$NetBSD: patch-ab,v 1.2 2010/04/28 07:32:41 obache Exp $ * Set absolute path for GS cmmand. * Fixes CVE-2005-2536 and SA20012 Debian's security patch (also used in FreeBSD). --- main.c.orig 2004-01-09 10:17:38.000000000 +0000 +++ main.c @@ -48,7 +48,7 @@ extern BUNDLE ocr, rot270, rot90; static BOOLEAN cork = FALSE; static BOOLEAN debug = FALSE; -static const char *gs_cmd = "gs"; +static const char *gs_cmd = "@GS_CMD@"; static const char *outfile = ""; static char *cmd; /* = argv[0] */ @@ -126,12 +126,14 @@ static char *cmdfile = NULL, *gsoutfile static int cleanup(void) { int gsstatus, status = 0; pstotextExit(instance); - if (gs!=NULL) { #ifdef VMS + if (gs!=NULL) { gsstatus = fclose(gs); + } #else - gsstatus = pclose(gs); + waitpid(-1, &gsstatus, 0); #endif + if (gsstatus) { if (WIFEXITED(gsstatus)) { if (WEXITSTATUS(gsstatus)!=0) status = 3; else if (WIFSIGNALED(gsstatus)) status = 4; @@ -166,8 +168,13 @@ static void handler(int x) { static int do_it(char *path) { /* If "path" is NULL, then "stdin" should be processed. */ - char *gs_cmdline; - char *input; + char *gs_argv[32]; + int gs_argc=0; +#ifdef DEBUG + int i; +#endif + int fd[2]; + pid_t p; int status; char norotate[] = ""; FILE *fileout; @@ -201,47 +208,31 @@ static int do_it(char *path) { exit(1); } - if (path==NULL) { - input = (char*)malloc(2); - if (input == NULL) { - fprintf(stderr,"No memory available\n"); - cleanup(); - exit(1); + gs_argv[gs_argc++] = "gs"; + gs_argv[gs_argc++] = "-r72"; + gs_argv[gs_argc++] = "-dNODISPLAY"; + gs_argv[gs_argc++] = "-dFIXEDMEDIA"; + gs_argv[gs_argc++] = "-dDELAYBIND"; + gs_argv[gs_argc++] = "-dWRITESYSTEMDICT"; + if (!debug) { + gs_argv[gs_argc++] = "-q"; + } + gs_argv[gs_argc++] = "-dNOPAUSE"; + gs_argv[gs_argc++] = "-dSAFER"; + if (rotate_path && strcmp(rotate_path, "")) { + gs_argv[gs_argc++] = rotate_path; } - strcpy(input, "-"); - } else { - input = (char*)malloc(strlen(path) + 6); - if (input == NULL) { - fprintf(stderr,"No memory available\n"); - cleanup(); - exit(1); + if (ocr_path && strcmp(ocr_path, "")) { + gs_argv[gs_argc++] = ocr_path; } - strcpy(input, "-- '"); strcat(input, path); strcat(input, "'"); + if (path == NULL ) { + gs_argv[gs_argc++] = "-"; } - - gs_cmdline = (char*)malloc(strlen(gs_cmd)+strlen(rotate_path)+ - strlen(ocr_path) + strlen(input) + 128); - - if (gs_cmdline == NULL) { - fprintf(stderr, "No memory available\n"); - cleanup(); - exit(1); + else { + gs_argv[gs_argc++] = "--"; + gs_argv[gs_argc++] = path; } - - sprintf( - gs_cmdline, -#ifdef VMS - "%s -r72 \"-dNODISPLAY\" \"-dFIXEDMEDIA\" \"-dDELAYBIND\" \"-dWRITESYSTEMDICT\" %s \"-dNOPAUSE\" %s %s %s", -#else - "%s -r72 -dNODISPLAY -dFIXEDMEDIA -dDELAYBIND -dWRITESYSTEMDICT %s -dNOPAUSE %s %s %s", -#endif - gs_cmd, - (debug ? "" : "-q"), - rotate_path, - ocr_path, - input - ); - if (debug) fprintf(stderr, "%s\n", gs_cmdline); + gs_argv[gs_argc++] = NULL; #ifdef VMS cmdfile = tempnam("SYS$SCRATCH:","PS2TGS"); gsoutfile = tempnam("SYS$SCRATCH:","GSRES"); @@ -259,8 +250,25 @@ static int do_it(char *path) { exit(1); } #else - gs = popen(gs_cmdline, "r"); - if (gs==0) {perror(cmd); exit(1);} + if (pipe(fd)) { + perror("pipe failed: "); exit(1); + }; + p = fork(); + if (p == -1) { + perror("fork failed: "); exit(1); + } + if (p == 0) { /* child */ + close(fd[0]); + dup2(fd[1], 1); /* Redirect stdout into pipe to parent */ + execvp(gs_cmd, gs_argv); + perror("execvp: "); status=cleanup(); exit(1); + } else { /* parent */ + close(fd[1]); + gs = fdopen(fd[0], "r"); + if (gs == NULL) { + perror("fdopen: "); status=cleanup(); exit(1); + } + } #endif status = pstotextInit(&instance); if (status!=0) {