master

分支 (1)

管理

管理

master

ghostscript
/
CVE-2024-33871-OPVP-device-prevent-un...

From 1491628604f16e0100feffbd6580b03ec0f5a976 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 3 Jun 2024 16:13:55 +0800
Subject: [PATCH] OPVP device - prevent unsafe parameter change with SAFER

Bug #707754 "OPVP device - Arbitrary code execution via custom Driver library"

The "Driver" parameter for the "opvp"/"oprp" device specifies the name
of a dynamic library and allows any library to be loaded.

The patch does not allow changing this parameter after activating path
control.

This addresses CVE-2024-33871
---
 contrib/opvp/gdevopvp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
index 74200cf..80eb23b 100644
--- a/contrib/opvp/gdevopvp.c
+++ b/contrib/opvp/gdevopvp.c
@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist)
     code = param_read_string(plist, pname, &vdps);
     switch (code) {
     case 0:
+        if (gs_is_path_control_active(dev->memory)
+            && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size
+                || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) {
+            param_signal_error(plist, pname, gs_error_invalidaccess);
+            return_error(gs_error_invalidaccess);
+        }
         buff = realloc(buff, vdps.size + 1);
         memcpy(buff, vdps.data, vdps.size);
         buff[vdps.size] = 0;
--
2.39.3