloc() failed"); - return icp->errc = 2; -@@ -8049,7 +8278,7 @@ static int icmVideoCardGamma_allocate( - ) { - icmVideoCardGamma *p = (icmVideoCardGamma *)pp; - icc *icp = p->icp; -- int size; -+ unsigned int size; - - /* note: allocation is only relevant for table type - * and in that case the channels, entryCount, and entrySize -@@ -8059,6 +8288,11 @@ static int icmVideoCardGamma_allocate( - if (p->tagType == icmVideoCardGammaTableType) { - if (p->u.table.data != NULL) - icp->al->free(icp->al, p->u.table.data); -+ if (p->u.table.entryCount > 0 && -+ p->u.table.channels > UINT_MAX / p->u.table.entryCount) { -+ sprintf(icp->err,"icmVideoCardGamma_alloc: table too large"); -+ return icp->errc = 1; -+ } - size = (p->u.table.channels * - p->u.table.entryCount); - switch (p->u.table.entrySize) { -@@ -8066,6 +8300,10 @@ static int icmVideoCardGamma_allocate( - size *= sizeof(unsigned char); - break; - case 2: -+ if (size > UINT_MAX / sizeof(unsigned short)) { -+ sprintf(icp->err,"icmVideoCardGamma_alloc: table too large"); -+ return icp->errc = 1; -+ } - size *= sizeof(unsigned short); - break; - default: -@@ -8201,6 +8439,8 @@ static int icmViewingConditions_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmViewingConditions_write malloc() failed"); - return icp->errc = 2; -@@ -8433,6 +8673,8 @@ static int icmCrdInfo_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmCrdInfo_write malloc() failed"); - return icp->errc = 2; -@@ -8736,6 +8978,8 @@ static int icmHeader_write( - int rv = 0; - - len = p->get_size(p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->calloc(icp->al,1,len)) == NULL) { /* Zero it - some CMS are fussy */ - sprintf(icp->err,"icmHeader_write calloc() failed"); - return icp->errc = 2; -@@ -9245,13 +9489,23 @@ static int icc_read( - } - - p->count = read_UInt32Number(tcbuf); /* Tag count */ -+ if (p->count > 100) { -+ sprintf(p->err,"icc_read: too many table tags"); -+ return p->errc = 1; -+ } - if (p->count > 0) { - char *bp, *buf; -- if ((p->data = (icmTag *) p->al->malloc(p->al, p->count * sizeof(icmTag))) == NULL) { -+ if ((p->data = (icmTag *) p->al->calloc(p->al, p->count, sizeof(icmTag))) == NULL) { - sprintf(p->err,"icc_read: Tag table malloc() failed"); - return p->errc = 2; - } - -+ if (p->count > (UINT_MAX - 4) / 12) { -+ sprintf(p->err,"icc_read: overflow"); -+ p->al->free(p->al, p->data); -+ p->data = NULL; -+ return p->errc = 1; -+ } - len = 4 + p->count * 12; - if ((buf = (char *) p->al->malloc(p->al, len)) == NULL) { - sprintf(p->err,"icc_read: Tag table read buffer malloc() failed"); -@@ -9281,6 +9535,14 @@ static int icc_read( - return p->errc = 1; - } - p->data[i].size = read_UInt32Number(bp + 8); -+ if (p->data[i].offset + p->data[i].size > -+ p->header->size) { -+ sprintf(p->err,"icc_read: tag out of bounds"); -+ p->al->free(p->al, p->data); -+ p->data = NULL; -+ p->al->free(p->al, buf); -+ return p->errc = 1; -+ } - if ( p->fp->seek(p->fp, of + p->data[i].offset) != 0 - || p->fp->read(p->fp, tcbuf, 1, 4) != 4) { - sprintf(p->err,"icc_read: fseek() or fread() failed on tag headers"); -@@ -9321,8 +9583,14 @@ static unsigned int icc_get_size( - } - - size += p->header->get_size(p->header); -+ if (p->errc) -+ return (unsigned int) -1; - - size = DO_ALIGN(size); -+ if (size == 0 || p->count > (UINT_MAX - 4 - size) / 12) { -+ p->errc = 1; -+ return (unsigned int) -1; -+ } - size += 4 + p->count * 12; /* Tag table length */ - - /* Reset touched flag for each tag type */ -@@ -9337,8 +9605,13 @@ static unsigned int icc_get_size( - /* Get size for each tag type, skipping links */ - for (i = 0; i < p->count; i++) { - if (p->data[i].objp->touched == 0) { /* Not alllowed for previously */ -+ unsigned int obj_size; - size = DO_ALIGN(size); -- size += p->data[i].objp->get_size(p->data[i].objp); -+ obj_size = p->data[i].objp->get_size(p->data[i].objp); -+ if (size == 0 || p->errc || -+ obj_size > UINT_MAX - size) -+ return (unsigned int) -1; -+ size += obj_size; - p->data[i].objp->touched = 1; /* Don't account for this again */ - } - } -@@ -9373,9 +9646,19 @@ static int icc_write( - } - - size += p->header->get_size(p->header); -+ if (p->errc) -+ return p->errc; - -+ if (p->count > (UINT_MAX - 4 - len) / 12) { -+ sprintf(p->err,"icc_write: too many tags"); -+ return p->errc = 1; -+ } - len = 4 + p->count * 12; /* Tag table length */ - size = DO_ALIGN(size); -+ if (size == 0 || size > UINT_MAX - len) { -+ sprintf(p->err,"icc_write: overflow writing tag table"); -+ return p->errc = 1; -+ } - size += len; - - /* Allocate memory buffer for tag table */ -@@ -9406,6 +9689,12 @@ static int icc_write( - size = DO_ALIGN(size); - p->data[i].offset = size; /* Profile relative target */ - p->data[i].size = p->data[i].objp->get_size(p->data[i].objp); -+ if (size == 0 || -+ p->errc || p->data[i].size > UINT_MAX - size) { -+ sprintf(p->err,"icc_write: internal error - overflow?"); -+ p->al->free(p->al, buf); -+ return p->errc; -+ } - size += p->data[i].size; - p->data[i].objp->touched = 1; /* Allocated space for it */ - } else { /* must be linked - copy allocation */ -@@ -9529,6 +9818,11 @@ static icmBase *icc_add_tag( - } - - /* Make space in tag table for new tag item */ -+ if (p->count > (UINT_MAX / sizeof(icmTag)) - 1) { -+ sprintf(p->err,"icc_add_tag: overflow"); -+ p->errc = 1; -+ return NULL; -+ } - if (p->data == NULL) - tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag)); - else -@@ -9612,6 +9906,11 @@ static icmBase *icc_link_tag( - } - - /* Make space in tag table for new tag item */ -+ if (p->count > (UINT_MAX / sizeof(icmTag)) - 1) { -+ sprintf(p->err,"icc_link_tag: overflow"); -+ p->errc = 1; -+ return NULL; -+ } - if (p->data == NULL) - tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag)); - else -@@ -12246,6 +12545,7 @@ static icmLuBase* icc_get_luobj ( - if ((blackPointTag = (icmXYZArray *)p->read_tag(p, icSigMediaBlackPointTag)) == NULL - || blackPointTag->ttype != icSigXYZType || blackPointTag->size < 1) { - blackPoint = icmBlack; /* default */ -+ p->errc = 0; /* reset the error code. black point is NOT required */ - } else - blackPoint = blackPointTag->data[0]; /* Copy structure */ - } diff --git a/ghostscript-CVE-2009-0792.patch b/ghostscript-CVE-2009-0792.patch deleted file mode 100644 index 3c40a76..0000000 --- a/ghostscript-CVE-2009-0792.patch +++ /dev/null @@ -1,166 +0,0 @@ -diff -up ghostscript-8.64/icclib/icc.c.CVE-2009-0792 ghostscript-8.64/icclib/icc.c ---- ghostscript-8.64/icclib/icc.c.CVE-2009-0792 2009-04-15 16:20:04.000000000 +0100 -+++ ghostscript-8.64/icclib/icc.c 2009-04-15 16:20:24.000000000 +0100 -@@ -2982,7 +2982,7 @@ static int icmCurve_lookup_fwd( - rv |= 1; - } - ix = (int)floor(val); /* Coordinate */ -- if (ix > (p->size-2)) -+ if (ix < 0 || ix > (p->size-2)) - ix = (p->size-2); - w = val - (double)ix; /* weight */ - val = p->data[ix]; -@@ -3004,6 +3004,11 @@ static int icmTable_setup_bwd( - ) { - int i; - -+ if (size > INT_MAX - 2) -+ /* Although rt->size is unsigned long, the rt data -+ * structure uses int data types to store indices. */ -+ return 2; -+ - rt->size = size; /* Stash pointers to these away */ - rt->data = data; - -@@ -3022,7 +3027,7 @@ static int icmTable_setup_bwd( - rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin); /* Scale factor to quantize to */ - - /* Initialize the reverse lookup structures, and get overall min/max */ -- if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) { -+ if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) { - return 2; - } - -@@ -3035,6 +3040,15 @@ static int icmTable_setup_bwd( - int t; - t = s; s = e; e = t; - } -+ /* s and e should both be in the range [0,rt->rsize] -+ * now, but let's not rely on floating point -+ * calculations -- double-check. */ -+ if (s < 0) -+ s = 0; -+ if (e < 0) -+ e = 0; -+ if (s >= rt->rsize) -+ s = rt->rsize-1; - if (e >= rt->rsize) - e = rt->rsize-1; - -@@ -3053,6 +3067,9 @@ static int icmTable_setup_bwd( - as = rt->rlists[j][0]; /* Allocate space for this list */ - nf = rt->rlists[j][1]; /* Next free location in list */ - if (nf >= as) { /* need to expand space */ -+ if (as > INT_MAX / 2 / sizeof (int)) -+ return 2; -+ - as *= 2; - rt->rlists[j] = (int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as); - if (rt->rlists[j] == NULL) { -@@ -3104,7 +3121,7 @@ static int icmTable_lookup_bwd( - val = rsize_1; - ix = (int)floor(val); /* Coordinate */ - -- if (ix > (rt->size-2)) -+ if (ix < 0 || ix > (rt->size-2)) - ix = (rt->size-2); - if (rt->rlists[ix] != NULL) { /* There is a list of fwd candidates */ - /* For each candidate forward range */ -@@ -3131,6 +3148,7 @@ static int icmTable_lookup_bwd( - /* We have failed to find an exact value, so return the nearest value */ - /* (This is slow !) */ - val = fabs(ival - rt->data[0]); -+ /* rt->size is known to be < INT_MAX */ - for (k = 0, i = 1; i < rt->size; i++) { - double er; - er = fabs(ival - rt->data[i]); -@@ -3671,7 +3689,7 @@ static int icmData_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) { -+ if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) { - sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed"); - return icp->errc = 2; - } -@@ -3887,7 +3905,7 @@ static int icmText_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { -+ if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { - sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed"); - return icp->errc = 2; - } -@@ -4301,7 +4319,7 @@ double *in /* Input array[inputChan] */ - rv |= 1; - } - ix = (int)floor(val); /* Grid coordinate */ -- if (ix > (p->inputEnt-2)) -+ if (ix < 0 || ix > (p->inputEnt-2)) - ix = (p->inputEnt-2); - w = val - (double)ix; /* weight */ - val = table[ix]; -@@ -4360,7 +4378,7 @@ double *in /* Input array[outputChan] * - rv |= 1; - } - x = (int)floor(val); /* Grid coordinate */ -- if (x > clutPoints_2) -+ if (x < 0 || x > clutPoints_2) - x = clutPoints_2; - co[e] = val - (double)x; /* 1.0 - weight */ - gp += x * p->dinc[e]; /* Add