| Commit message | Author | Age | Files | Lines |

If the core creation fails in cms startup, remember to free
the core monitor.

We generate a cmsContext to use at gs_lib_ctx startup, and then
use that for every call into the cms. This encapsulates the
gs_memory_t.
For gs/pcl/xps etc this works well, as there is only a single
interpreter, hence a single cmsContext.
Unfortunately, for gpdl, each interpreter (potentially) gets its
own cmsContext (certainly, the PS interpreter does). So on startup,
when the PS interpreter initialises, it loads some default profiles
and allocates them with one gs_memory_t. When we then come to read
a profile using another interpreter (in this case, tiff), we read
that using a different gs_memory_t.
Because the icc_cache is stored in the device, it is shared across
all the different interpreters, so we can end up with a mixture of
blocks allocated with different gs_memory_t's. If we stored which
gs_memory_t * had been used to allocate each block with the block
we'd be fine - but we don't.
Accordingly, when we closedown, blocks are 'freed' with the wrong
gs_memory_t, causing problems.
The simplest solution here (short of updating the memory wrappers
that we pass into lcms2/lcms2mt to store gs_memory_t's in every
block, with the attendant memory increase this would cause) is to
move the cmsContext from gs_lib_ctx_t to the gs_lib_ctx core.
In this way we only have a single cmsContext shared across all the
different interpreters. This feels like the correct solution to me.

We were calling gp_set_debug_mem_ptr(mem) before we'd called
gp_get_globals(). This was writing into thread local storage
before we'd allocated ourselves a thread local storage key,
causing crashes on shutdown.

Some devices within Ghostscript (currently the x11 devices,
uniprint and opvp/oprp) use non-const static variables, so cannot
be run in multiple instances at a time.
We now maintain a core "count" of how many non-threadsafe devices are
being used at any time. This value can be atomically adjusted by calls
to gs_lib_ctx_nts_adjust.
Non-threadsafe devices now call gx_init_non_threadsafe_device either
as, or as part of, their initialise_device proc. This function attempts
to increment the non-threadsafe count and fails to init if there is
already a non-threadsafe device running.
On success, the device finalize method is modified so that it will
decrement the count at the end.
The known non-threadsafe devices are updated to call this.
In order to have somewhere safe to store this count, we introduce
a gs_globals structure, shared between instances. Setting this up
without race conditions requires some new gp_ functions that can
make use of platform specific threading primitives. We have these
implemented for both Windows and pthread based platforms. On other
platforms, we drop back to the old unsafe mechanism for counting
instances.
While we do this work, we take the opportunity to push the
gs_memory_t pointer used for non-threadsafe debug printing into thread
local storage.
This enables us to remove the remaining GS_THREADSAFE guarded
compilation from the source code. What is left is broadly down to
allowing debugging collection for statistics, and these are now
controlled by specific COLLECT_STATS_XXX defines. It is assumed
that anyone wanting to collect such stats is smart enough to not
try to do so while using Ghostscript in a multi-instance environment.

Fix (hopefully) the last few LGTM warnings. Suppress warnings for
those things that we can't avoid (use of goto in speed critical
state machines for example), and fix those we can.

for the "%pipe%", "%handle%" and "%printer%" io devices.
We previously validated only the part after the "%pipe%" PostScript device
specifier, but this proved insufficient.
This rebuilds the original file name string, and validates it completely. The
slight complication for "%pipe%" is it can be reached implicitly using
"|" so we have to check both prefixes.
Addresses CVE-2021-3781

The NupControl string needs to be reference counted to work with save/
restore, and when the parameter is changed the new value needs to be
propagated to child devices. The structure containing the string is
adapted (simplified slightly) from the PageList implementation.
Note that the parent and child references must be included in the ref_count
when the NupControl structure is updated (for example, if 'epo' is installed, when
it uninstalls itself it cannot free the structure when it does rc_decrement).
Minor comment change to devices/gdevbit.c to change NupList to NupControl.

The separating devices make a (fairly blunt) effort to avoid attempting to use
proscribed characters in file names for separations (for example, '/', '\',
etc). As part of this some characters can be replaced with escaped percent
chars - so the single percent character survives a later call to a formatted
string function (sprintf).
This ended up foxing the file access validation code which added the fully
escaped file name string to the permit write table, but later attempted to
validate a file name post sprintf, where the escaping had been undone.
So, add code to remove escape '%' characters before adding the string to the
file access permit lists.

