| Commit message (Collapse) | Author | Age | Files | Lines |
| |
The epo device interferes with the operation of the x11 devices when those
are integrating with an existing X application (i.e. xv, or other application
that relies on the 'GHOSTVIEW' functionality).
Disable epo by adding an x11 specific fillpage method.
| |
We added the ability to process PDF page labels as pdfmarks, instead of
using the .pagelabels operator (as used by pdfwrite) for the benefit of
DejaVu.
Unfortunately, GSView 5 redefines the pdfmark operator, and attempts
to process the information itself. This is a problem when it doesn't
recognise the pdfmark in question, which it does not with PAGELABEL.
There's no way for us to fix GSView 5, and we don't want to revert the
enhancement for DejaVu because that is still being actively maintained.
This commit is a rather ugly hack which relies upon the presence of a
specific named dictionary in userdict when GSView is executing. If that
dictionary is present then we don't create PAGELABEL pdfmarks, thus
avoiding confusing GSView 5.
| |
This was partly caused by a subtlety of the nsis installer syntax which means
the '/r' option for the 'File' operation will match and install all
files/directories in the file hierarchy that match the search term, unless they
are explicitly excluded.
For example:
    File /r doc
will end up matching:
    doc/
    something/doc
    another/thing/doc
So, ensure we exclude subtrees so we no longer accidentally include files we
don't intend.
Also, add the missing removals, so we do remove everything we intended to
install.
Lastly add in (and include removal of!) the Resource/* tree, and the iccprofiles
directories - both of which users have asked to be included.
| |
anymore"
This problem only exhibits in a 64-bit build.
The problem is caused by the union of 's' and 'file' in the arg_source
structure. When in a 32-bit build, this happens to work out to be 0
when the source is a string and not a file. But in a 64-bit it does not.
Now because we have a 'is_file' member in the structure this isn't a
problem, except that in get_codepoint() we pass both the u.file and
u.str members to the decoding function. In get_codepoint_utf8 we then
check to see if 'file' is 0, and if it is not, we attempt to read from
it. If 'file' is 0, then we treat this as a string instead.
To avoid altering the decoding function, with potential knock-on effects
through the code, I've chosen to test the 'is_file' member and pass
NULL for the file if this is not a file.
| |
Recent changes required to harden SAFER mode mean that it is no longer
possible to run this script in SAFER mode, because it relies upon
unsafe Ghostscript non-standard extension operators.
Removing SAFER and DELAYSAFER, and the code to reset SAFER, allows the
program to run as well as it ever did (i.e. badly). This program should
now be considered unsafe, you should not use it on untrusted PostScript
programs.
I think it's likely we will deprecate and remove this program in future.
| |
The deflate_block was not being freed after the writing of the page.
| |
The color space was not getting set in the input
and output formats when we had a change in the lcms
formatters.
| |
Prevents static analysis tools from complaining about it being used
uninitialized (it's being to in order to initialize it).
| |
Improve the robustness of the previous solution (previously it could trigger an
error when there *was* stack capacity available).
Remove redundant check: we don't need to check if the *current* stack size is
sufficient, before checking the maximum permitted stack size.
Also check the exec stack, as execstackoverflow can also cause the
Postscript call out to fail.
Lastly, in event of failure, put the LockSafetyParams flag back in the existing
device (this is only necessary because we don't enforce JOBSERVER mode).
Note: the Postscript callout (%grestorepagedevice) never pushes any dictionaries
on the dict stack - if that changes, we should check that stack, too.
| |
accidentally removed in a previous commit
| |
As a result of the recent security review, this bug was raised to go
through the PostScript interpreter looking for places where we exit the
'C' level and return control to PostScript. This is done when we need
to evaluate something in the PostScript environment, such as a transfer
function or a tint transform.
Because these functions are written in PostScript we need to run them
in the PostScript environment.
To do this we push the procedure (or at least 'a' procedure) onto the
exec stack and exit with an o_push_estack error. In many cases that's
all we need to do, but sometimes we want to return control back to the
'C' environment and, in some of those cases, we want to store some state
for the C code. We can't use the operand stack (because the PostScript
function will alter that) so we store stuff on the exec stack instead.
When we complete the C level, we should restore the exec stack, so if
we stored any state on it, we should remove it. Sometimes we were not
doing so if there was an error.
Generally this did not cause a problem, because in general on an error
we would stop. However if the error handler had been altered it was
possible we might carry on. 'Sometimes' that would mean we tried to
execute something which wasn't executable, and sometimes it might mean
that we tried to return to the C level, but without the expected
state on the exec stack.
This could lead to memory corruption and crashes.
This commit tries to find everywhere where we might end up leaving
extra items on the exec stack in the case of an error, and either
removes the required number of items from the exec stack or uses
whatever cleanup routine was established for the C code.
It's important to note that, in normal use, none of these could actually
cause a problem. This makes it hard to test. All the cases here I have
tested, though in many cases the only way I could produce an error was
by forcing an error return in the debugger. I suspect some error cases
simply aren't possible but it's good practice to check the return codes
anyway, even if it's only a theoretical problem.
| |
The cloning operation was getting called with a NULL
pointer for the current ICC link handle.
| |
After this long, there is no reason to carry this code around that was
a hack for joins of a flattened curve.
| |
This issue was introduced during some error clean up
of the ICC profile code.
| |
The temp and ICC profile paths need to finish with wildcards to work correctly.
| |
During a grestore, if the device is going to change, we call out to Postscript
to restore the device configuration, before returning to restore the graphics
state internally.