index offset for base of cube */ -@@ -4433,7 +4451,7 @@ double *in /* Input array[outputChan] * - rv |= 1; - } - x = (int)floor(val); /* Grid coordinate */ -- if (x > clutPoints_2) -+ if (x < 0 || x > clutPoints_2) - x = clutPoints_2; - co[e] = val - (double)x; /* 1.0 - weight */ - gp += x * p->dinc[e]; /* Add index offset for base of cube */ -@@ -4506,7 +4524,7 @@ double *in /* Input array[outputChan] * - rv |= 1; - } - ix = (int)floor(val); /* Grid coordinate */ -- if (ix > (p->outputEnt-2)) -+ if (ix < 0 || ix > (p->outputEnt-2)) - ix = (p->outputEnt-2); - w = val - (double)ix; /* weight */ - val = table[ix]; -@@ -6714,7 +6732,7 @@ static int icmTextDescription_allocate( - if (p->size != p->_size) { - if (p->desc != NULL) - icp->al->free(icp->al, p->desc); -- if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { -+ if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { - sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed"); - return icp->errc = 2; - } -@@ -7888,7 +7906,7 @@ static int icmUcrBg_allocate( - if (p->size != p->_size) { - if (p->string != NULL) - icp->al->free(icp->al, p->string); -- if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { -+ if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { - sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed"); - return icp->errc = 2; - } -@@ -8827,7 +8845,7 @@ static int icmCrdInfo_allocate( - if (p->ppsize != p->_ppsize) { - if (p->ppname != NULL) - icp->al->free(icp->al, p->ppname); -- if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) { -+ if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) { - sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed"); - return icp->errc = 2; - } -@@ -8837,7 +8855,7 @@ static int icmCrdInfo_allocate( - if (p->crdsize[t] != p->_crdsize[t]) { - if (p->crdname[t] != NULL) - icp->al->free(icp->al, p->crdname[t]); -- if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) { -+ if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) { - sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t); - return icp->errc = 2; - } diff --git a/ghostscript-bitcmyk.patch b/ghostscript-bitcmyk.patch deleted file mode 100644 index 718f22b..0000000 --- a/ghostscript-bitcmyk.patch +++ /dev/null @@ -1,35 +0,0 @@ -diff -up ghostscript-8.64/base/gdevbit.c.bitcmyk ghostscript-8.64/base/gdevbit.c ---- ghostscript-8.64/base/gdevbit.c.bitcmyk 2008-08-21 00:58:43.000000000 +0100 -+++ ghostscript-8.64/base/gdevbit.c 2009-02-17 16:27:38.000000000 +0000 -@@ -653,7 +653,7 @@ bit_put_params(gx_device * pdev, gs_para - pdev->color_info.depth == 32 ? cmyk_8bit_map_cmyk_color : - bit_map_cmyk_color); - } -- /* Reset the sparable and linear shift, masks, bits. */ -+ /* Reset the separable and linear shift, masks, bits. */ - set_linear_color_bits_mask_shift(pdev); - pdev->color_info.separable_and_linear = GX_CINFO_SEP_LIN; - ((gx_device_bit *)pdev)->FirstLine = FirstLine; -@@ -671,16 +671,18 @@ bit_print_page(gx_device_printer * pdev, - byte *in = gs_alloc_bytes(pdev->memory, line_size, "bit_print_page(in)"); - byte *data; - int nul = !strcmp(pdev->fname, "nul") || !strcmp(pdev->fname, "/dev/null"); -- int lnum = ((gx_device_bit *)pdev)->FirstLine; -- int bottom = ((gx_device_bit *)pdev)->LastLine; -+ int lnum = ((gx_device_bit *)pdev)->FirstLine >= pdev->height ? pdev->height - 1 : -+ ((gx_device_bit *)pdev)->FirstLine; -+ int bottom = ((gx_device_bit *)pdev)->LastLine >= pdev->height ? pdev->height - 1 : -+ ((gx_device_bit *)pdev)->LastLine; - int line_count = any_abs(bottom - lnum); - int i, step = lnum > bottom ? -1 : 1; - - if (in == 0) - return_error(gs_error_VMerror); - if ((lnum == 0) && (bottom == 0)) -- bottom = pdev->height - 1; -- for (i = 0; i < line_count; i++, lnum += step) { -+ line_count = pdev->height - 1; /* default when LastLine == 0, FirstLine == 0 */ -+ for (i = 0; i <= line_count; i++, lnum += step) { - gdev_prn_get_bits(pdev, lnum, in, &data); - if (!nul) - fwrite(data, 1, line_size, prn_stream); diff --git a/ghostscript-gs-executable.patch b/ghostscript-gs-executable.patch index 7f1a966..ae16dde 100644 --- a/ghostscript-gs-executable.patch +++ b/ghostscript-gs-executable.patch @@ -1,6 +1,6 @@ -diff -up ghostscript-8.64/lib/bdftops.gs-executable ghostscript-8.64/lib/bdftops ---- ghostscript-8.64/lib/bdftops.gs-executable 2009-06-10 17:55:39.762484085 +0100 -+++ ghostscript-8.64/lib/bdftops 2009-06-10 17:55:39.765483778 +0100 +diff -up ghostscript-8.70/lib/bdftops.gs-executable ghostscript-8.70/lib/bdftops +--- ghostscript-8.70/lib/bdftops.