File CVE-2023-36664.patch of Package ghostscript.29958

--- base/gpmisc.c.orig	2020-03-19 09:21:42.000000000 +0100
+++ base/gpmisc.c	2023-06-29 11:46:31.303189291 +0200
@@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t *
              && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
           prefix_len = 0;
     }
-    rlen = len+1;
-    bufferfull = (char *)gs_alloc_bytes(mem->non_gc_memory, rlen + prefix_len, "gp_validate_path");
-    if (bufferfull == NULL)
-        return gs_error_VMerror;
 
-    buffer = bufferfull + prefix_len;
-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
-        return gs_error_invalidfileaccess;
-    buffer[rlen] = 0;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+        memcpy(buffer, path, len);
+        buffer[len] = 0;
+        rlen = len;
+    }
+    else {
+        rlen = len+1;
+        bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+        if (bufferfull == NULL)
+            return gs_error_VMerror;
 
+        buffer = bufferfull + prefix_len;
+        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+            return gs_error_invalidfileaccess;
+        buffer[rlen] = 0;
+    }
     while (1) {
         switch (mode[0])
         {
--- base/gslibctx.c.orig	2021-09-10 09:25:42.058108741 +0200
+++ base/gslibctx.c	2023-06-29 12:27:19.647950630 +0200
@@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_
             return gs_error_rangecheck;
     }
 
-    rlen = len+1;
-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
-    if (buffer == NULL)
-        return gs_error_VMerror;
-
-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
-        return gs_error_invalidfileaccess;
-    buffer[rlen] = 0;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+        memcpy(buffer, path, len);
+        buffer[len] = 0;
+        rlen = len;
+    }
+    else {
+        rlen = len + 1;
+
+        buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+
+        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+            return gs_error_invalidfileaccess;
+        buffer[rlen] = 0;
+    }
 
     n = control->num;
     for (i = 0; i < n; i++)
@@ -802,14 +816,28 @@ gs_remove_control_path_len(const gs_memo
             return gs_error_rangecheck;
     }
 
-    rlen = len+1;
-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
-    if (buffer == NULL)
-        return gs_error_VMerror;
-
-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
-        return gs_error_invalidfileaccess;
-    buffer[rlen] = 0;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+        memcpy(buffer, path, len);
+        buffer[len] = 0;
+        rlen = len;
+    }
+    else {
+        rlen = len+1;
+
+        buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+
+        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+            return gs_error_invalidfileaccess;
+        buffer[rlen] = 0;
+    }
 
     n = control->num;
     for (i = 0; i < n; i++) {
openSUSE Build Service is sponsored by