5 files changed, 65 insertions, 60 deletions

diff --git a/base/gdevpipe.c b/base/gdevpipe.c
index 96d71f5d8..5bdc485be 100644
--- a/base/gdevpipe.c
+++ b/base/gdevpipe.c
@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access,
 #else
     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
     gs_fs_list_t *fs = ctx->core->fs;
+    /* The pipe device can be reached in two ways, explicltly with %pipe%
+       or implicitly with "|", so we have to check for both
+     */
+    char f[gp_file_name_sizeof];
+    const char *pipestr = "|";
+    const size_t pipestrlen = strlen(pipestr);
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
+    int code1;
+
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(f, iodev->dname, preflen);
+    memcpy(f + preflen, fname, nlen + 1);
+
+    code1 = gp_validate_path(mem, f, access);
+
+    memcpy(f, pipestr, pipestrlen);
+    memcpy(f + pipestrlen, fname, nlen + 1);
 
-    if (gp_validate_path(mem, fname, access) != 0)
+    if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
         return gs_error_invalidfileaccess;
 
     /*
diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
index 2b964ed74..8d87ceadc 100644
--- a/base/gp_mshdl.c
+++ b/base/gp_mshdl.c
@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access,
     long hfile; /* Correct for Win32, may be wrong for Win64 */
     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
     gs_fs_list_t *fs = ctx->core->fs;
+    char f[gp_file_name_sizeof];
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
 
-    if (gp_validate_path(mem, fname, access) != 0)
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(f, iodev->dname, preflen);
+    memcpy(f + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, f, access) != 0)
         return gs_error_invalidfileaccess;
 
     /* First we try the open_handle method. */
diff --git a/base/gp_msprn.c b/base/gp_msprn.c
index ed4827968..746a974f7 100644
--- a/base/gp_msprn.c
+++ b/base/gp_msprn.c
@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
     uintptr_t *ptid = &((tid_t *)(iodev->state))->tid;
     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
     gs_fs_list_t *fs = ctx->core->fs;
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
 
-    if (gp_validate_path(mem, fname, access) != 0)
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(pname, iodev->dname, preflen);
+    memcpy(pname + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, pname, access) != 0)
         return gs_error_invalidfileaccess;
 
     /* First we try the open_printer method. */
diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
index f852c71fc..ba54cde66 100644
--- a/base/gp_os2pr.c
+++ b/base/gp_os2pr.c
@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
            FILE ** pfile, char *rfname, uint rnamelen)
 {
     os2_printer_t *pr = (os2_printer_t *)iodev->state;
-    char driver_name[256];
+    char driver_name[gp_file_name_sizeof];
     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
     gs_fs_list_t *fs = ctx->core->fs;
+    const size_t preflen = strlen(iodev->dname);
+    const int size_t = strlen(fname);
+
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(driver_name, iodev->dname, preflen);
+    memcpy(driver_name + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, driver_name, access) != 0)
+        return gs_error_invalidfileaccess;
 
     /* First we try the open_printer method. */
     /* Note that the loop condition here ensures we don't
diff --git a/base/gslibctx.c b/base/gslibctx.c
index 6dfed6cd5..318039fad 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
 int
 gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
 {
-    char *fp, f[gp_file_name_sizeof];
-    const int pipe = 124; /* ASCII code for '|' */
-    const int len = strlen(fname);
-    int i, code;
+    char f[gp_file_name_sizeof];
+    int code;
 
     /* Be sure the string copy will fit */
-    if (len >= gp_file_name_sizeof)
+    if (strlen(fname) >= gp_file_name_sizeof)
         return gs_error_rangecheck;
     strcpy(f, fname);
-    fp = f;
     /* Try to rewrite any %d (or similar) in the string */
     rewrite_percent_specifiers(f);
-    for (i = 0; i < len; i++) {
-        if (f[i] == pipe) {
-           fp = &f[i + 1];
-           /* Because we potentially have to check file permissions at two levels
-              for the output file (gx_device_open_output_file and the low level
-              fopen API, if we're using a pipe, we have to add both the full string,
-              (including the '|', and just the command to which we pipe - since at
-              the pipe_fopen(), the leading '|' has been stripped.
-            */
-           code = gs_add_control_path(mem, gs_permit_file_writing, f);
-           if (code < 0)
-               return code;
-           code = gs_add_control_path(mem, gs_permit_file_control, f);
-           if (code < 0)
-               return code;
-           break;
-        }
-        if (!IS_WHITESPACE(f[i]))
-            break;
-    }
-    code = gs_add_control_path(mem, gs_permit_file_control, fp);
+
+    code = gs_add_control_path(mem, gs_permit_file_control, f);
     if (code < 0)
         return code;
-    return gs_add_control_path(mem, gs_permit_file_writing, fp);
+    return gs_add_control_path(mem, gs_permit_file_writing, f);
 }
 
 int
 gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
 {
-    char *fp, f[gp_file_name_sizeof];
-    const int pipe = 124; /* ASCII code for '|' */
-    const int len = strlen(fname);
-    int i, code;
+    char f[gp_file_name_sizeof];
+    int code;
 
     /* Be sure the string copy will fit */
-    if (len >= gp_file_name_sizeof)
+    if (strlen(fname) >= gp_file_name_sizeof)
         return gs_error_rangecheck;
     strcpy(f, fname);
-    fp = f;
     /* Try to rewrite any %d (or similar) in the string */
-    for (i = 0; i < len; i++) {
-        if (f[i] == pipe) {
-           fp = &f[i + 1];
-           /* Because we potentially have to check file permissions at two levels
-              for the output file (gx_device_open_output_file and the low level
-              fopen API, if we're using a pipe, we have to add both the full string,
-              (including the '|', and just the command to which we pipe - since at
-              the pipe_fopen(), the leading '|' has been stripped.
-            */
-           code = gs_remove_control_path(mem, gs_permit_file_writing, f);
-           if (code < 0)
-               return code;
-           code = gs_remove_control_path(mem, gs_permit_file_control, f);
-           if (code < 0)
-               return code;
-           break;
-        }
-        if (!IS_WHITESPACE(f[i]))
-            break;
-    }
-    code = gs_remove_control_path(mem, gs_permit_file_control, fp);
+    rewrite_percent_specifiers(f);
+
+    code = gs_remove_control_path(mem, gs_permit_file_control, f);
     if (code < 0)
         return code;
-    return gs_remove_control_path(mem, gs_permit_file_writing, fp);
+    return gs_remove_control_path(mem, gs_permit_file_writing, f);
 }
 
 int