Brad Bishop | d89cb5f | 2019-04-10 09:02:41 -0400 | [diff] [blame^] | 1 | From d739565534e955c4336731e4ea4eebc895c09c5c Mon Sep 17 00:00:00 2001 |
| 2 | From: Chris Liddell <chris.liddell@artifex.com> |
| 3 | Date: Tue, 18 Dec 2018 10:42:10 +0000 |
| 4 | Subject: [PATCH 4/7] Harden some uses of .force* operators |
| 5 | |
| 6 | by adding a few immediate evalutions |
| 7 | |
| 8 | CVE: CVE-2019-6116 |
| 9 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] |
| 10 | |
| 11 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> |
| 12 | --- |
| 13 | Resource/Init/gs_dps1.ps | 4 ++-- |
| 14 | Resource/Init/gs_fonts.ps | 20 ++++++++++---------- |
| 15 | Resource/Init/gs_init.ps | 6 +++--- |
| 16 | 3 files changed, 15 insertions(+), 15 deletions(-) |
| 17 | |
| 18 | diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps |
| 19 | index 4fae283..b75ea14 100644 |
| 20 | --- a/Resource/Init/gs_dps1.ps |
| 21 | +++ b/Resource/Init/gs_dps1.ps |
| 22 | @@ -74,7 +74,7 @@ level2dict begin |
| 23 | } odef |
| 24 | % undefinefont has to take local/global VM into account. |
| 25 | /undefinefont % <fontname> undefinefont - |
| 26 | - { .FontDirectory 1 .argindex .forceundef % FontDirectory is readonly |
| 27 | + { //.FontDirectory 1 .argindex .forceundef % FontDirectory is readonly |
| 28 | .currentglobal |
| 29 | { % Current mode is global; delete from local directory too. |
| 30 | //systemdict /LocalFontDirectory .knownget |
| 31 | @@ -85,7 +85,7 @@ level2dict begin |
| 32 | % definition, copy it into the local directory. |
| 33 | //systemdict /SharedFontDirectory .knownget |
| 34 | { 1 index .knownget |
| 35 | - { .FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly |
| 36 | + { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly |
| 37 | if |
| 38 | } |
| 39 | if |
| 40 | diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps |
| 41 | index 290da0c..c13a2fc 100644 |
| 42 | --- a/Resource/Init/gs_fonts.ps |
| 43 | +++ b/Resource/Init/gs_fonts.ps |
| 44 | @@ -516,7 +516,7 @@ buildfontdict 3 /.buildfont3 cvx put |
| 45 | if |
| 46 | } |
| 47 | if |
| 48 | - dup .FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly |
| 49 | + dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly |
| 50 | % If the font originated as a resource, register it. |
| 51 | currentfile .currentresourcefile eq { dup .registerfont } if |
| 52 | readonly |
| 53 | @@ -943,7 +943,7 @@ $error /SubstituteFont { } put |
| 54 | % Try to find a font using only the present contents of Fontmap. |
| 55 | /.tryfindfont { % <fontname> .tryfindfont <font> true |
| 56 | % <fontname> .tryfindfont false |
| 57 | - .FontDirectory 1 index .fontknownget |
| 58 | + //.FontDirectory 1 index .fontknownget |
| 59 | { % Already loaded |
| 60 | exch pop //true |
| 61 | } |
| 62 | @@ -975,7 +975,7 @@ $error /SubstituteFont { } put |
| 63 | { % Font with a procedural definition |
| 64 | exec % The procedure will load the font. |
| 65 | % Check to make sure this really happened. |
| 66 | - .FontDirectory 1 index .knownget |
| 67 | + //.FontDirectory 1 index .knownget |
| 68 | { exch pop //true exit } |
| 69 | if |
| 70 | } |
| 71 | @@ -1081,11 +1081,11 @@ $error /SubstituteFont { } put |
| 72 | % because it's different depending on language level. |
| 73 | .currentglobal exch /.setglobal .systemvar exec |
| 74 | % Remove the fake definition, if any. |
| 75 | - .FontDirectory 3 index .forceundef % readonly |
| 76 | - 1 index (r) file .loadfont .FontDirectory exch |
| 77 | + //.FontDirectory 3 index .forceundef % readonly |
| 78 | + 1 index (r) file .loadfont //.FontDirectory exch |
| 79 | /.setglobal .systemvar exec |
| 80 | } executeonly |
| 81 | - { .loadfont .FontDirectory |
| 82 | + { .loadfont //.FontDirectory |
| 83 | } |
| 84 | ifelse |
| 85 | % Stack: fontname fontfilename fontdirectory |
| 86 | @@ -1119,8 +1119,8 @@ $error /SubstituteFont { } put |
| 87 | % Stack: origfontname fontdirectory filefontname fontdict |
| 88 | 3 -1 roll pop |
| 89 | % Stack: origfontname filefontname fontdict |
| 90 | - dup /FontName get dup FontDirectory exch .forceundef |
| 91 | - GlobalFontDirectory exch .forceundef |
| 92 | + dup /FontName get dup //.FontDirectory exch .forceundef |
| 93 | + /GlobalFontDirectory .systemvar exch .forceundef |
| 94 | dup length dict .copydict dup 3 index /FontName exch put |
| 95 | 2 index exch definefont |
| 96 | exch |
| 97 | @@ -1176,10 +1176,10 @@ currentdict /.putgstringcopy .undef |
| 98 | { |
| 99 | { |
| 100 | pop dup type /stringtype eq { cvn } if |
| 101 | - .FontDirectory 1 index known not { |
| 102 | + //.FontDirectory 1 index known not { |
| 103 | 2 dict dup /FontName 3 index put |
| 104 | dup /FontType 1 put |
| 105 | - .FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly |
| 106 | + //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly |
| 107 | } { |
| 108 | pop |
| 109 | } ifelse |
| 110 | diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps |
| 111 | index 56c0bd2..d9a0829 100644 |
| 112 | --- a/Resource/Init/gs_init.ps |
| 113 | +++ b/Resource/Init/gs_init.ps |
| 114 | @@ -1168,8 +1168,8 @@ errordict /unknownerror .undef |
| 115 | }ifelse |
| 116 | }forall |
| 117 | noaccess pop |
| 118 | - systemdict /.setsafeerrors .forceundef |
| 119 | - systemdict /.SAFERERRORLIST .forceundef |
| 120 | + //systemdict /.setsafeerrors .forceundef |
| 121 | + //systemdict /.SAFERERRORLIST .forceundef |
| 122 | } bind executeonly odef |
| 123 | |
| 124 | SAFERERRORS {.setsafererrors} if |
| 125 | @@ -2114,7 +2114,7 @@ currentdict /tempfilepaths undef |
| 126 | |
| 127 | /.locksafe { |
| 128 | .locksafe_userparams |
| 129 | - systemdict /getenv {pop //false} .forceput |
| 130 | + //systemdict /getenv {pop //false} .forceput |
| 131 | % setpagedevice has the side effect of clearing the page, but |
| 132 | % we will just document that. Using setpagedevice keeps the device |
| 133 | % properties and pagedevice .LockSafetyParams in agreement even |
| 134 | -- |
| 135 | 2.18.1 |
| 136 | |