|
 |
8812f8 |
From: Ken Sharp <ken.sharp@artifex.com>
|
|
|
8812f8 |
Date: Thu, 23 Aug 2018 13:12:48 +0000 (+0100)
|
|
|
8812f8 |
Subject: Fix Bug 699660 "shading_param incomplete type checking"
|
|
|
8812f8 |
|
|
|
8812f8 |
Fix Bug 699660 "shading_param incomplete type checking"
|
|
|
8812f8 |
|
|
|
8812f8 |
Its possible to pass a t_struct parameter to .shfill which is not a
|
|
|
8812f8 |
shading function built by .buildshading. This could then lead to memory
|
|
|
8812f8 |
corruption or a segmentation fault by treating the object passed in
|
|
|
8812f8 |
as if it were a shading.
|
|
|
8812f8 |
|
|
|
8812f8 |
Its non-trivial to check the t_struct, because this function can take
|
|
|
8812f8 |
7 different kinds of structures as a parameter. Checking these is
|
|
|
8812f8 |
possible, of course, but would add a performance penalty.
|
|
|
8812f8 |
|
|
|
8812f8 |
However, we can note that we never call .shfill without first calling
|
|
|
8812f8 |
.buildshading, and we never call .buildshading without immediately
|
|
|
8812f8 |
calling .shfill. So we can treat these as an atomic operation. The
|
|
|
8812f8 |
.buildshading function takes all its parameters as PostScript objects
|
|
|
8812f8 |
and validates them, so that should be safe.
|
|
|
8812f8 |
|
|
|
8812f8 |
This allows us to 'hide' the .shfill operator preventing the possibility
|
|
|
8812f8 |
of passing an invalid parameter.
|
|
|
8812f8 |
|
|
|
8812f8 |
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0b6cd1918e1ec4ffd087400a754a845180a4522b
|
|
|
8812f8 |
|
|
|
8812f8 |
From: Ken Sharp <ken.sharp@artifex.com>
|
|
|
8812f8 |
Date: Fri, 24 Aug 2018 11:44:26 +0000 (+0100)
|
|
|
8812f8 |
Subject: Hide the .shfill operator
|
|
|
8812f8 |
|
|
|
8812f8 |
Hide the .shfill operator
|
|
|
8812f8 |
|
|
|
8812f8 |
Commit 0b6cd1918e1ec4ffd087400a754a845180a4522b was supposed to make
|
|
|
8812f8 |
the .shfill operator unobtainable, but I accidentally left a comment
|
|
|
8812f8 |
in the line doing so.
|
|
|
8812f8 |
|
|
|
8812f8 |
Fix it here, without this the operator can still be exploited.
|
|
|
8812f8 |
|
|
|
8812f8 |
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e01e77a36cbb2e0277bc3a63852244bec41be0f6
|
|
|
8812f8 |
---
|
|
|
8812f8 |
|
|
|
09061c |
diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2018-15909 ghostscript-9.07/Resource/Init/gs_init.ps
|
|
|
09061c |
--- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2018-15909 2018-12-10 11:23:36.732179705 +0100
|
|
|
09061c |
+++ ghostscript-9.07/Resource/Init/gs_init.ps 2018-12-10 11:23:36.738179607 +0100
|
|
|
8812f8 |
@@ -2136,8 +2136,8 @@ SAFER { .setsafe } if
|
|
|
8812f8 |
/.getiodevice /.getdevparms /.putdevparams /.bbox_transform /.matchmedia /.matchpagesize /.defaultpapersize
|
|
|
8812f8 |
/.oserrno /.setoserrno /.oserrorstring /.getCPSImode
|
|
|
8812f8 |
/.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep
|
|
|
8812f8 |
-/.buildshading1 /.buildshadin2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
|
|
|
8812f8 |
-/.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
|
|
|
8812f8 |
+/.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
|
|
|
8812f8 |
+/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
|
|
|
8812f8 |
/.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
|
|
|
8812f8 |
/.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
|
|
|
8812f8 |
/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
|
|
|
09061c |
diff -up ghostscript-9.07/Resource/Init/gs_ll3.ps.cve-2018-15909 ghostscript-9.07/Resource/Init/gs_ll3.ps
|
|
|
09061c |
--- ghostscript-9.07/Resource/Init/gs_ll3.ps.cve-2018-15909 2013-02-14 08:58:16.000000000 +0100
|
|
|
09061c |
+++ ghostscript-9.07/Resource/Init/gs_ll3.ps 2018-12-10 11:23:36.739179591 +0100
|
|
|
8812f8 |
@@ -406,6 +406,11 @@ systemdict /.reuseparamdict mark
|
|
|
8812f8 |
/shfill .systemvar /undefined signalerror
|
|
|
8812f8 |
} ifelse
|
|
|
8812f8 |
} bind def
|
|
|
8812f8 |
+
|
|
|
8812f8 |
+/.buildshading_and_shfill {
|
|
|
8812f8 |
+ .buildshading .shfill
|
|
|
8812f8 |
+} bind def
|
|
|
8812f8 |
+
|
|
|
8812f8 |
systemdict /.reuseparamdict undef
|
|
|
8812f8 |
|
|
|
8812f8 |
/.buildpattern2 { % <template> <matrix> .buildpattern2
|
|
|
8812f8 |
@@ -430,7 +435,7 @@ systemdict /.reuseparamdict undef
|
|
|
8812f8 |
% Currently, .shfill requires that the color space
|
|
|
8812f8 |
% in the pattern be the current color space.
|
|
|
8812f8 |
% Disable overprintmode for shfill
|
|
|
8812f8 |
- { dup gsave 0 .setoverprintmode .buildshading .shfill } stopped
|
|
|
8812f8 |
+ { dup gsave 0 .setoverprintmode .buildshading_and_shfill } stopped
|
|
|
8812f8 |
grestore {
|
|
|
8812f8 |
/$error .systemvar /errorinfo 2 copy known {
|
|
|
8812f8 |
pop pop
|
|
|
09061c |
diff -up ghostscript-9.07/Resource/Init/pdf_draw.ps.cve-2018-15909 ghostscript-9.07/Resource/Init/pdf_draw.ps
|
|
|
09061c |
--- ghostscript-9.07/Resource/Init/pdf_draw.ps.cve-2018-15909 2013-02-14 08:58:16.000000000 +0100
|
|
|
09061c |
+++ ghostscript-9.07/Resource/Init/pdf_draw.ps 2018-12-10 11:32:31.155445637 +0100
|
|
|
09061c |
@@ -1131,9 +1131,8 @@ drawopdict begin
|
|
|
8812f8 |
exch
|
|
|
8812f8 |
pop
|
|
|
8812f8 |
} {
|
|
|
8812f8 |
- .buildshading
|
|
|
8812f8 |
+ .buildshading_and_shfill
|
|
|
8812f8 |
} ifelse
|
|
|
09061c |
- .shfill
|
|
|
8812f8 |
} stopped {
|
|
|
09061c |
pop
|
|
|
09061c |
( **** Warning: Dropping incorrect smooth shading object.\n)
|