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/bdftops 2009-08-03 17:53:20.569875831 +0100 @@ -6,8 +6,7 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -12,9 +12,9 @@ diff -up ghostscript-8.64/lib/bdftops.gs-executable ghostscript-8.64/lib/bdftops -exec "$GS_EXECUTABLE" -q -dBATCH -dNODISPLAY -- bdftops.ps "$@" +exec "$gs" -q -dBATCH -dNODISPLAY -- bdftops.ps "$@" -diff -up ghostscript-8.64/lib/dumphint.gs-executable ghostscript-8.64/lib/dumphint ---- ghostscript-8.64/lib/dumphint.gs-executable 2009-06-10 17:55:39.767484373 +0100 -+++ ghostscript-8.64/lib/dumphint 2009-06-10 17:55:39.823360403 +0100 +diff -up ghostscript-8.70/lib/dumphint.gs-executable ghostscript-8.70/lib/dumphint +--- ghostscript-8.70/lib/dumphint.gs-executable 2009-01-04 20:11:57.000000000 +0000 ++++ ghostscript-8.70/lib/dumphint 2009-08-03 17:53:20.570875283 +0100 @@ -7,9 +7,8 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -32,9 +32,9 @@ diff -up ghostscript-8.64/lib/dumphint.gs-executable ghostscript-8.64/lib/dumphi -exec "$GS_EXECUTABLE" -q -dNODISPLAY $OPTIONS -- "`dirname $0`/dumphint.ps" "$1" +exec "$gs" -q -dNODISPLAY $OPTIONS -- "`dirname $0`/dumphint.ps" "$1" -diff -up ghostscript-8.64/lib/eps2eps.gs-executable ghostscript-8.64/lib/eps2eps ---- ghostscript-8.64/lib/eps2eps.gs-executable 2009-06-10 17:55:39.846358935 +0100 -+++ ghostscript-8.64/lib/eps2eps 2009-06-10 17:55:39.848359175 +0100 +diff -up ghostscript-8.70/lib/eps2eps.gs-executable ghostscript-8.70/lib/eps2eps +--- ghostscript-8.70/lib/eps2eps.gs-executable 2009-01-10 22:11:18.000000000 +0000 ++++ ghostscript-8.70/lib/eps2eps 2009-08-03 17:53:20.573877995 +0100 @@ -7,9 +7,8 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -52,9 +52,9 @@ diff -up ghostscript-8.64/lib/eps2eps.gs-executable ghostscript-8.64/lib/eps2eps -exec "$GS_EXECUTABLE" -q -sDEVICE=epswrite -sstdout=%stderr "-sOutputFile=$2" -dNOPAUSE -dBATCH -dSAFER $OPTIONS "$1" +exec "$gs" -q -sDEVICE=epswrite -sstdout=%stderr "-sOutputFile=$2" -dNOPAUSE -dBATCH -dSAFER $OPTIONS "$1" -diff -up ghostscript-8.64/lib/font2c.gs-executable ghostscript-8.64/lib/font2c ---- ghostscript-8.64/lib/font2c.gs-executable 2009-06-10 17:55:39.850358868 +0100 -+++ ghostscript-8.64/lib/font2c 2009-06-10 17:55:39.852359769 +0100 +diff -up ghostscript-8.70/lib/font2c.gs-executable ghostscript-8.70/lib/font2c +--- ghostscript-8.70/lib/font2c.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/font2c 2009-08-03 17:53:20.576874823 +0100 @@ -6,8 +6,7 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -66,9 +66,9 @@ diff -up ghostscript-8.64/lib/font2c.gs-executable ghostscript-8.64/lib/font2c -exec "$GS_EXECUTABLE" -q -dNODISPLAY -dWRITESYSTEMDICT -- font2c.ps "$@" +exec "$gs" -q -dNODISPLAY -dWRITESYSTEMDICT -- font2c.ps "$@" -diff -up ghostscript-8.64/lib/gsbj.gs-executable ghostscript-8.64/lib/gsbj ---- ghostscript-8.64/lib/gsbj.gs-executable 2009-06-10 17:55:39.854358559 +0100 -+++ ghostscript-8.64/lib/gsbj 2009-06-10 17:55:39.856358929 +0100 +diff -up ghostscript-8.70/lib/gsbj.gs-executable ghostscript-8.70/lib/gsbj +--- ghostscript-8.70/lib/gsbj.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/gsbj 2009-08-03 17:53:20.579874829 +0100 @@ -6,8 +6,7 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -80,9 +80,9 @@ diff -up ghostscript-8.64/lib/gsbj.gs-executable ghostscript-8.64/lib/gsbj -exec "$GS_EXECUTABLE" -q -sDEVICE=bj10e -r180 -dNOPAUSE -sPROGNAME=$0 -- gslp.ps --heading-center "`date`" "$@" +exec "$gs" -q -sDEVICE=bj10e -r180 -dNOPAUSE -sPROGNAME=$0 -- gslp.ps --heading-center "`date`" "$@" -diff -up ghostscript-8.64/lib/gsdj500.gs-executable ghostscript-8.64/lib/gsdj500 ---- ghostscript-8.64/lib/gsdj500.gs-executable 2009-06-10 17:55:39.863358659 +0100 -+++ ghostscript-8.64/lib/gsdj500 2009-06-10 17:55:39.865358381 +0100 +diff -up ghostscript-8.70/lib/gsdj500.gs-executable ghostscript-8.70/lib/gsdj500 +--- ghostscript-8.70/lib/gsdj500.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/gsdj500 2009-08-03 17:53:20.582874574 +0100 @@ -6,8 +6,7 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -94,9 +94,9 @@ diff -up ghostscript-8.64/lib/gsdj500.gs-executable ghostscript-8.64/lib/gsdj500 -exec "$GS_EXECUTABLE" -q -sDEVICE=djet500 -r300 -dNOPAUSE -sPROGNAME=$0 -- gslp.ps --heading-center "`date`" "$@" +exec "$gs" -q -sDEVICE=djet500 -r300 -dNOPAUSE -sPROGNAME=$0 -- gslp.ps --heading-center "`date`" "$@" -diff -up ghostscript-8.64/lib/gsdj.gs-executable ghostscript-8.64/lib/gsdj ---- ghostscript-8.64/lib/gsdj.gs-executable 2009-06-10 17:55:39.858358853 +0100 -+++ ghostscript-8.64/lib/gsdj 2009-06-10 17:55:39.860359097 +0100 +diff -up ghostscript-8.70/lib/gsdj.gs-executable ghostscript-8.70/lib/gsdj +--- ghostscript-8.70/lib/gsdj.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/gsdj 2009-08-03 17:53:20.585875161 +0100 @@ -6,8 +6,7 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -108,9 +108,9 @@ diff -up ghostscript-8.64/lib/gsdj.gs-executable ghostscript-8.64/lib/gsdj -exec "$GS_EXECUTABLE" -q -sDEVICE=deskjet -r300 -dNOPAUSE -sPROGNAME=$0 -- gslp.ps --heading-center "`date`" "$@" +exec "$gs" -q -sDEVICE=deskjet -r300 -dNOPAUSE -sPROGNAME=$0 -- gslp.ps --heading-center "`date`" "$@" -diff -up ghostscript-8.64/lib/gslj.gs-executable ghostscript-8.64/lib/gslj ---- ghostscript-8.64/lib/gslj.gs-executable 2009-06-10 17:55:39.867359335 +0100 -+++ ghostscript-8.64/lib/gslj 2009-06-10 17:55:39.868359409 +0100 +diff -up ghostscript-8.70/lib/gslj.gs-executable ghostscript-8.70/lib/gslj +--- ghostscript-8.70/lib/gslj.