Brad Bishop | d89cb5f | 2019-04-10 09:02:41 -0400 | 1 | From 1e830cafa56c6e3e1b08d246eaf5496fe81a0032 Mon Sep 17 00:00:00 2001 |
| 2 | From: Nancy Durgin <nancy.durgin@artifex.com> |
| 3 | Date: Tue, 27 Nov 2018 12:36:14 -0800 |
| 4 | Subject: [PATCH 5/7] Undef a bunch of internal things in gs_res.ps |
| 5 | |
| 6 | CVE: CVE-2019-6116 |
| 7 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] |
| 8 | |
| 9 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> |
| 10 | --- |
| 11 | Resource/Init/gs_res.ps | 72 +++++++++++++++++++++++++-------------- |
| 12 | Resource/Init/gs_resmp.ps | 4 +-- |
| 13 | 2 files changed, 49 insertions(+), 27 deletions(-) |
| 14 | |
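--- a/Resource/Init/gs_res.ps
+++ b/Resource/Init/gs_res.ps
@@ -197,7 +197,7 @@ setglobal
 /.findresource { % <key> <category> findresource <instance>
 2 copy dup /Category eq
 { pop //Category 0 get begin } { .findcategory } ifelse
- /FindResource .resourceexec exch pop exch pop
+ /FindResource //.resourceexec exec exch pop exch pop
 } bind
 end % .Instances of Category
 def
@@ -223,7 +223,7 @@ def
 not { /defineresource cvx /typecheck signaloperror } if
 } if
 } if
- /DefineResource .resourceexec
+ /DefineResource //.resourceexec exec
 4 1 roll pop pop pop
 } .errorexec
 } bind executeonly odef
@@ -252,7 +252,7 @@ def
 % without the check.
 /resourcestatus cvx /typecheck signalerror
 } if
- 2 copy .findcategory /ResourceStatus .resourceexec
+ 2 copy .findcategory /ResourceStatus //.resourceexec exec
 { 4 2 roll pop pop //true } { pop pop //false } ifelse
 } stopped {
 % Although resourcestatus is an operator, Adobe uses executable name
@@ -266,7 +266,7 @@ def
 } if
 1 .argindex 1 index % catch stackunderflow
 
- { .findcategory /UndefineResource .resourceexec pop pop
+ { .findcategory /UndefineResource //.resourceexec exec pop pop
 } stopped {
 % Although undefineresource is an operator, Adobe uses executable name
 % here but uses operator for the errors above. CET 23-33
@@ -315,10 +315,10 @@ currentdict /pssystemparams known not {
 /pssystemparams 10 dict readonly def
 } if
 pssystemparams begin
- .default_resource_dir
- /FontResourceDir (Font) .resource_dir_name
+ //.default_resource_dir exec
+ /FontResourceDir (Font) //.resource_dir_name exec
 readonly .forcedef % pssys'params is r-o
- /GenericResourceDir () .resource_dir_name
+ /GenericResourceDir () //.resource_dir_name exec
 readonly .forcedef % pssys'params is r-o
 pop % .default_resource_dir
 /GenericResourcePathSep
@@ -387,13 +387,13 @@ status {
 } bind def
 /.localresourceforall { % <key> <value> <args> .localr'forall -
 exch pop
- 2 copy 0 get .stringmatch { .enumerateresource } { pop pop } ifelse
+ 2 copy 0 get .stringmatch { //.enumerateresource exec } { pop pop } ifelse
 } bind def
 /.globalresourceforall { % <key> <value> <args> .globalr'forall -
 exch pop
 2 copy 0 get .stringmatch {
 dup 3 get begin .LocalInstances end 2 index known not {
- .enumerateresource
+ //.enumerateresource exec
 } {
 pop pop
 } ifelse
@@ -408,7 +408,7 @@ status {
 3 index known {
 pop pop pop
 } {
- 2 index known { pop pop } { .enumerateresource } ifelse
+ 2 index known { pop pop } { //.enumerateresource exec } ifelse
 } ifelse
 } bind def
 
@@ -468,19 +468,19 @@ status {
 % .knownget doesn't fail on null
 /findresource cvx /typecheck signaloperror
 } if
- dup .getvminstance {
+ dup //.getvminstance exec {
 exch pop 0 get
 } {
 dup ResourceStatus {
 pop 1 gt {
- .DoLoadResource .getvminstance not {
- /findresource cvx .undefinedresource
+ .DoLoadResource //.getvminstance exec not {
+ /findresource cvx //.undefinedresource exec
 } if 0 get
 } {
 .GetInstance pop 0 get
 } ifelse
 } {
- /findresource cvx .undefinedresource
+ /findresource cvx //.undefinedresource exec
 } ifelse
 } ifelse
 } bind executeonly
@@ -621,7 +621,7 @@ status {
 .currentglobal not .setglobal
 vmstatus pop exch pop add
 } repeat
-} bind def
+} bind executeonly odef
 /.DoLoadResource {
 % .LoadResource may push entries on the operand stack.
 % It is an undocumented feature of Adobe implementations,
@@ -633,8 +633,8 @@ status {
 {.LoadResource} 4 1 roll 4 .execn
 % Stack: ... count key memused
 .vmused exch sub
- 1 index .getvminstance not {
- pop dup .undefinedresource % didn't load
+ 1 index //.getvminstance exec not {
+ pop dup //.undefinedresource exec % didn't load
 } if
 dup 1 1 put
 2 3 -1 roll put
@@ -648,7 +648,7 @@ status {
 { //true setglobal { .runresource } stopped //false setglobal { stop } if }
 ifelse
 }
- { dup .undefinedresource
+ { dup //.undefinedresource exec
 }
 ifelse
 } bind
@@ -758,7 +758,7 @@ counttomark 2 idiv
 /FindResource
 { .Instances 1 index .knownget
 { exch pop }
- { /findresource cvx .undefinedresource }
+ { /findresource cvx //.undefinedresource exec }
 ifelse
 } bind executeonly
 /ResourceStatus
@@ -862,7 +862,7 @@ userdict /.localcsdefaults //false put
 2 copy /Generic /Category findresource /DefineResource get exec
 exch pop
 exch //.defaultcsnames exch .knownget {
- 1 index .definedefaultcs
+ 1 index //.definedefaultcs exec
 currentglobal not { .userdict /.localcsdefaults //true put } if
 } if
 } bind executeonly
@@ -872,13 +872,13 @@ userdict /.localcsdefaults //false put
 //.defaultcsnames 1 index .knownget {
 % Stack: resname index
 currentglobal {
- .undefinedefaultcs pop
+ //.undefinedefaultcs exec pop
 } {
 % We removed the local definition, but there might be a global one.
 exch .GetInstance {
- 0 get .definedefaultcs
+ 0 get //.definedefaultcs exec
 } {
- .undefinedefaultcs
+ //.undefinedefaultcs exec
 } ifelse
 % Recompute .localcsdefaults by scanning. This is rarely needed.
 .userdict /.localcsdefaults //false //.defaultcsnames {
@@ -997,7 +997,7 @@ currentdict /.fontstatusaux .undef
 /Generic /Category findresource /UndefineResource get exec
 } bind executeonly
 /FindResource {
- dup .getvminstance {
+ dup //.getvminstance exec {
 exch pop 0 get
 } {
 dup ResourceStatus {
@@ -1024,7 +1024,7 @@ currentdict /.fontstatusaux .undef
 % stack: name font vmused
 % findfont has the prerogative of not calling definefont
 % in certain obscure cases of font substitution.
- 2 index .getvminstance {
+ 2 index //.getvminstance exec {
 dup 1 1 put
 2 3 -1 roll put
 } {
@@ -1159,3 +1159,25 @@ end % level2dict
 
 %% Replace 1 (gs_resmp.ps)
 (gs_resmp.ps) dup runlibfile VMDEBUG
+
+[
+ /.default_resource_dir
+ /.resource_dir_name
+]
+{systemdict exch .forceundef} forall
+
+[
+ /.definedefaultcs
+ /.undefinedefaultcs
+ /.defaultcsnames
+ /.enumerateresource
+ /.externalresourceforall
+ /.getvminstance
+ /.globalresourceforall
+ /.localresourceforall
+ /resourceforall1
+ /.resourceexec
+ /.undefinedresource
+ /.vmused
+]
+{level2dict exch .forceundef} forall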
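Review bot: The `.forceundef` lists at the end of gs_res.ps only remove the names. Every procedure that now embeds `//.resourceexec`, `//.getvminstance` or `//.undefinedresource` still carries the object itself, so a converted caller that stays readable keeps that internal reachable. In the first hunk `.findresource` closes with `} bind` and no `executeonly` is visible, unlike the `} bind executeonly` on the FindResource procedures further down. Its definition continues outside the hunk, so this may be handled elsewhere in the series, but it is worth confirming for each converted caller. Separately, `.vmused exch sub` in the `.DoLoadResource` hunk is still a by-name reference to a name that the second list removes from level2dict. It presumably relies on `bind` resolving the new `odef` operator, so a comment such as `% .vmused is an operator (odef) so bind resolves it before the name is undefined` beside the `} bind executeonly odef` line would make that dependency explicit.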
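--- a/Resource/Init/gs_resmp.ps
+++ b/Resource/Init/gs_resmp.ps
@@ -230,7 +230,7 @@ currentpacking //false setpacking
 } {
 dup dup .map exch .knownget { % /Name /Name <<record>>
 dup dup /RecordVirtualMethods get /IsActive get exec {
- 1 index .getvminstance { % /Name /Name <<record>> holder
+ 1 index //.getvminstance exec { % /Name /Name <<record>> holder
 1 get 1 eq
 } {
 //true
@@ -242,7 +242,7 @@ currentpacking //false setpacking
 DefineResource exec % size bStatusIs1 /Name Instance
 % Make ResourceStatus to return correct values for this instance :
 % Hack: we replace status values in the instance holder :
- exch .getvminstance pop % size bStatusIs1 Instance holder
+ exch //.getvminstance exec pop % size bStatusIs1 Instance holder
 dup 5 -1 roll 2 exch put % bStatusIs1 Instance holder
 3 2 roll { % Instance holder
 1 1 put % Instance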
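Review bot: The two `//.getvminstance exec` replacements are resolved when gs_resmp.ps is scanned, which adds an undocumented load-order dependency. The file must now run before the `.forceundef` list in gs_res.ps removes `.getvminstance` from level2dict, and presumably needs the dictionary holding that name to be visible on the dict stack at load time. The ordering holds in this patch because the undef block is appended after `(gs_resmp.ps) dup runlibfile`, but nothing in gs_resmp.ps says so. A comment near the top of the file, for example `% Must be loaded from gs_res.ps before its internals are undefined; //.getvminstance is bound at scan time`, would keep a later reordering from turning this into an /undefined error at startup. Both enclosing procedures start and end outside the hunks.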
| 248 | -- |
| 249 | 2.18.1 |
| 250 | |