base/Makefile.in | 6 0 + 6 - 0 !
base/gdevpdfk.c | 5 2 + 3 - 0 !
base/gs.mak | 11 0 + 11 - 0 !
base/ijs.mak | 2 1 + 1 - 0 !
base/macos-mcp.mak | 3 1 + 2 - 0 !
base/macosx.mak | 1 0 + 1 - 0 !
base/openvms.mak | 3 1 + 2 - 0 !
base/openvms.mmk | 8 1 + 7 - 0 !
base/ugcclib.mak | 1 0 + 1 - 0 !
base/unix-gcc.mak | 5 0 + 5 - 0 !
base/unixansi.mak | 5 0 + 5 - 0 !
base/winlib.mak | 1 0 + 1 - 0 !
psi/os2.mak | 2 1 + 1 - 0 !
psi/winint.mak | 2 1 + 1 - 0 !
psi/zicc.c | 2 1 + 1 - 0 !
15 files changed, 9 insertions(+), 48 deletions(-)

 get rid of 'icclib' since we now use lcms2 (or optionally lcms).

Resource/Init/pdf_draw.ps | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

 correctly restore ps stack when pdf stream run aborts.
 Fix "File has unbalanced q/Q operators (too many Q's)" endless loop.

base/gdevpdfe.c | 65 59 + 6 - 0 !
1 file changed, 59 insertions(+), 6 deletions(-)

 pdfwrite - convert non-utf-16be doc info to utf-8

cups/gstoraster.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 make colord-supplied icc profile getting applied by gstoraster

Resource/Init/pdf_base.ps | 30 22 + 8 - 0 !
1 file changed, 22 insertions(+), 8 deletions(-)

 pdf interpreter - ignore invalid /decodeparams for streams
 Fix "File has unbalanced q/Q operators (too many Q's)" endless loop.
 .
 The PDF file is invalid, it has a /Filters array with 2 elements, and a
 /DecodeParams array with 1 element. The DecodeParams array must have
 either the same number of elements as the Filters, or not be present
 (default).
 .
 We now test the length of each array and ignore the DecodeParams if the
 lengths are not the same (as we have no way to know which Params relate
 to which Filter)

Resource/Init/gs_fonts.ps | 20 14 + 6 - 0 !
1 file changed, 14 insertions(+), 6 deletions(-)

 bug 695031: don't assume we can read a font file
X-Git-Tag: ghostpdl-9.12rc1~50

doc/Devices.htm | 29 29 + 0 - 0 !
1 file changed, 29 insertions(+)

 document inkcov device

base/Makefile.in | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 set docdir appropriately for debian

man/gs.1 | 15 8 + 7 - 0 !
1 file changed, 8 insertions(+), 7 deletions(-)

 fixes for gs.1 (debian specific path adjustments)

base/unix-aux.mak | 12 6 + 6 - 0 !
1 file changed, 6 insertions(+), 6 deletions(-)

 check multiarch paths

man/gs.1 | 22 6 + 16 - 0 !
1 file changed, 6 insertions(+), 16 deletions(-)

 remove non-debian paths from documentation

man/gs.1 | 26 13 + 13 - 0 !
1 file changed, 13 insertions(+), 13 deletions(-)

 fix debian paths in documentation

man/gs.1 | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 suggest install of ghostscript-doc in documentation

psi/imainarg.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 suggest install of ghostscript-doc in code

man/gs.1 | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 mention ghostscipt-x affect on default device in docs

base/gsmalloc.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 cve-2015-3228: integer overflow

Resource/Init/gs_init.ps | 1 1 + 0 - 0 !
psi/zfile.c | 35 19 + 16 - 0 !
2 files changed, 20 insertions(+), 16 deletions(-)

 cve-2013-5653: information disclosure through getenv, filenameforall

base/gsicc_manage.c | 9 6 + 3 - 0 !
base/gslibctx.c | 11 11 + 0 - 0 !
base/gslibctx.h | 7 7 + 0 - 0 !
psi/imain.c | 2 2 + 0 - 0 !
psi/int.mak | 3 2 + 1 - 0 !
psi/zfile.c | 19 19 + 0 - 0 !
psi/zfile.h | 7 7 + 0 - 0 !
7 files changed, 54 insertions(+), 4 deletions(-)

 cve-2016-7976: various userparams allow %pipe% in paths, allowing remote shell command execution

