| 1 | From 274b2cc08b0d10a4cac3fe8b50022889f22580cb Mon Sep 17 00:00:00 2001 |
| 2 | From: Chris Liddell <chris.liddell@artifex.com> |
| 3 | Date: Thu, 20 Sep 2018 16:35:28 +0100 |
| 4 | Subject: [PATCH 1/5] Bug 699795: add operand checking to |
| 5 | .setnativefontmapbuilt |
| 6 | |
| 7 | .setnativefontmapbuilt .forceputs a value into systemdict - it is intended |
| 8 | to be a boolean, but in this case was being called with a compound object |
| 9 | (a dictionary). Such an object, in local VM, being forced into systemdict |
| 10 | would then confuse the garbager, since it could be restored away with the |
| 11 | reference remaining. |
| 12 | |
| 13 | This adds operand checking, so .setnativefontmapbuilt will simply ignore |
| 14 | anything other than a boolean value, and also removes the definition of |
| 15 | .setnativefontmapbuilt after use, since it is only used in two, closely |
| 16 | related places. |
| 17 | |
| 18 | CVE: CVE-2018-17961 |
| 19 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] |
| 20 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> |
| 21 | --- |
| 22 | Resource/Init/gs_fonts.ps | 11 ++++++++--- |
| 23 | 1 file changed, 8 insertions(+), 3 deletions(-) |
| 24 | |
| 25 | diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps |
| 26 | index 38f0f6c..45b6613 100644 |
| 27 | --- a/Resource/Init/gs_fonts.ps |
| 28 | +++ b/Resource/Init/gs_fonts.ps |
| 29 | @@ -372,9 +372,13 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if |
| 30 | % of strings: what the system thinks is the ps name, |
| 31 | % and the access path. |
| 32 | /.setnativefontmapbuilt { % set whether we've been run |
| 33 | - systemdict exch /.nativefontmapbuilt exch .forceput |
| 34 | + dup type /booleantype eq { |
| 35 | + systemdict exch /.nativefontmapbuilt exch .forceput |
| 36 | + } |
| 37 | + {pop} |
| 38 | + ifelse |
| 39 | } .bind executeonly def |
| 40 | -systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt |
| 41 | +systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec |
| 42 | /.buildnativefontmap { % - .buildnativefontmap <bool> |
| 43 | systemdict /.nativefontmapbuilt .knownget not |
| 44 | { //false} if |
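Review bot: The new `{pop}` branch in `.setnativefontmapbuilt` drops a non-boolean operand with no error and no comment, so a wrong-typed call is silently ignored and a later reader cannot see why the check exists. A comment on the type test would record the reason given in the commit message, for example `% only a boolean may be .forceput into systemdict; a local-VM composite would outlive a restore`. The guard covers the operand's type only: an empty operand stack would still raise an error at `dup`, inside a procedure that contains `.forceput`. It is worth confirming that the remaining patches in this series deal with that error path. The body of `.buildnativefontmap`, which begins at the end of this hunk, continues outside it.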
| 45 | @@ -415,9 +419,10 @@ systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt |
| 46 | } forall |
| 47 | } if |
| 48 | % record that we've been run |
| 49 | - //true .setnativefontmapbuilt |
| 50 | + //true //.setnativefontmapbuilt exec |
| 51 | } ifelse |
| 52 | } bind def |
| 53 | +currentdict /.setnativefontmapbuilt .forceundef |
| 54 | |
| 55 | % Create the dictionary that registers the .buildfont procedure |
| 56 | % (called by definefont) for each FontType. |
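Review bot: `currentdict /.setnativefontmapbuilt .forceundef` removes only the name, and only from whichever dictionary is current at that line. The procedure object itself stays embedded in `.buildnativefontmap` through `//.setnativefontmapbuilt exec`, and that procedure is closed with plain `bind def` rather than the `.bind executeonly def` used for the helper. So the operand check in the first hunk, not the undef, is what limits what can reach `.forceput`; consider whether `.buildnativefontmap` should be `executeonly` as well. If the dictionary stack here can differ from the one in effect at the definition, the undef would presumably leave the name defined without reporting it. A comment such as `% must run with the same currentdict as the def of .setnativefontmapbuilt above` would make that assumption visible. The start of `.buildnativefontmap` and most of its body lie outside this hunk.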
| 57 | -- |
| 58 | 2.7.4 |
| 59 | |