| Commit message | Author | Age | Files | Lines |
These should not have been a problem, as they are 'monotonic' in
any given build, but nonetheless, this is neater.
Remove clist_io_procs_memory_global and clist_io_procs_file_global.
These hold pointers to the io_procs structures for either memory
or file writing as appropriate. Here we move them into
gs_lib_ctx_core_t.
|
Fix (hopefully) the last few LGTM warnings. Suppress warnings for
those things that we can't avoid (use of goto in speed critical
state machines for example), and fix those we can.
|
We're actually safe because gp_fmode_binary_suffix is max one-character long,
but Coverity doesn't know that.
|
(this is a squash of several commits from filesec branch)

Use errno to indicate invalidfileaccess

Integrate fontconfig with file access controls

fontconfig API has a call to retrieve all the directories about which fontconfig
knows, so we can get those, and add them to the paths from which we're permitted
to read.

Add (most of) the Postscript "managed" paths....

...to the access controls.
GenericResourceDir, ICCProfilesDir (reading) and temporary file directories for
read/write/control.

Add paths/files from C to the file access controls

The -I paths, environment variables and build time paths.
The command line specified output file, permit writing.
Lastly, the command line specified input file is added to the readable list,
interpreted, and then removed from the list.

Add the FONTPATH path list to permit read access control list.

I opted to do this in Postscript because the list is (normally) a colon
separated list of paths, which we split into an array of paths (in Postscript) -
it seems sensible to do this only once, both for storage and permissions.

Add a non-standard string 'reverse search' operator

The search operator searches for the first occurrence of a character code in a
string (i.e. searches forwards from the start of the string), 'rsearch' finds
the last instance of a character code (i.e. search backwards from the end of
the string).

Fix gp_open_scratch_file_rm for access permissions

i.e. the same as gp_open_scratch_file

Handle clist file 'rewind' failures

'Rewinding' clist files may involve closing and recreating the temporary files,
which conceivably can fail, but the clist procs rewind method was a void
function, so couldn't return an error.
It now can, and does return an error, and we handle the error.

Add file permissions support for piped output.

Paths from Fontmap to PermitReading list

cidfmap paths, add to PermitReading list

Add command line options for path access control addition

--permit-file-read
--permit-file-write
--permit-file-control
--permit-file-all

They all take a separated list of paths (the usual platform specific ':' or ';'
separator), and add them to the respective access control lists - the final 'all'
option adds the paths to all the control lists.

Add file access control to the 'gp_stat' method.

This is complicated by the need to add the memory allocator context to the
gp_stat parameters. To facilitate this, I've added a gs_memory_t pointer to the
gx_io_device structure, which is set during the io device initialisation at
startup.

mkromfs: Add dummy gp_stat_impl for Windows - saves quite a bit of pointless
build upheaval

Add file access protection to file enumeration.

The low level implementation of Postscript's filenameforall (*_enumerate_files)
needs to also honour file access protection.
This has been complicated by requiring a gs_memory_t to be available where
it wasn't previously (in order to access the gs_lib_ctx and the file permissions
lists therein).

Temp
|
(squash of commits from filesec branch)

Most of this commit is donkeywork conversions of calls from
FILE * -> gp_file *, fwrite -> gp_fwrite etc. Pretty much every
device is touched, along with the clist and parsing code.

The more interesting changes are within gp.h (where the actual
new API is defined), gpmisc.c (where the basic implementations
live), and the platform specific levels (gp_mswin.c, gp_unifs.c
etc where the platform specific implementations have been
tweaked/renamed).

File opening path validation

All file opening routines now call a central routine for
path validation.

This then consults new entries in gs_lib_ctx to see if validation
is enabled or not. If so, it validates the paths by seeing if
they match.

Simple C level functions for adding/removing/clearing paths, exposed
through the gsapi level.

Add 2 postscript operators for path control.

