From fb342fdb60391073a69147cb71af1ac416a81099 Mon Sep 17 00:00:00 2001
From: Chris Liddell
Date: Wed, 14 Jun 2023 09:08:12 +0100
Subject: [PATCH] Bug 706778: 706761 revisit

Two problems with the original commit. The first a silly typo inverting the logic of a test. The second was forgetting that we actually actually validate two candidate strings for pipe devices. One with the expected "%pipe%" prefix, the other using the pipe character prefix: "|". This addresses both those.
Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099]
CVE: CVE-2023-36664
Signed-off-by: Vijay Anusuri
---
 base/gpmisc.c | 2 +-
 base/gslibctx.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 09ac6b3..01d449f 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1050,7 +1050,7 @@ gp_validate_path_len(const gs_memory_t *mem,
 /* "%pipe%" do not follow the normal rules for path definitions, so we don't "reduce" them to avoid unexpected results */
- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
 bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
 if (buffer == NULL)
 return gs_error_VMerror;
diff --git a/base/gslibctx.c b/base/gslibctx.c
index 355c0e3..d8f74a3 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -722,7 +722,7 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
 /* "%pipe%" do not follow the normal rules for path definitions, so we don't "reduce" them to avoid unexpected results */
- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
 buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
 if (buffer == NULL)
 return gs_error_VMerror;
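Review bot: The new test in gp_validate_path_len (base/gpmisc.c) reads `path[0]` before anything in the hunk establishes that `len` is non-zero, while the `%pipe` arm is still guarded by `len > 5`; because the function takes an explicit length, a zero-length or non-NUL-terminated `path` would be read one byte past what the caller supplied. Guarding the first arm keeps the two consistent: `if ((len > 0 && path[0] == '|') || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {`. The same condition is added to gs_add_control_path_len and gs_remove_control_path_len in base/gslibctx.c and would need the same guard. All three functions begin and end outside their hunks, so an earlier `len == 0` return may already exist there; if it does, a one-line comment saying so next to the test would be enough.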
@@ -819,7 +819,7 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
 /* "%pipe%" do not follow the normal rules for path definitions, so we don't "reduce" them to avoid unexpected results */
- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
 buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
 if (buffer == NULL)
 return gs_error_VMerror;
-- 
2.25.1
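Review bot: The comment above the changed test in gs_remove_control_path_len still names only `"%pipe%"`, although the condition now also exempts paths that start with `|` and matches the five-byte prefix `%pipe` without the closing `%`. I would update it to something like `/* Pipe specs ("%pipe%..." or "|...") do not follow the normal rules for path definitions, so we don't "reduce" them */`, and either compare six bytes against `"%pipe%"` or say in the comment that the shorter prefix is intended. The identical comment and test sit in gp_validate_path_len and gs_add_control_path_len; since this commit had to correct the same inverted comparison in three copies, a single shared predicate declared in a common header would keep these permission-checking sites from drifting apart again.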