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/gslj 2009-08-03 17:53:20.588874966 +0100 @@ -6,8 +6,7 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -122,9 +122,9 @@ diff -up ghostscript-8.64/lib/gslj.gs-executable ghostscript-8.64/lib/gslj -exec "$GS_EXECUTABLE" -q -sDEVICE=laserjet -r300 -dNOPAUSE -sPROGNAME=$0 -- gslp.ps --heading-center "`date`" "$@" +exec "$gs" -q -sDEVICE=laserjet -r300 -dNOPAUSE -sPROGNAME=$0 -- gslp.ps --heading-center "`date`" "$@" -diff -up ghostscript-8.64/lib/gslp.gs-executable ghostscript-8.64/lib/gslp ---- ghostscript-8.64/lib/gslp.gs-executable 2009-06-10 17:55:39.870359296 +0100 -+++ ghostscript-8.64/lib/gslp 2009-06-10 17:55:39.872359052 +0100 +diff -up ghostscript-8.70/lib/gslp.gs-executable ghostscript-8.70/lib/gslp +--- ghostscript-8.70/lib/gslp.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/gslp 2009-08-03 17:53:20.591874666 +0100 @@ -6,8 +6,7 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -136,9 +136,9 @@ diff -up ghostscript-8.64/lib/gslp.gs-executable ghostscript-8.64/lib/gslp -exec "$GS_EXECUTABLE" -q -sDEVICE=epson -r180 -dNOPAUSE -sPROGNAME=$0 -- gslp.ps --heading-center "`date`" "$@" +exec "$gs" -q -sDEVICE=epson -r180 -dNOPAUSE -sPROGNAME=$0 -- gslp.ps --heading-center "`date`" "$@" -diff -up ghostscript-8.64/lib/gsnd.gs-executable ghostscript-8.64/lib/gsnd ---- ghostscript-8.64/lib/gsnd.gs-executable 2009-06-10 17:55:39.874358723 +0100 -+++ ghostscript-8.64/lib/gsnd 2009-06-10 17:55:39.876358801 +0100 +diff -up ghostscript-8.70/lib/gsnd.gs-executable ghostscript-8.70/lib/gsnd +--- ghostscript-8.70/lib/gsnd.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/gsnd 2009-08-03 17:53:20.594874682 +0100 @@ -6,8 +6,7 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -150,9 +150,9 @@ diff -up ghostscript-8.64/lib/gsnd.gs-executable ghostscript-8.64/lib/gsnd -exec "$GS_EXECUTABLE" -dNODISPLAY "$@" +exec "$gs" -dNODISPLAY "$@" -diff -up ghostscript-8.64/lib/pdf2dsc.gs-executable ghostscript-8.64/lib/pdf2dsc ---- ghostscript-8.64/lib/pdf2dsc.gs-executable 2009-06-10 17:55:39.878358517 +0100 -+++ ghostscript-8.64/lib/pdf2dsc 2009-06-10 17:55:39.880358835 +0100 +diff -up ghostscript-8.70/lib/pdf2dsc.gs-executable ghostscript-8.70/lib/pdf2dsc +--- ghostscript-8.70/lib/pdf2dsc.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/pdf2dsc 2009-08-03 17:53:20.597874954 +0100 @@ -11,9 +11,8 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -171,9 +171,9 @@ diff -up ghostscript-8.64/lib/pdf2dsc.gs-executable ghostscript-8.64/lib/pdf2dsc -exec "$GS_EXECUTABLE" -q -dNODISPLAY -dSAFER -dDELAYSAFER\ +exec "$gs" -q -dNODISPLAY -dSAFER -dDELAYSAFER\ -sPDFname="$pdffile" -sDSCname="$dscfile" pdf2dsc.ps -c quit -diff -up ghostscript-8.64/lib/pdf2ps.gs-executable ghostscript-8.64/lib/pdf2ps ---- ghostscript-8.64/lib/pdf2ps.gs-executable 2009-06-10 17:55:39.882358707 +0100 -+++ ghostscript-8.64/lib/pdf2ps 2009-06-10 17:55:39.884359406 +0100 +diff -up ghostscript-8.70/lib/pdf2ps.gs-executable ghostscript-8.70/lib/pdf2ps +--- ghostscript-8.70/lib/pdf2ps.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/pdf2ps 2009-08-03 17:53:20.601874677 +0100 @@ -7,9 +7,8 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -191,9 +191,9 @@ diff -up ghostscript-8.64/lib/pdf2ps.gs-executable ghostscript-8.64/lib/pdf2ps # appears before other options. -exec "$GS_EXECUTABLE" $OPTIONS -q -dNOPAUSE -dBATCH -dSAFER -sDEVICE=pswrite "-sOutputFile=$outfile" $OPTIONS -c save pop -f "$1" +exec "$gs" $OPTIONS -q -dNOPAUSE -dBATCH -dSAFER -sDEVICE=pswrite "-sOutputFile=$outfile" $OPTIONS -c save pop -f "$1" -diff -up ghostscript-8.64/lib/pdfopt.gs-executable ghostscript-8.64/lib/pdfopt ---- ghostscript-8.64/lib/pdfopt.gs-executable 2009-06-10 17:55:39.886358586 +0100 -+++ ghostscript-8.64/lib/pdfopt 2009-06-10 17:55:39.888358849 +0100 +diff -up ghostscript-8.70/lib/pdfopt.gs-executable ghostscript-8.70/lib/pdfopt +--- ghostscript-8.70/lib/pdfopt.gs-executable 2008-05-25 03:17:14.000000000 +0100 ++++ ghostscript-8.70/lib/pdfopt 2009-08-03 17:53:20.604874898 +0100 @@ -7,9 +7,8 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -211,9 +211,9 @@ diff -up ghostscript-8.64/lib/pdfopt.gs-executable ghostscript-8.64/lib/pdfopt -exec "$GS_EXECUTABLE" -q -dNODISPLAY $OPTIONS -- pdfopt.ps "$1" "$2" +exec "$gs" -q -dNODISPLAY $OPTIONS -- pdfopt.ps "$1" "$2" -diff -up ghostscript-8.64/lib/pf2afm.gs-executable ghostscript-8.64/lib/pf2afm ---- ghostscript-8.64/lib/pf2afm.gs-executable 2009-06-10 17:55:39.890358746 +0100 -+++ ghostscript-8.64/lib/pf2afm 2009-06-10 17:55:39.892358698 +0100 +diff -up ghostscript-8.70/lib/pf2afm.gs-executable ghostscript-8.70/lib/pf2afm +--- ghostscript-8.70/lib/pf2afm.