  <name> <string> .addcontrolpath -
      Add the given <string> (path) to the list of paths for
      controlset <name>, where <name> can be:
          /PermitFileReading
          /PermitFileWriting
          /PermitFileControl
      (Anything else -> rangecheck)

  - .activatepathcontrol -
      Enable path control. At this point PS cannot make any
      more changes, and all file access is checked.
|
Firstly, move entirely to HAVE_VALGRIND rather than ENABLE_VALGRIND.
My fault for having introduced 2 schemes to do the same thing in
the past.
Accordingly, move direct inclusions of memcheck/valgrind.h over to
calling our local valgrind.h header.
And finally, fix the problem that prompted all of this; in
image_simple_expand, we take 1 bit data in. The last bytes in this
data can frequently be only semi-filled, resulting in some
undefined bits. While our code to quickly skip complete bytes is
safe by construction, valgrind cannot recognise it as such, and so
signals false positive UMRs.
Work around that here by tweaking valgrind's ideas of what bits
are defined.
|
Now we properly "include what we use" let's sanitise the horrid
blah_DEFINED ifdeffery (i.e. kill it where possible).
Also, we update the .c dependencies in the base/psi makefiles to
be correct.
Unfortunately, this new correct set of dependencies causes nmake
to soil itself and die with an out of memory error. After much
experimentation, I've come to the conclusion that this is because
it copes poorly with being given the same file as a dependency multiple
times.
Sadly, our style of declaring dependencies in the following style:
    foo_h=$(BLAH)/foo.h $(std_h)
    bar_h=$(BLAH)/bar.h $(foo_h) $(std_h)
    baz_h=$(BLAH)/baz.h $(foo_h) $(std_h)
means that a .obj file that depends on $(foo_h) $(bar_h) and $(baz_h)
ends up depending on foo.h twice, and std.h three times.
I have therefore changed the style of dependencies used to be more
standard.
We still define:
    foo_h=$(BLAH)/foo.h
so each .obj file rule can depend on $(foo_h) etc as required, but the
dependencies between each .h file are expressed in normal rules at the
end of the file in a dedicated "# Dependencies" section that we can now
autogenerate.
|
When we 'wrap' a file to allow thread safe file access for multithreaded clist
operation, we replace the original file name with a special 'encoded' file
name - we shouldn't do the replacement if the underlying file fails to open
since it means the error message shows the encoded file name, rather than the
name of the 'real' file.
|
Also update copyright dates.
Remove gs_cmdl.ps as we no longer use it, and remove its entry from
psfiles.htm.
Remove xfonts.htm as this feature (xfont support) is long, long gone.
|
This fixes the unknownerror reported by the bug, but does not totally fix
the use of # false .outputpage with the clist since the data after the
first cmd_opv_end_page is not rendered to the page (stops the clist reader).
The bug is left open for that reason and has been marked bountiable.
|
In some cleanup code, I assumed that by the time that code was called, rendering
would be complete - specifically, background rendering would be complete.
This may be true when background rendering is one thread, but is definitely not
guaranteed when we have bgprint *and* multithreaded rendering.
Rather nicely, accounting for this actually makes the code tidier.
Also, add a check that we successfully created a clist IFILE object before
storing a value in it.
|
The use of fseek(...SEEK_END)...ftell to determine the file size is not
thread safe because reading changes the current position. On Windows, the
ReadFile changes the position of the 'fd' attached to the stream and handle,
and the ftell uses 'lseek(fd, 0, SEEK_CUR)' to get the current position
which may have moved due to reads on other threads.
On unix, similar conditions can occur sharing the FILE * stream. Also on
unix, we must assume that without PREAD support, we cannot share the file
descriptor since reading requires "ftell..seek..read..seek" sequences that
are not thread safe without locking (that is not yet implemented, and may
impact performance).
Maintain the filesize while writing the file in the IFILE wrapper structure
and use that for the file size instead of fseek..ftell to avoid the position
change that could happen on the clist file due to a read by a different
thread on that same file fd.
This was a rare problem because only cl_cache_read_init used the seek..tell
mechanism to get the filesize, and this only happens in a thread on the
first read (to either the bfile or the cfile) which is a narrow window.
|
valgrind reported overlapping memory regions in a memcpy, so change it to
memmove which copes with such cases.
No cluster differences.
|
Squashed into one commit (see branch for details of the evolution of the
branch).
This brings gpcl6 and gxps into the Ghostscript build system, and a shared
set of graphics library object files for all the interpreters.
Also, brings the same configuration options to the pcl and xps products as we
have for Ghostscript.