1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
From d739565534e955c4336731e4ea4eebc895c09c5c Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 18 Dec 2018 10:42:10 +0000
Subject: [PATCH 4/7] Harden some uses of .force* operators
by adding a few immediate evalutions
CVE: CVE-2019-6116
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
---
Resource/Init/gs_dps1.ps | 4 ++--
Resource/Init/gs_fonts.ps | 20 ++++++++++----------
Resource/Init/gs_init.ps | 6 +++---
3 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
index 4fae283..b75ea14 100644
--- a/Resource/Init/gs_dps1.ps
+++ b/Resource/Init/gs_dps1.ps
@@ -74,7 +74,7 @@ level2dict begin
} odef
% undefinefont has to take local/global VM into account.
/undefinefont % <fontname> undefinefont -
- { .FontDirectory 1 .argindex .forceundef % FontDirectory is readonly
+ { //.FontDirectory 1 .argindex .forceundef % FontDirectory is readonly
.currentglobal
{ % Current mode is global; delete from local directory too.
//systemdict /LocalFontDirectory .knownget
@@ -85,7 +85,7 @@ level2dict begin
% definition, copy it into the local directory.
//systemdict /SharedFontDirectory .knownget
{ 1 index .knownget
- { .FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
+ { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
if
}
if
diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
index 290da0c..c13a2fc 100644
--- a/Resource/Init/gs_fonts.ps
+++ b/Resource/Init/gs_fonts.ps
@@ -516,7 +516,7 @@ buildfontdict 3 /.buildfont3 cvx put
if
}
if
- dup .FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
+ dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
% If the font originated as a resource, register it.
currentfile .currentresourcefile eq { dup .registerfont } if
readonly
@@ -943,7 +943,7 @@ $error /SubstituteFont { } put
% Try to find a font using only the present contents of Fontmap.
/.tryfindfont { % <fontname> .tryfindfont <font> true
% <fontname> .tryfindfont false
- .FontDirectory 1 index .fontknownget
+ //.FontDirectory 1 index .fontknownget
{ % Already loaded
exch pop //true
}
@@ -975,7 +975,7 @@ $error /SubstituteFont { } put
{ % Font with a procedural definition
exec % The procedure will load the font.
% Check to make sure this really happened.
- .FontDirectory 1 index .knownget
+ //.FontDirectory 1 index .knownget
{ exch pop //true exit }
if
}
@@ -1081,11 +1081,11 @@ $error /SubstituteFont { } put
% because it's different depending on language level.
.currentglobal exch /.setglobal .systemvar exec
% Remove the fake definition, if any.
- .FontDirectory 3 index .forceundef % readonly
- 1 index (r) file .loadfont .FontDirectory exch
+ //.FontDirectory 3 index .forceundef % readonly
+ 1 index (r) file .loadfont //.FontDirectory exch
/.setglobal .systemvar exec
} executeonly
- { .loadfont .FontDirectory
+ { .loadfont //.FontDirectory
}
ifelse
% Stack: fontname fontfilename fontdirectory
@@ -1119,8 +1119,8 @@ $error /SubstituteFont { } put
% Stack: origfontname fontdirectory filefontname fontdict
3 -1 roll pop
% Stack: origfontname filefontname fontdict
- dup /FontName get dup FontDirectory exch .forceundef
- GlobalFontDirectory exch .forceundef
+ dup /FontName get dup //.FontDirectory exch .forceundef
+ /GlobalFontDirectory .systemvar exch .forceundef
dup length dict .copydict dup 3 index /FontName exch put
2 index exch definefont
exch
@@ -1176,10 +1176,10 @@ currentdict /.putgstringcopy .undef
{
{
pop dup type /stringtype eq { cvn } if
- .FontDirectory 1 index known not {
+ //.FontDirectory 1 index known not {
2 dict dup /FontName 3 index put
dup /FontType 1 put
- .FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
+ //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
} {
pop
} ifelse
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index 56c0bd2..d9a0829 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -1168,8 +1168,8 @@ errordict /unknownerror .undef
}ifelse
}forall
noaccess pop
- systemdict /.setsafeerrors .forceundef
- systemdict /.SAFERERRORLIST .forceundef
+ //systemdict /.setsafeerrors .forceundef
+ //systemdict /.SAFERERRORLIST .forceundef
} bind executeonly odef
SAFERERRORS {.setsafererrors} if
@@ -2114,7 +2114,7 @@ currentdict /tempfilepaths undef
/.locksafe {
.locksafe_userparams
- systemdict /getenv {pop //false} .forceput
+ //systemdict /getenv {pop //false} .forceput
% setpagedevice has the side effect of clearing the page, but
% we will just document that. Using setpagedevice keeps the device
% properties and pagedevice .LockSafetyParams in agreement even
--
2.18.1
|
