| From 274b2cc08b0d10a4cac3fe8b50022889f22580cb Mon Sep 17 00:00:00 2001 |
| From: Chris Liddell <chris.liddell@artifex.com> |
| Date: Thu, 20 Sep 2018 16:35:28 +0100 |
| Subject: [PATCH 1/5] Bug 699795: add operand checking to |
| .setnativefontmapbuilt |
| |
| .setnativefontmapbuilt .forceputs a value into systemdict - it is intended |
| to be a boolean, but in this case was being called with a compound object |
| (a dictionary). Such an object, in local VM, being forced into systemdict |
| would then confuse the garbager, since it could be restored away with the |
| reference remaining. |
| |
| This adds operand checking, so .setnativefontmapbuilt will simply ignore |
| anything other than a boolean value, and also removes the definition of |
| .setnativefontmapbuilt after use, since it is only used in two, closely |
| related places. |
| |
| CVE: CVE-2018-17961 |
| Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] |
| Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> |
| --- |
| Resource/Init/gs_fonts.ps | 11 ++++++++--- |
| 1 file changed, 8 insertions(+), 3 deletions(-) |
| |
| diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps |
| index 38f0f6c..45b6613 100644 |
| --- a/Resource/Init/gs_fonts.ps |
| +++ b/Resource/Init/gs_fonts.ps |
| @@ -372,9 +372,13 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if |
| % of strings: what the system thinks is the ps name, |
| % and the access path. |
| /.setnativefontmapbuilt { % set whether we've been run |
| - systemdict exch /.nativefontmapbuilt exch .forceput |
| + dup type /booleantype eq { |
| + systemdict exch /.nativefontmapbuilt exch .forceput |
| + } |
| + {pop} |
| + ifelse |
| } .bind executeonly def |
| -systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt |
| +systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec |
| /.buildnativefontmap { % - .buildnativefontmap <bool> |
| systemdict /.nativefontmapbuilt .knownget not |
| { //false} if |
| @@ -415,9 +419,10 @@ systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt |
| } forall |
| } if |
| % record that we've been run |
| - //true .setnativefontmapbuilt |
| + //true //.setnativefontmapbuilt exec |
| } ifelse |
| } bind def |
| +currentdict /.setnativefontmapbuilt .forceundef |
| |
| % Create the dictionary that registers the .buildfont procedure |
| % (called by definefont) for each FontType. |
| -- |
| 2.7.4 |
| |