This bug prevents my printer from working in 6.2.

Oct 17 14:17:48 ted foo2zjs-wrapper: foo2zjs -r1200x600 -g9920x7016 -p9 -m1 -n1 
-d1 -s7 -z1  -u 192x96 -l 192x96 -L 0  -T3    -P 
Abort trap (core dumped) 

The problem is that ghostscript (FLAVOR='a4 gtk') smashes the stack.

Trace with debug symbols:

Reading symbols from gs...done.
[New process 150397]
Core was generated by `gs'.
Program terminated with signal SIGABRT, Aborted.
#0  thrkill () at -:3
3       -: No such file or directory.
(gdb) bt
#0  thrkill () at -:3
#1  0x00000995ce24fd4b in _libc___stack_smash_handler (func=<optimized out>, 
damaged=<optimized out>)
    at /usr/src/lib/libc/sys/stack_protector.c:79
#2  0x00000993c1d04102 in gsdll_stdin (instance=0x0,
    buf=0x99688d4d240 "%!PS-Adobe-3.0\n%%BoundingBox: 0 0 596 
842\n%%HiResBoundingBox: 0 0 596.00 842.00\n%%Creator: GPL Ghostscript 907 
(ps2write)\n%%LanguageLevel: 2\n%%CreationDate: 
D:20171017141746+02'00'\n%%Pages: 1\n%%EndCom"..., len=1024) at 
./psi/dxmain.c:126
#3  0x00000995d2f6f718 in s_stdin_read_process (st=0x99688d4d0d0, 
ignore_pr=0x7f7ffffc24a0, pw=0x99688d4d140, last=0) at ./psi/ziodevsc.c:102
#4  0x00000995d2f5a8a7 in sreadbuf (s=0x99688d4d0d0, pbuf=0x99688d4d140) at 
./base/stream.c:815
#5  0x00000995d2f5996b in s_process_read_buf (s=0x99688d4d0d0) at 
./base/stream.c:741
#6  0x00000995d2f679a8 in zpeekstring (i_ctx_p=0x995f10c9368) at 
./psi/zfileio.c:706
#7  0x00000995d2f47700 in interp (pi_ctx_p=0x99618d91cc8, pref=0x7f7ffffc35e8, 
perror_object=0x7f7ffffc36e0) at ./psi/interp.c:1176
#8  0x00000995d2f45310 in gs_call_interp (pi_ctx_p=0x99618d91cc8, 
pref=0x7f7ffffc35e8, user_errors=1, pexit_code=0x7f7ffffc36f4,
    perror_object=0x7f7ffffc36e0) at ./psi/interp.c:501
#9  0x00000995d2f45124 in gs_interpret (pi_ctx_p=0x99618d91cc8, 
pref=0x7f7ffffc35e8, user_errors=1, pexit_code=0x7f7ffffc36f4,
    perror_object=0x7f7ffffc36e0) at ./psi/interp.c:459
#10 0x00000995d2f370bf in gs_main_interpret (minst=0x99618d91c30, 
pref=0x7f7ffffc35e8, user_errors=1, pexit_code=0x7f7ffffc36f4,
    perror_object=0x7f7ffffc36e0) at ./psi/imain.c:235
#11 0x00000995d2f37342 in gs_main_run_string_end (minst=0x99618d91c30, 
user_errors=1, pexit_code=0x7f7ffffc36f4, perror_object=0x7f7ffffc36e0)
    at ./psi/imain.c:609
#12 0x00000995d2f37161 in gs_main_run_string_with_length (minst=0x99618d91c30, 
str=0x995d356011e ".runstdin", length=9, user_errors=1,
    pexit_code=0x7f7ffffc36f4, perror_object=0x7f7ffffc36e0) at 
./psi/imain.c:567
#13 0x00000995d2f365a1 in gs_main_run_string (minst=0x99618d91c30, 
str=0x995d356011e ".runstdin", user_errors=1, pexit_code=0x7f7ffffc36f4,
    perror_object=0x7f7ffffc36e0) at ./psi/imain.c:549
#14 0x00000995d2f3a80a in run_string (minst=0x99618d91c30, str=0x995d356011e 
".runstdin", options=2) at ./psi/imainarg.c:865
#15 0x00000995d2f38efb in swproc (minst=0x99618d91c30, arg=0x7f7ffffc4dfb "", 
pal=0x7f7ffffc40f8) at ./psi/imainarg.c:293
#16 0x00000995d2f3891d in gs_main_init_with_args (minst=0x99618d91c30, argc=15, 
argv=0x995fe99ae00) at ./psi/imainarg.c:211
#17 0x00000995d2f3cded in gsapi_init_with_args (lib=0x995f524ca30, argc=15, 
argv=0x995fe99ae00) at ./psi/iapi.c:180
#18 0x00000993c1d03e92 in main (argc=14, argv=0x7f7ffffc4c28) at 
./psi/dxmain.c:1177

The function read_stdin_handler passes the address of the int input->count
(32 bits) cast to a gsize pointer, i.e. a pointer to unsigned long (64 bits
on amd64), so the store through it is wider than the field it targets.

ok?

I would like to apply this fix to the 6.2-stable ports tree.

Index: Makefile
===================================================================
RCS file: /cvs/ports/print/ghostscript/gnu/Makefile,v
retrieving revision 1.109
diff -u -p -r1.109 Makefile
--- Makefile    4 May 2017 06:51:09 -0000       1.109
+++ Makefile    17 Oct 2017 12:35:07 -0000
@@ -6,7 +6,7 @@ VERSION=        9.07
 DISTNAME=      ghostscript-${VERSION}
 CATEGORIES=    print lang
 SHARED_LIBS=   gs      15.0
-REVISION=      4
+REVISION=      5
 
 MASTER_SITES=  http://downloads.ghostscript.com/public/
 
Index: patches/patch-psi_dxmain_c
===================================================================
RCS file: patches/patch-psi_dxmain_c
diff -N patches/patch-psi_dxmain_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-psi_dxmain_c  17 Oct 2017 12:38:57 -0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+Fix a stack smash.
+
+Index: psi/dxmain.c
+--- psi/dxmain.c.orig
++++ psi/dxmain.c
+@@ -82,7 +82,9 @@ read_stdin_handler(GIOChannel *channel, GIOCondition c
+         input->count = 0;     /* EOF */
+     }
+     else if (condition & (G_IO_IN)) {
+-        g_io_channel_read_chars(channel, input->buf, input->len, (gsize 
*)&input->count, &error);
++        gsize gsz;
++        g_io_channel_read_chars(channel, input->buf, input->len, &gsz, 
&error);
++        input->count = (int)gsz;
+         if (error) {
+             g_print("%s\n", error->message);
+             g_error_free(error);
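Review bot: `gsz` is declared uninitialized in the patched branch of read_stdin_handler, so `input->count = (int)gsz;` copies an indeterminate value if g_io_channel_read_chars() ever returns without storing to its bytes_read argument; the visible lines test `error` only after that assignment. Declaring it as `gsize gsz = 0;` makes a failed read report zero bytes instead. The narrowing cast looks safe only as long as the requested length stays int-sized (the backtrace shows len=1024), but the declaration of input->len and the start and end of the function are outside the hunk. The patch header could also record the cause, e.g. `Fix a stack smash: a 64-bit gsize was stored through a pointer to the 32-bit int input->count.`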