psi/zfile.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 cve-2016-7977: .libfile doesn't check permitfilereading array, allowing remote file disclosure

base/gsdevice.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 cve-2016-7978: reference leak in .setdevice allows use-after-free and remote code execution

psi/zdscpars.c | 13 9 + 4 - 0 !
1 file changed, 9 insertions(+), 4 deletions(-)

 cve-2016-7979: type confusion in .initialize_dsc_parser allows remote code execution

psi/zht2.c | 12 10 + 2 - 0 !
1 file changed, 10 insertions(+), 2 deletions(-)

 cve-2016-8602: check for sufficient params in .sethalftone5 and param types

Resource/Init/gs_init.ps | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

  fix .locksafe
 Apparently we need to .forceput the definition of getenve into
 systemdict, at least when running GSView 5.0.
 .
 Discovered when trying to investigate a customer bug report using
 GSView 5.

base/gxfill.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] bug 697453: avoid divide by 0 in scan conversion code.

Arithmetic overflow due to extreme values in the scan conversion
code can cause a division by 0.

Avoid this with a simple extra check.

  dx_old=cf814d81
  endp->x_next=b0e859b9
  alp->x_next=8069a73a

leads to dx_den = 0

base/gsdevmem.c | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

 [patch] fix crash with bad data supplied to makeimagedevice

Bug #697450 "Null pointer dereference in gx_device_finalize()"

The problem here is that the code to finalise a device unconditionally
frees the icc_struct member of the device structure. However this
particular (weird) device is not setup as a normal device, probably
because its very, very ancient. Its possible for the initialisation
of the device to abort with an error before calling gs_make_mem_device()
which is where the icc_struct member gets allocated (or set to NULL).

If that happens, then the cleanup code tries to free the device, which
calls finalize() which tries to free a garbage pointer.

Setting the device memory to 0x00 after we allocate it means that the
icc_struct member will be NULL< and our memory manager allows for that
happily enough, which avoids the problem.

psi/iparam.c | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 [patch] bug 697548: use the correct param list enumerator

When we encountered dictionary in a ref_param_list, we were using the enumerator
for the "parent" param_list, rather than the enumerator for the param_list
we just created for the dictionary. That parent was usually the stack
list enumerator, and caused a segfault.

Using the correct enumerator works better.

base/gdevmem.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] ensure a device has raster memory, before trying to read it.

Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"

This is only possible by abusing/mis-using Ghostscript-specific
language extensions, so cannot happen in a general PostScript program.

Nevertheless, Ghostscript should not crash. So this commit checks the
memory device to see if raster memory has been allocated, before trying
to read from it.

psi/zmisc3.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [patch 1/2] bug 697799: have .eqproc check its parameters

The Ghostscript custom operator .eqproc was not check the number or type of
the parameters it was given.

psi/zfrsd.c | 22 15 + 7 - 0 !
1 file changed, 15 insertions(+), 7 deletions(-)

 [patch 2/2] bug 697799: have .rsdparams check its parameters

The Ghostscript internal operator .rsdparams wasn't checking the number or
type of the operands it was being passed. Do so.

base/gsalloc.c | 42 28 + 14 - 0 !
1 file changed, 28 insertions(+), 14 deletions(-)

 bug 697985: bounds check the array allocations methods

base/ttinterp.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 bug 698024: bounds check zone pointer in ins_mirp()

base/ttinterp.c | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 bug 698026: bounds check zone pointers in ins_ip()

base/ttinterp.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 bug 698055: bounds check zone pointer in ins_mdrp

base/gxttfb.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 bug 698056: make bounds check in gx_ttfreader__read more robust

base/ttinterp.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 bug 698063: bounds check ins_jmpr

psi/ztoken.c | 14 13 + 1 - 0 !
1 file changed, 13 insertions(+), 1 deletion(-)

 bug 698158: prevent trying to reloc a freed object

base/gxht_thresh.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 fix bug 696398: segfault with fuzzing file.

base/gxht_thresh.c | 13 10 + 3 - 0 !
base/gxipixel.c | 2 1 + 1 - 0 !
2 files changed, 11 insertions(+), 4 deletions(-)

 fix bug 697459 buffer overflow in fill_threshold_buffer

base/gdevpdts.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 pdfwrite - guard against trying to output an infinite number