From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 22 Apr 2024 13:33:47 +0100
Subject: OPVP device - prevent unsafe parameter change with SAFER
Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7145885041bb52cc23964f0aa2aec1b1c82b5908
Bug: https://bugs.ghostscript.com/show_bug.cgi?id=707754
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-33871

Bug #707754 "OPVP device - Arbitrary code execution via custom Driver library"

The "Driver" parameter for the "opvp"/"oprp" device specifies the name
of a dynamic library and allows any library to be loaded.

The patch does not allow changing this parameter after activating path
control.

This addresses CVE-2024-33871
---
 contrib/opvp/gdevopvp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
index 74200cf9d47b..80eb23b1739d 100644
--- a/contrib/opvp/gdevopvp.c
+++ b/contrib/opvp/gdevopvp.c
@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist)
     code = param_read_string(plist, pname, &vdps);
     switch (code) {
     case 0:
+        if (gs_is_path_control_active(dev->memory)
+            && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size
+                || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) {
+            param_signal_error(plist, pname, gs_error_invalidaccess);
+            return_error(gs_error_invalidaccess);
+        }
         buff = realloc(buff, vdps.size + 1);
         memcpy(buff, vdps.data, vdps.size);
         buff[vdps.size] = 0;
-- 
2.43.0