From 274b2cc08b0d10a4cac3fe8b50022889f22580cb Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 20 Sep 2018 16:35:28 +0100
Subject: [PATCH 1/5] Bug 699795: add operand checking to
.setnativefontmapbuilt
.setnativefontmapbuilt .forceputs a value into systemdict - it is intended
to be a boolean, but in this case was being called with a compound object
(a dictionary). Such an object, in local VM, being forced into systemdict
would then confuse the garbager, since it could be restored away with the
reference remaining.
This adds operand checking, so .setnativefontmapbuilt will simply ignore
anything other than a boolean value, and also removes the definition of
.setnativefontmapbuilt after use, since it is only used in two, closely
related places.
CVE: CVE-2018-17961
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
Resource/Init/gs_fonts.ps | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
index 38f0f6c..45b6613 100644
--- a/Resource/Init/gs_fonts.ps
+++ b/Resource/Init/gs_fonts.ps
@@ -372,9 +372,13 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
% of strings: what the system thinks is the ps name,
% and the access path.
/.setnativefontmapbuilt { % set whether we've been run
- systemdict exch /.nativefontmapbuilt exch .forceput
+ dup type /booleantype eq {
+ systemdict exch /.nativefontmapbuilt exch .forceput
+ }
+ {pop}
+ ifelse
} .bind executeonly def
-systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt
+systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec
/.buildnativefontmap { % - .buildnativefontmap <bool>
systemdict /.nativefontmapbuilt .knownget not
{ //false} if
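Review bot: The comment on `/.setnativefontmapbuilt` still reads only `% set whether we've been run`, so nothing at the definition says that the operand must be a boolean or that any other type is silently popped instead of raising typecheck. This check is what keeps a local-VM compound object from being `.forceput` into systemdict, so I would record it at the definition, e.g. `% <bool> .setnativefontmapbuilt -  (non-boolean operands are discarded; only a boolean may be forced into systemdict)`. A caller passing the wrong type now gets no error and `.nativefontmapbuilt` is left unchanged, which is worth stating in the same comment so it is not later mistaken for a bug.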
@@ -415,9 +419,10 @@ systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt
} forall
} if
% record that we've been run
- //true .setnativefontmapbuilt
+ //true //.setnativefontmapbuilt exec
} ifelse
} bind def
+currentdict /.setnativefontmapbuilt .forceundef
% Create the dictionary that registers the .buildfont procedure
% (called by definefont) for each FontType.
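Review bot: `currentdict /.setnativefontmapbuilt .forceundef` removes only the name, while the `//.setnativefontmapbuilt exec` inside `.buildnativefontmap` embeds the procedure object in that body, and `.buildnativefontmap` is closed with plain `bind def` where the helper itself uses `.bind executeonly def`. It looks as though the helper therefore stays reachable through the body of `.buildnativefontmap` (which starts in the previous hunk and is only partly visible here), so the boolean check rather than the undef is what bounds its effect; worth confirming whether `.buildnativefontmap` should be made executeonly as well. The undef also assumes currentdict is still the dictionary the helper was defined in, and a one-line comment would record the intent, e.g. `% helper is only needed above: drop the name (the caller holds the object via //)`.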
--
2.7.4