1 files changed, 0 insertions, 91 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch b/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
deleted file mode 100644
index 174f79e42a..0000000000
--- a/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 759238fd904aab1706dc1007826a13a670cda320 Mon Sep 17 00:00:00 2001
-From: Ken Sharp <ken.sharp@artifex.com>
-Date: Thu, 23 Aug 2018 14:12:48 +0100
-Subject: [PATCH 3/5] Fix Bug 699660 "shading_param incomplete type checking"
-Its possible to pass a t_struct parameter to .shfill which is not a
-shading function built by .buildshading. This could then lead to memory
-corruption or a segmentation fault by treating the object passed in
-as if it were a shading.
-Its non-trivial to check the t_struct, because this function can take
-7 different kinds of structures as a parameter. Checking these is
-possible, of course, but would add a performance penalty.
-However, we can note that we never call .shfill without first calling
-.buildshading, and we never call .buildshading without immediately
-calling .shfill. So we can treat these as an atomic operation. The
-.buildshading function takes all its parameters as PostScript objects
-and validates them, so that should be safe.
-This allows us to 'hide' the .shfill operator preventing the possibility
-of passing an invalid parameter.
-CVE: CVE-2018-15909
-Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
- Resource/Init/gs_init.ps  | 4 ++--
- Resource/Init/gs_ll3.ps   | 7 ++++++-
- Resource/Init/pdf_draw.ps | 3 +--
- 3 files changed, 9 insertions(+), 5 deletions(-)
-diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
-index 6c8da53..1956ed5 100644
--- a/Resource/Init/gs_init.ps
-+++ b/Resource/Init/gs_init.ps
-@@ -2181,8 +2181,8 @@ SAFER { .setsafeglobal } if
- /.getiodevice /.getdevparms /.putdevparams /.bbox_transform /.matchmedia /.matchpagesize /.defaultpapersize
- /.oserrno /.setoserrno /.oserrorstring /.getCPSImode
- /.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep
-/.buildshading1 /.buildshadin2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
-/.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
-+/.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
-+%/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
- /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
- /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
- /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
-diff --git a/Resource/Init/gs_ll3.ps b/Resource/Init/gs_ll3.ps
-index 5aa56a3..1d37e53 100644
--- a/Resource/Init/gs_ll3.ps
-+++ b/Resource/Init/gs_ll3.ps
-@@ -440,6 +440,11 @@ systemdict /.reuseparamdict mark
-     /shfill .systemvar /undefined signalerror
-   } ifelse
- } bind def
-+
-+/.buildshading_and_shfill {
-+  .buildshading .shfill
-+} bind def
-+
- systemdict /.reuseparamdict undef
- 
- /.buildpattern2 {      % <template> <matrix> .buildpattern2
-@@ -464,7 +469,7 @@ systemdict /.reuseparamdict undef
-         % Currently, .shfill requires that the color space
-         % in the pattern be the current color space.
-         % Disable overprintmode for shfill
-  { dup gsave 0 .setoverprintmode .buildshading .shfill } stopped
-+  { dup gsave 0 .setoverprintmode .buildshading_and_shfill } stopped
-   grestore {
-     /$error .systemvar /errorinfo 2 copy known {
-       pop pop
-diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
-index e8ca213..a7144d3 100644
--- a/Resource/Init/pdf_draw.ps
-+++ b/Resource/Init/pdf_draw.ps
-@@ -1365,9 +1365,8 @@ drawopdict begin
-     { dup /.shading .knownget {
-         exch pop
-       } {
-       .buildshading
-+       .buildshading_and_shfill
-       } ifelse
-      .shfill
-     } stopped {
-       pop
-       (   **** Error: Ignoring invalid smooth shading object, output may be incorrect.\n)
-- 
-2.8.1

diff --git a/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch b/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch deleted file mode 100644 index 174f79e42a..0000000000 --- a/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch +++ /dev/null
@@ -1,91 +0,0 @@
1	From 759238fd904aab1706dc1007826a13a670cda320 Mon Sep 17 00:00:00 2001
2	From: Ken Sharp <ken.sharp@artifex.com>
3	Date: Thu, 23 Aug 2018 14:12:48 +0100
4	Subject: [PATCH 3/5] Fix Bug 699660 "shading_param incomplete type checking"
5
6	Its possible to pass a t_struct parameter to .shfill which is not a
7	shading function built by .buildshading. This could then lead to memory
8	corruption or a segmentation fault by treating the object passed in
9	as if it were a shading.