Bug #703338 "Hide permitted paths from invocation comment"
As noted in the bug report, the --permit-file* control arguments are
not replaced with '?' when sanitising the arguments. This leads to an
information leak with the 'Invocation' comment emitted by pdfwrite.
This commit adds checking for the -- switches and sanitises the
permit-file* cases.

Don't strlen a possibly NULL path. Shouldn't ever be a problem,
but doesn't hurt to be safe.

We had to add the outputfile to the "control" file permission list (as well
as write), but for the "pipe" case, I accidentally added the call after the
break out of the loop that checks for a pipe.

Firstly, in gx_device_delete_output_file the iodev pointer was being passed
to the delete_method incorrectly (passing a pointer to that pointer). Thus
when we attempted to use that to confirm permission to delete the file, it
crashed. Credit to Ken for finding that.
Secondly, due to the way pdfwrite works, when running with an output file per
page, it creates the current output file immediately it has completed writing
the previous one. Thus, it has to delete that partial file on exit.
Previously, the output file was not added to the "control" permission list,
so an attempt to delete it would result in an error. So add the output file
to the "control" as well as "write" list.

To do this, we introduce gp_unlink and gp_rename, and call those
as appropriate.
Also, make gp_open_scratch_file add the file to the permit list.
When such a file is closed, it will be deleted from the permit list.
It will also be removed from the permit list if the file is deleted
using the PS deletefile operator.
On closedown, if scratch files haven't been deleted, then we'll
delete them as part of the closedown of gs_lib_ctx.
This means that 'purging' the control lists must not remove scratch
file paths from the list.
Also, ensure that gsapi callers can't maliciously (or accidentally)
remove scratch file paths from the list so as to leave them around
after closedown.

This didn't matter for gs, but for gpdl, it could cause problems
on shutdown.

Add gsapi_{,de}register_callout API. This allows integrators
to register handlers for "callouts" from gs devices.
The first example of such a callout is the display device.
Previously, this has relied on the gsapi_set_display_callback
API to pass a pointer to a structure into the core, from where
it was hackily poked into the display device structure.
Instead, we now have the display device "callout" to registered
handlers to get the structure and the handle to use.
The legacy API is maintained by the API level implementing
a handler to return the display callback in response to the
device's callout.
The code to do the 'poking' of the display device has therefore
been removed, and replaced by code that checks to see if an
opened device needs reopening after init, and if so, opens/closes it.

This allows us to specify specific caller_handles for each
callback type rather than using a default one specified at
gs instance creation time. The old functions still work.

Return gs_error_VMerror after alloc failure, not -1. This doesn't fix a
known memento squeeze test case, but returning -1 after alloc failure breaks
gs_main_finit()'s cleanup and leaks blocks.

(found by memento).
After we've freed p_ctx->profiledir we need to set it to NULL otherwise if we
return an error it will be freed a second time when we close down.
Fixes:
MEMENTO_FAILAT=101810 LD_LIBRARY_PATH=../libbacktrace/.libs ./membin/gpdl -sDEVICE=bit -o /dev/null examples/tiger.eps

Rather than relying on building with MEMENTO_SQUEEZE_BUILD,
instead nobble the pthread based threading functions themselves
to check Memento_squeezing in MEMENTO builds.
a) This means less pollution of the code overall as the changes
are restricted to just one module.
b) This will stop me forgetting to build with MEMENTO_SQUEEZE_BUILD
and not understanding the results - EVERY SINGLE TIME.
c) It means a single MEMENTO build can be used both for
memory squeezing (of single-threaded runs) and normal memento
testing (of both single- and multi-threaded runs).

When we implemented the new file access controls, we didn't realise that piped
output files could include formatted strings: "|md5sum > %03d.txt", for example.
This just tweaks the gs_add_control_path() logic so it will go through both
the formatted string section *and* the pipe output section (rather than one or
the other).

The previous solution didn't quite work, when using formatted strings for
output file names (e.g. output-%d.tif).
This adds a dedicated gs_remove_outputfile_control_path() to mirror
gs_add_outputfile_control_path() and uses those for the dynamic adding and
removing of separation output file names.