We have to ensure sufficient op stack space is available to complete the
operation, otherwise the device can end up in an undefined state.
| |
There was also an issue that the string being returned from the graphics
library was null terminated, and Postscript strings are not (and Ghostscript
strings are not necessarily). We leave the null termination in place, but
reduce the length returned by 1.
| |
We already had a 'private' dictionary for non-standard errors: gserrordict.
This now includes all the default error handlers, the dictionary is made
noaccess and all the procedures are bound and executeonly.
When running with -dSAFER, in the event of a Postscript error, instead of
pulling the handler from errordict, we'll pull it from gserrordict - thus
malicious input cannot trigger problems by the use of custom error handlers.
errordict remains open and writeable, so files such as the Quality Logic tests
that install their own handlers will still 'work', with the exception that the
custom error handlers will not be called.
This is a 'first pass', 'sledgehammer' approach: a nice addition would be to allow
an integrator to specify a list of errors that are not to be replaced (for
example, embedded applications would probably want to ensure that VMerror is
always handled as they intend).
| |
sbufavailable() returns the number of bytes still available in the stream
buffer. This can end up as negative at EOF (after we've read the final byte in
the buffer, the read ptr is moved to the next byte, past the end of the buffer -
that should never be read, however).
We can safely use a signed integer since this is buffer space, *not* the total
bytes available from the stream.
| |
When doing the rect fill for transparency knockout groups
we were not handling overprint properly
| |
maskbuf is not defined in this particular path (as it is NULL)
| |
When writing long strings, psc->inpos changes value between
writing its low and high bytes.
| |
The existing scripts assume that the gs binaries are on the path.
The tweaked scripts check to see if there is a binary in the same
directory as the .bat file, and if there is, use that in preference
to any version on the path.
Otherwise functionality is identical.
| |
Silly typo in the contone fill code for the landscape flippedy
color cache case.
| |
When handling -d or -s args, the code currently arg_copies the string
it gets back, then uses that copied block to make postscript names
from.
Here we change the code so that postscript names are made in a
slightly different way, so they copy the string content. This means
we can free the arg_copied block afterwards, solving the leaks.
While we are here, remove a layer of nasty variable hiding macros
that do nothing but confuse things.
| |
We can only return NULL from arg_next if the return code == 0. We
therefore have to ensure that all call sites check for either of
those conditions.
| |
The previous attempt failed because it gave the wrong return value
when we hit an empty argument.
Now we ignore empty arguments.
| |
Revert "Bug 699699 "Crash upon bogus input argument.""
(commit b509290189f1f37a76339f7b6921d42f126bfd57).
This reopens bug 699699, so we can fix it in a way that doesn't
return 1 for 'empty' arguments.
This reopens bug 699699.
| |
When we met an @file in the arg handling, we were failing to swallow
it and returning "@file" to the caller.
| |
also add a *.cat rule to .gitattributes to ensure .cat files are always treated
as binary
| |
In the event that the .trysetparams fails during .installpagedevice, catch the
error, and ensure that at least the .LockSafetyParams is set.
| |
Given the range of color spaces and models that cups supports, we can't
reasonably provide (or expect others to provide) output ICC profiles for all
cases.
For the purpose of profile validation, have it claim to be DeviceN and benefit
from the extra tolerance in profiles allowed for that class of device.
| |
Doc changes, etc
| |
For the setcolorspace continuation procedure, and the related procs
for specific colour spaces, we need to remove the extra operands we
placed on the exec stack, so that there's no possibility of returning
and executing them.
| |
The code in arg_next starts by setting *argstr to NULL, the following
do..while loop assumes that *argstr will be filled in, and checks its
first byte. However, if we run out of characters in the argument string
then *argstr remains NULL, and causes a crash.
This can happen if we pass an empty quoted argument ""
In addition, the processing of -o and possibly other switches assumes
that arg_next will return an error if it doesn't find an argument
whereas now it can return a NULL. I believe it's possible that it always
could do so.
So check the 'arg' returned from arg_next to make sure it's not NULL
before we try to use it.
We should check other places where arg_next is called as well.
| |
When we successfully create a temporary file from Postscript, either doing so
when SAFER is not in force, or when SAFER is in force, and creating it in
a write permitted directory, we record the file name so we can later delete
the file, even if SAFER has been engaged, or if the PermitWriting list has
changed to no longer include the directory in question.
Previously the recording of the name was done in Postscript, even though the
checking was done in C.
This moves the recording of the names to C, meaning we can remove the Postscript
redefinitions of .tempfile and deletefile, and make the dictionary in question
noaccess.
Also, tidy up the adding of the temporary file directory to the list of
permitted directories, and include the list in all of the categories
(PermitFileWriting, PermitFileReading and PermitFileControl) - it was only
previously adding to writing.
| |
The original code worked for one byte code points, and for the case where the
original character code and Unicode value both had the same number of bytes,
but was totally wrong if the two were different.
| |
The code in z2grestore (part of the level 2 restore machinery) in
ghostpdl/psi/zdevice2.c sets the device's LockSafetyParams to false, and
according to the comments there relies on putdeviceparams setting
the flag back when the old device is re-instated.
However, if we have corrupted any part of the device's content, then
it's possible to exit putdeviceparams, in one place only, without
setting LockSafetyParams. Here we simply add an explicit reset of the
value even in the case of an error setting the new device.