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/pf2afm 2009-08-03 17:53:20.608874740 +0100 @@ -10,8 +10,7 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -225,9 +225,9 @@ diff -up ghostscript-8.64/lib/pf2afm.gs-executable ghostscript-8.64/lib/pf2afm -exec "$GS_EXECUTABLE" -q -dNODISPLAY -dSAFER -dDELAYSAFER -- pf2afm.ps "$@" +exec "$gs" -q -dNODISPLAY -dSAFER -dDELAYSAFER -- pf2afm.ps "$@" -diff -up ghostscript-8.64/lib/pfbtopfa.gs-executable ghostscript-8.64/lib/pfbtopfa ---- ghostscript-8.64/lib/pfbtopfa.gs-executable 2009-06-10 17:55:39.894358695 +0100 -+++ ghostscript-8.64/lib/pfbtopfa 2009-06-10 17:55:39.896359133 +0100 +diff -up ghostscript-8.70/lib/pfbtopfa.gs-executable ghostscript-8.70/lib/pfbtopfa +--- ghostscript-8.70/lib/pfbtopfa.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/pfbtopfa 2009-08-03 17:53:20.612874691 +0100 @@ -7,9 +7,8 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -245,9 +245,9 @@ diff -up ghostscript-8.64/lib/pfbtopfa.gs-executable ghostscript-8.64/lib/pfbtop -exec "$GS_EXECUTABLE" -q -dNODISPLAY -- pfbtopfa.ps "$1" "$outfile" +exec "$gs" -q -dNODISPLAY -- pfbtopfa.ps "$1" "$outfile" -diff -up ghostscript-8.64/lib/pphs.gs-executable ghostscript-8.64/lib/pphs ---- ghostscript-8.64/lib/pphs.gs-executable 2009-06-10 17:55:39.898358975 +0100 -+++ ghostscript-8.64/lib/pphs 2009-06-10 17:55:39.900359087 +0100 +diff -up ghostscript-8.70/lib/pphs.gs-executable ghostscript-8.70/lib/pphs +--- ghostscript-8.70/lib/pphs.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/pphs 2009-08-03 17:53:20.616874647 +0100 @@ -9,8 +9,7 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -259,9 +259,9 @@ diff -up ghostscript-8.64/lib/pphs.gs-executable ghostscript-8.64/lib/pphs -exec "$GS_EXECUTABLE" -q -dNODISPLAY -- pphs.ps "$@" +exec "$gs" -q -dNODISPLAY -- pphs.ps "$@" -diff -up ghostscript-8.64/lib/printafm.gs-executable ghostscript-8.64/lib/printafm ---- ghostscript-8.64/lib/printafm.gs-executable 2009-06-10 17:55:39.902358678 +0100 -+++ ghostscript-8.64/lib/printafm 2009-06-10 17:55:39.904358851 +0100 +diff -up ghostscript-8.70/lib/printafm.gs-executable ghostscript-8.70/lib/printafm +--- ghostscript-8.70/lib/printafm.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/printafm 2009-08-03 17:53:20.619874766 +0100 @@ -9,8 +9,7 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -273,9 +273,9 @@ diff -up ghostscript-8.64/lib/printafm.gs-executable ghostscript-8.64/lib/printa -exec "$GS_EXECUTABLE" -q -dNODISPLAY -- printafm.ps "$@" +exec "$gs" -q -dNODISPLAY -- printafm.ps "$@" -diff -up ghostscript-8.64/lib/ps2epsi.gs-executable ghostscript-8.64/lib/ps2epsi ---- ghostscript-8.64/lib/ps2epsi.gs-executable 2009-06-10 17:55:39.906359755 +0100 -+++ ghostscript-8.64/lib/ps2epsi 2009-06-10 17:55:39.908359051 +0100 +diff -up ghostscript-8.70/lib/ps2epsi.gs-executable ghostscript-8.70/lib/ps2epsi +--- ghostscript-8.70/lib/ps2epsi.gs-executable 2009-04-07 11:20:02.000000000 +0100 ++++ ghostscript-8.70/lib/ps2epsi 2009-08-03 17:54:48.355750266 +0100 @@ -6,9 +6,8 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -287,18 +287,27 @@ diff -up ghostscript-8.64/lib/ps2epsi.gs-executable ghostscript-8.64/lib/ps2epsi # try to create a temporary file securely if test -z "$TMPDIR"; then -@@ -75,7 +74,7 @@ awk 'F==1 { - } - ' U="$USERNAME$LOGNAME" F=1 - F=2 "${infile}" >"$tmpfile" +@@ -50,7 +49,7 @@ else + outfile=$2 + fi --"$GS_EXECUTABLE" -q -sPAPERSIZE=a0 -dNOPAUSE -dSAFER -dDELAYSAFER -r72 -sDEVICE=bit -sOutputFile=/dev/null "$tmpfile" ps2epsi.ps "$tmpfile" <"${infile}" 1>&2 -+"$gs" -q -sPAPERSIZE=a0 -dNOPAUSE -dSAFER -dDELAYSAFER -r72 -sDEVICE=bit -sOutputFile=/dev/null "$tmpfile" ps2epsi.ps "$tmpfile" <"${infile}" 1>&2 +-"$GS_EXECUTABLE" -q -dBATCH -dNOPAUSE -dSAFER -dDELAYSAFER -sDEVICE=bbox -sOutputFile=/dev/null "${infile}" 2>${outfile} ++"$gs" -q -dBATCH -dNOPAUSE -dSAFER -dDELAYSAFER -sDEVICE=bbox -sOutputFile=/dev/null "${infile}" 2>${outfile} + + ls -l "${infile}" | + awk 'F==1 { +@@ -92,7 +91,7 @@ awk 'F==1 { + } + ' F=1 - F=2 "${outfile}" >>"$tmpfile" + +-"$GS_EXECUTABLE" -q -dNOPAUSE -dSAFER -dDELAYSAFER -r72 -sDEVICE=bit -sOutputFile=/dev/null "$tmpfile" ps2epsi.ps "$tmpfile" <"${infile}" 1>&2 ++"$gs" -q -dNOPAUSE -dSAFER -dDELAYSAFER -r72 -sDEVICE=bit -sOutputFile=/dev/null "$tmpfile" ps2epsi.ps "$tmpfile" <"${infile}" 1>&2 rm -f "$tmpfile" rm -rf "$tmpdir" -diff -up ghostscript-8.64/lib/ps2pdfwr.gs-executable ghostscript-8.64/lib/ps2pdfwr ---- ghostscript-8.64/lib/ps2pdfwr.gs-executable 2009-06-10 17:55:39.910358261 +0100 -+++ ghostscript-8.64/lib/ps2pdfwr 2009-06-10 17:55:39.912359265 +0100 +diff -up ghostscript-8.70/lib/ps2pdfwr.gs-executable ghostscript-8.70/lib/ps2pdfwr +--- ghostscript-8.70/lib/ps2pdfwr.gs-executable 2009-01-10 22:11:18.000000000 +0000 ++++ ghostscript-8.70/lib/ps2pdfwr 2009-08-03 17:53:20.626874926 +0100 @@ -7,9 +7,8 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -316,9 +325,9 @@ diff -up ghostscript-8.64/lib/ps2pdfwr.gs-executable ghostscript-8.64/lib/ps2pdf # appears before other options. -exec "$GS_EXECUTABLE" $OPTIONS -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr "-sOutputFile=$outfile" $OPTIONS -c .setpdfwrite -f "$infile" +exec "$gs" $OPTIONS -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr "-sOutputFile=$outfile" $OPTIONS -c .setpdfwrite -f "$infile" -diff -up ghostscript-8.64/lib/ps2ps.gs-executable ghostscript-8.64/lib/ps2ps ---- ghostscript-8.64/lib/ps2ps.gs-executable 2009-06-10 17:55:39.914358120 +0100 -+++ ghostscript-8.64/lib/ps2ps 2009-06-10 17:55:39.915358850 +0100 +diff -up ghostscript-8.70/lib/ps2ps.gs-executable ghostscript-8.70/lib/ps2ps +--- ghostscript-8.70/lib/ps2ps.gs-executable 2009-01-10 22:11:18.000000000 +0000 ++++ ghostscript-8.70/lib/ps2ps 2009-08-03 17:53:20.630875037 +0100 @@ -7,9 +7,8 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" @@ -336,9 +345,9 @@ diff -up ghostscript-8.64/lib/ps2ps.gs-executable ghostscript-8.64/lib/ps2ps -exec "$GS_EXECUTABLE" -q -sDEVICE=pswrite -sstdout=%stderr "-sOutputFile=$2" -dNOPAUSE -dBATCH $OPTIONS "$1" +exec "$gs" -q -sDEVICE=pswrite -sstdout=%stderr "-sOutputFile=$2" -dNOPAUSE -dBATCH $OPTIONS "$1" -diff -up ghostscript-8.64/lib/wftopfa.gs-executable ghostscript-8.64/lib/wftopfa ---- ghostscript-8.64/lib/wftopfa.gs-executable 2009-06-10 17:55:39.917358998 +0100 -+++ ghostscript-8.64/lib/wftopfa 2009-06-10 17:55:39.919358413 +0100 +diff -up ghostscript-8.70/lib/wftopfa.gs-executable ghostscript-8.70/lib/wftopfa +--- ghostscript-8.70/lib/wftopfa.gs-executable 2007-07-05 20:04:29.000000000 +0100 ++++ ghostscript-8.70/lib/wftopfa 2009-08-03 17:53:20.633874780 +0100 @@ -6,8 +6,7 @@ GS_EXECUTABLE=gs gs="`dirname $0`/$GS_EXECUTABLE" diff --git a/ghostscript-jbig2dec-nullderef.patch b/ghostscript-jbig2dec-nullderef.patch index 26a2ed1..bd351aa 100644 --- a/ghostscript-jbig2dec-nullderef.patch +++ b/ghostscript-jbig2dec-nullderef.patch @@ -1,7 +1,7 @@ -diff -up ghostscript-8.64/jbig2dec/jbig2_generic.c.jbig2dec-nullderef ghostscript-8.64/jbig2dec/jbig2_generic.c ---- ghostscript-8.64/jbig2dec/jbig2_generic.c.jbig2dec-nullderef 2007-10-25 23:14:22.000000000 +0100 -+++ ghostscript-8.64/jbig2dec/jbig2_generic.c 2009-06-02 10:45:01.814127074 +0100 -@@ -599,6 +599,10 @@ jbig2_immediate_generic_region(Jbig2Ctx +diff -up ghostscript-8.70/jbig2dec/jbig2_generic.c.jbig2dec-nullderef ghostscript-8.70/jbig2dec/jbig2_generic.c +--- ghostscript-8.70/jbig2dec/jbig2_generic.c.jbig2dec-nullderef 2009-05-29 07:48:44.000000000 +0100 ++++ ghostscript-8.70/jbig2dec/jbig2_generic.c 2009-08-03 17:51:13.864875636 +0100 +@@ -596,6 +596,10 @@ jbig2_immediate_generic_region(Jbig2Ctx memcpy (params.gbat, gbat, gbat_bytes); image = jbig2_image_new(ctx, rsi.width, rsi.height); @@ -12,10 +12,10 @@ diff -up ghostscript-8.64/jbig2dec/jbig2_generic.c.jbig2dec-nullderef ghostscrip jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "allocated %d x %d image buffer for region decode results", rsi.width, rsi.height); -diff -up ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.jbig2dec-nullderef ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c ---- ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.jbig2dec-nullderef 2009-06-02 10:45:01.809127374 +0100 -+++ ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c 2009-06-02 10:45:01.814127074 +0100 -@@ -370,6 +370,11 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, +diff -up ghostscript-8.70/jbig2dec/jbig2_symbol_dict.c.jbig2dec-nullderef ghostscript-8.70/jbig2dec/jbig2_symbol_dict.c +--- ghostscript-8.70/jbig2dec/jbig2_symbol_dict.c.jbig2dec-nullderef 2009-05-29 07:48:44.000000000 +0100 ++++ ghostscript-8.70/jbig2dec/jbig2_symbol_dict.c 2009-08-03 17:52:35.318750131 +0100 +@@ -367,6 +367,11 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, memcpy(region_params.gbat, params->sdat, sdat_bytes); image = jbig2_image_new(ctx, SYMWIDTH, HCHEIGHT); @@ -27,7 +27,7 @@ diff -up ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.jbig2dec-nullderef ghosts code = jbig2_decode_generic_region(ctx, segment, ®ion_params, as, image, GB_stats); -@@ -520,6 +525,11 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, +@@ -517,6 +522,11 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, ID, RDX, RDY); image = jbig2_image_new(ctx, SYMWIDTH, HCHEIGHT); @@ -39,7 +39,7 @@ diff -up ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.jbig2dec-nullderef ghosts /* Table 18 */ rparams.GRTEMPLATE = params->SDRTEMPLATE; -@@ -638,6 +648,16 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, +@@ -635,6 +645,16 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, for (j = HCFIRSTSYM; j < NSYMSDECODED; j++) { Jbig2Image *glyph; glyph = jbig2_image_new(ctx, SDNEWSYMWIDTHS[j], HCHEIGHT); @@ -53,16 +53,16 @@ diff -up ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.jbig2dec-nullderef ghosts + jbig2_image_release(ctx, image); + return NULL; + } - jbig2_image_compose(ctx, glyph, image, + jbig2_image_compose(ctx, glyph, image, -x, 0, JBIG2_COMPOSE_REPLACE); x += SDNEWSYMWIDTHS[j]; -diff -up ghostscript-8.64/jbig2dec/jbig2_text.c.jbig2dec-nullderef