Only accept %d (and friends) (as opposed to anything starting with %).
Only accept legal combinations of flags/widths/precision etc.
Generate a more conservative wildcard.

Ray spotted that gs_add_explicit_control_path was adding 17
to arg before using it. 17 happens to be the right amount
to add for "--permit-file-read=", but the wrong amount for
write/control/all.
Update the code to call it with the correct arg pointer
to start with.
Also, update a couple of routines to cope with being called
with NULL strings.
Also use enum values in switch rather than 0, 1, 2.

Before attempting to open files, we pre-process the requested file name to
remove surplus/unnecessary elements: e.g. './././file' would be reduced to just
'./file', or '../dir/../dir/../dir/file' would be reduced to '../dir/file'.
The 'reduced' path is what we try to open, hence it is also what we check
against the file permissions list before we allow files to be accessed.
That being so, we should also 'reduce' paths as we add them to the permissions
lists - thus the permissions list creation and checking are consistent.

it was always adding to the "read" list, rather than the list requested by the
parameter.

To facilitate debugging, we want a way to pickle the gs invocation
used into device output (for devices that want it).
We therefore amend the argument processing logic to pass arguments
to gs_lib_ctx, where they are 'sanitized' and stored in a list.
This list can then be accessed by a device.
We are careful to sanitize the args so as not to reveal paths or
secret passwords/code etc. Essentially we never store any filenames
or string values (except for certain whitelisted -s options).
It is likely that we'll want to expand the whitelisted values in
future.

Commit 7ecbfda9 broke -F completely since it requires the file to run to
immediately follow the switch, and -f____ used to run the file, but since
gs_add_control_path returns 0 as long as there was no error, the code
never called argproc. Also, argproc already does the add_control_path
and remove_control_path, so simplify -f and -F code.
Also gs_add_outputfile_control_path was ignoring the return code when
adding the full pipe string as a path, so fix it.
Note that plmain ignores the return code from gs_remove_control_path,
but that should be OK.

This avoids us having to repeatedly init/fin the CAL lib.

Still to do - Example?

When freeing gs_lib_ctx, don't remove the mem->gs_lib_ctx pointers
until after we have finished using them. This avoids a leak.

This basically involves duplicating the changes from Chris'
gs commit. Part of this promotes a couple of static functions
to being global ones so both implementations can call them.

(squash of commits from filesec branch)
Most of this commit is donkeywork conversions of calls from
FILE * -> gp_file *, fwrite -> gp_fwrite etc. Pretty much every
device is touched, along with the clist and parsing code.
The more interesting changes are within gp.h (where the actual
new API is defined), gpmisc.c (where the basic implementations
live), and the platform specific levels (gp_mswin.c, gp_unifs.c
etc where the platform specific implementations have been
tweaked/renamed).
File opening path validation
All file opening routines now call a central routine for
path validation.
This then consults new entries in gs_lib_ctx to see if validation
is enabled or not. If so, it validates the paths by seeing if
they match.
Simple C level functions for adding/removing/clearing paths, exposed
through the gsapi level.
Add 2 postscript operators for path control.
    <name> <string> .addcontrolpath -
        Add the given <string> (path) to the list of paths for
        controlset <name>, where <name> can be:
            /PermitFileReading
            /PermitFileWriting
            /PermitFileControl
        (Anything else -> rangecheck)
    - .activatepathcontrol -
        Enable path control. At this point PS cannot make any
        more changes, and all file access is checked.

Monitors don't play nice with memento squeezing, so nobble the
code.

This commit is a squashed version of the gpdl-shared-device
branch. Essentially this is a first version of the new
language switching mechanism.
This does not build as part of "all", but rather as "experimental"
or "gpdl".

Also update copyright dates.
Remove gs_cmdl.ps as we no longer use it, and remove its entry from
psfiles.htm.
Remove xfonts.htm as this feature (xfont support) is long, long gone.

Set the level of accuracy that should be used. A setting of 0 will result in less accurate
color rendering compared to a setting of 2. However, the creation of a transformation
will be faster at a setting of 0 compared to a setting of 2. Default setting is 2.