10
11	Its non-trivial to check the t_struct, because this function can take
12	7 different kinds of structures as a parameter. Checking these is
13	possible, of course, but would add a performance penalty.
14
15	However, we can note that we never call .shfill without first calling
16	.buildshading, and we never call .buildshading without immediately
17	calling .shfill. So we can treat these as an atomic operation. The
18	.buildshading function takes all its parameters as PostScript objects
19	and validates them, so that should be safe.
20
21	This allows us to 'hide' the .shfill operator preventing the possibility
22	of passing an invalid parameter.
23
24	CVE: CVE-2018-15909
25	Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
26
27	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
28	---
29	Resource/Init/gs_init.ps \| 4 ++--
30	Resource/Init/gs_ll3.ps \| 7 ++++++-
31	Resource/Init/pdf_draw.ps \| 3 +--
32	3 files changed, 9 insertions(+), 5 deletions(-)
33
34	diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
35	index 6c8da53..1956ed5 100644
36	--- a/Resource/Init/gs_init.ps
37	+++ b/Resource/Init/gs_init.ps
38	@@ -2181,8 +2181,8 @@ SAFER { .setsafeglobal } if
39	/.getiodevice /.getdevparms /.putdevparams /.bbox_transform /.matchmedia /.matchpagesize /.defaultpapersize
40	/.oserrno /.setoserrno /.oserrorstring /.getCPSImode
41	/.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep
42	-/.buildshading1 /.buildshadin2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
43	-/.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
44	+/.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
45	+%/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
46	/.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
47	/.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
48	/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
49	diff --git a/Resource/Init/gs_ll3.ps b/Resource/Init/gs_ll3.ps
50	index 5aa56a3..1d37e53 100644
51	--- a/Resource/Init/gs_ll3.ps
52	+++ b/Resource/Init/gs_ll3.ps
53	@@ -440,6 +440,11 @@ systemdict /.reuseparamdict mark
54	/shfill .systemvar /undefined signalerror
55	} ifelse
56	} bind def
57	+
58	+/.buildshading_and_shfill {
59	+ .buildshading .shfill
60	+} bind def
61	+
62	systemdict /.reuseparamdict undef
63
64	/.buildpattern2 { % <template> <matrix> .buildpattern2
65	@@ -464,7 +469,7 @@ systemdict /.reuseparamdict undef
66	% Currently, .shfill requires that the color space
67	% in the pattern be the current color space.
68	% Disable overprintmode for shfill
69	- { dup gsave 0 .setoverprintmode .buildshading .shfill } stopped
70	+ { dup gsave 0 .setoverprintmode .buildshading_and_shfill } stopped
71	grestore {
72	/$error .systemvar /errorinfo 2 copy known {
73	pop pop
74	diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
75	index e8ca213..a7144d3 100644
76	--- a/Resource/Init/pdf_draw.ps
77	+++ b/Resource/Init/pdf_draw.ps
78	@@ -1365,9 +1365,8 @@ drawopdict begin
79	{ dup /.shading .knownget {
80	exch pop
81	} {
82	- .buildshading
83	+ .buildshading_and_shfill
84	} ifelse
85	- .shfill
86	} stopped {
87	pop
88	( **** Error: Ignoring invalid smooth shading object, output may be incorrect.\n)
89	--
90	2.8.1
91