ghostscript-8.64/jbig2dec/jbig2_text.c ---- ghostscript-8.64/jbig2dec/jbig2_text.c.jbig2dec-nullderef 2008-05-09 15:00:44.000000000 +0100 -+++ ghostscript-8.64/jbig2dec/jbig2_text.c 2009-06-02 10:45:01.816126454 +0100 -@@ -315,6 +315,9 @@ jbig2_decode_text_region(Jbig2Ctx *ctx, +diff -up ghostscript-8.70/jbig2dec/jbig2_text.c.jbig2dec-nullderef ghostscript-8.70/jbig2dec/jbig2_text.c +--- ghostscript-8.70/jbig2dec/jbig2_text.c.jbig2dec-nullderef 2009-05-29 07:48:44.000000000 +0100 ++++ ghostscript-8.70/jbig2dec/jbig2_text.c 2009-08-03 17:53:05.166750610 +0100 +@@ -312,6 +312,9 @@ jbig2_decode_text_region(Jbig2Ctx *ctx, IBO = IB; - image = jbig2_image_new(ctx, IBO->width + RDW, - IBO->height + RDH); + refimage = jbig2_image_new(ctx, IBO->width + RDW, + IBO->height + RDH); + if (image == NULL) + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, + "could not allocate image storage"); diff --git a/ghostscript.spec b/ghostscript.spec index a49c10f..d49a35c 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -1,15 +1,15 @@ -%define gs_ver 8.64 -%define gs_dot_ver 8.64 +%define gs_ver 8.70 +%define gs_dot_ver 8.70 %{expand: %%define build_with_freetype %{?_with_freetype:1}%{!?_with_freetype:0}} Summary: A PostScript interpreter and renderer. Name: ghostscript Version: %{gs_ver} -Release: 11%{?dist} +Release: 1%{?dist} # Included CMap data is Redistributable, no modification permitted, # see http://bugzilla.redhat.com/487510 -License: GPLv2 and Redistributable, no modification permitted +License: GPLv3+ and Redistributable, no modification permitted URL: http://www.ghostscript.com/ Group: Applications/Publishing Source0: ghostscript-%{gs_ver}.tar.bz2 @@ -23,12 +23,8 @@ Patch4: ghostscript-fPIC.patch Patch5: ghostscript-runlibfileifexists.patch Patch6: ghostscript-system-jasper.patch Patch7: ghostscript-pksmraw.patch -Patch8: ghostscript-bitcmyk.patch -Patch9: ghostscript-CVE-2009-0583,0584.patch -Patch10: ghostscript-CVE-2009-0792.patch -Patch11: ghostscript-CVE-2009-0196.patch -Patch12: ghostscript-jbig2dec-nullderef.patch -Patch13: ghostscript-gs-executable.patch +Patch8: ghostscript-jbig2dec-nullderef.patch +Patch9: ghostscript-gs-executable.patch Requires: urw-fonts >= 1.1, ghostscript-fonts BuildRequires: libjpeg-devel, libXt-devel @@ -112,24 +108,11 @@ rm -rf libpng zlib jpeg jasper # Fix pksmraw output (bug #308211). Still needed in 8.63. %patch7 -p1 -b .pksmraw -# Fix bitcmyk driver (bug #486644). -%patch8 -p1 -b .bitcmyk - -# Applied patch to fix CVE-2009-0583 (bug #487742) and CVE-2009-0584 -# (bug #487744). -%patch9 -p1 -b .CVE-2009-0583,0584 - -# Applied patch to fix CVE-2009-0792 (bug #491853). -%patch10 -p1 -b .CVE-2009-0792 - -# Applied patch to fix CVE-2009-0196 (bug #493379). -%patch11 -p1 -b .CVE-2009-0196 - # Applied patch to fix NULL dereference in JBIG2 decoder (bug #501710). -%patch12 -p1 -b .jbig2dec-nullderef +%patch8 -p1 -b .jbig2dec-nullderef # Fix scripts so they don't get broken on install (bug #502550). -%patch13 -p1 -b .gs-executable +%patch9 -p1 -b .gs-executable # Convert manual pages to UTF-8 from8859_1() { @@ -279,7 +262,6 @@ rm -rf $RPM_BUILD_ROOT %dir %{_datadir}/ghostscript/%{gs_dot_ver}/Resource/Init %config %{_datadir}/ghostscript/%{gs_dot_ver}/Resource/Init/gs_init.ps %config %{_datadir}/ghostscript/%{gs_dot_ver}/Resource/Init/Fontmap* -%{_datadir}/ghostscript/%{gs_dot_ver}/examples %{_datadir}/ghostscript/%{gs_dot_ver}/lib %{_mandir}/man*/* %lang(de) %{_mandir}/de/man*/* @@ -294,6 +276,7 @@ rm -rf $RPM_BUILD_ROOT %files doc %defattr(-,root,root) +%doc %{_datadir}/ghostscript/%{gs_dot_ver}/examples %doc %{_docdir}/%{name}-%{gs_dot_ver} %files gtk @@ -312,6 +295,20 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libgs.so %changelog +* Mon Aug 3 2009 Tim Waugh 8.70-1 +- 8.70. +- License has changed to GPLv3+. Packages containing programs that + link to libgs/libijs are: + - foomatic (GPLv2+) + - libspectre (GPLv2+) + - ImageMagick (ImageMagick, listed on Licensing wiki page under + "Good Licenses" and marked as GPLv3 compat) + - gutenprint (GPLv2+) + +* Mon Aug 3 2009 Tim Waugh 8.64-12 +- Moved examples to doc subpackage (bug #515167). +- Converted spec file to UTF-8. + * Thu Jul 30 2009 Tim Waugh 8.64-11 - Fixed CVE-2009-0583,0584 patch by using 255 as the maximum number of points, not 100, and by not treating a missing black point tag as an @@ -1053,7 +1050,7 @@ rm -rf $RPM_BUILD_ROOT * Thu Jul 13 2000 Prospector - automatic rebuild -* Fri Jul 07 2000 Trond Eivind Glomsrød +* Fri Jul 07 2000 Trond Eivind Glomsrød - fixed the broken inclusion of files in /usr/doc - Build requires freetype-devel diff --git a/sources b/sources index 2d75b17..9eb8855 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ 2fbae60417d42779f6488ab897dcaaf6 acro5-cmaps-2001.tar.gz dfc93dd2aaaf2b86d2fd55f654c13261 adobe-cmaps-200406.tar.gz -b13289cb2115f38f40c5e064f87e228a ghostscript-8.64.tar.bz2 +526366f8cb4fda0d3d293597cc5b984b ghostscript-8.70.tar.bz2