From: Chris Liddell <chris.liddell@artifex.com>

Date: Sat, 29 Sep 2018 14:34:55 +0000 (+0100)

Subject: Bug 699816: Improve hiding of security critical custom operators

Bug 699816: Improve hiding of security critical custom operators

Make procedures that use .forceput/.forcedef/.forceundef into operators.

The result of this is that errors get reported against the "top" operator,

rather than the "called" operator within the procedure.

For example:

/myproc

{

  myop

} bind def

If 'myop' throws an error, the error handler will be passed the 'myop'

operator. Promoting 'myproc' to a operator means the error handler will be

passed 'myproc'.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a54c9e61e7d02bbc620bcba9b1c208462a876afb

From: Chris Liddell <chris.liddell@artifex.com>

Date: Wed, 10 Oct 2018 22:25:51 +0000 (+0100)

Subject: Bug 699938: .loadfontloop must be an operator

Bug 699938: .loadfontloop must be an operator

In the fix for Bug 699816, I omitted to make .loadfontloop into an operator, to

better hide .forceundef and .putgstringcopy.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a5a9bf8c6a63aa4ac6874234fe8cd63e72077291

From: Chris Liddell <chris.liddell@artifex.com>

Date: Wed, 28 Nov 2018 17:12:08 +0000 (+0000)

Subject: Bug 700290: Fix problems with DELAYBIND and font substitution

Bug 700290: Fix problems with DELAYBIND and font substitution

Judicious use of immediate evaluation for .setnativefontmapbuilt and

.putgstringcopy to avoid problems with DELAYBIND

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2756f0efae1d3966989b15a6526c5d80848b5015

---

diff -up ghostscript-9.07/Resource/Init/gs_diskn.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_diskn.ps

--- ghostscript-9.07/Resource/Init/gs_diskn.ps.cve-2018-17961	2013-02-14 08:58:16.000000000 +0100

+++ ghostscript-9.07/Resource/Init/gs_diskn.ps	2018-12-10 14:51:03.208407266 +0100

@@ -53,7 +53,7 @@ systemdict begin

     exch .setglobal

   }

   if

-} .bind executeonly def % must be bound and hidden for .forceput

+} .bind executeonly odef % must be bound and hidden for .forceput

 % Modify .putdevparams to force regeneration of .searchabledevs list

 /.putdevparams {

diff -up ghostscript-9.07/Resource/Init/gs_dps.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_dps.ps

--- ghostscript-9.07/Resource/Init/gs_dps.ps.cve-2018-17961	2013-02-14 08:58:16.000000000 +0100

+++ ghostscript-9.07/Resource/Init/gs_dps.ps	2018-12-10 14:51:03.208407266 +0100

@@ -71,7 +71,7 @@

   //true .setglobal

   //systemdict /savedinitialgstate gstate readonly put

   .setglobal

-} .bind def

+} .bind executeonly odef % must be bound and hidden for .forceput

 % Initialize local dictionaries and gstate when creating a new context.

 % Note that until this completes, we are in the anomalous situation of

diff -up ghostscript-9.07/Resource/Init/gs_fntem.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_fntem.ps

--- ghostscript-9.07/Resource/Init/gs_fntem.ps.cve-2018-17961	2013-02-14 08:58:16.000000000 +0100

+++ ghostscript-9.07/Resource/Init/gs_fntem.ps	2018-12-10 14:51:03.209407249 +0100

@@ -432,7 +432,7 @@ currentdict end def

     exit

   } loop

   exch setglobal

-} bind def

+} .bind executeonly odef % must be bound and hidden for .forceput

 currentdict end /ProcSet defineresource pop

diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_fonts.ps

--- ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2018-17961	2018-12-10 14:51:03.002410648 +0100

+++ ghostscript-9.07/Resource/Init/gs_fonts.ps	2018-12-10 14:51:03.209407249 +0100

@@ -375,7 +375,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .

 % and the access path.

 /.setnativefontmapbuilt { % set whether we've been run

   systemdict exch /.nativefontmapbuilt exch .forceput

-} .bind executeonly def

+} .bind executeonly odef

 systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt

 /.buildnativefontmap {   % - .buildnativefontmap <bool>

   QUIET not {

@@ -404,7 +404,7 @@ systemdict /NONATIVEFONTMAP known .setna

     } forall

   } if

   % record that we've been run

-  //true .setnativefontmapbuilt

+  //true //.setnativefontmapbuilt

 } bind def

 % Create the dictionary that registers the .buildfont procedure

@@ -1082,7 +1082,7 @@ $error /SubstituteFont { } put

                 % Check to make sure the font was actually loaded.

         dup 3 index .fontknownget

-         { dup /PathLoad 4 index //.putgstringcopy exec

+         { dup /PathLoad 4 index //.putgstringcopy

            4 1 roll pop pop pop //true exit

          } if

@@ -1094,7 +1094,7 @@ $error /SubstituteFont { } put

          {            % Stack: origfontname fontdirectory path filefontname

            2 index 1 index .fontknownget

             {   % Yes.  Stack: origfontname fontdirectory path filefontname fontdict

-              dup 4 -1 roll /PathLoad exch //.putgstringcopy exec

+              dup 4 -1 roll /PathLoad exch //.putgstringcopy

                       % Stack: origfontname fontdirectory filefontname fontdict

               3 -1 roll pop exch

                       % Stack: origfontname fontdict filefontname

@@ -1122,9 +1122,8 @@ $error /SubstituteFont { } put

     } loop              % end of loop

- } bind executeonly def % must be bound and hidden for .putgstringcopy

-

-currentdict /.putgstringcopy .undef

+ } bind executeonly odef % must be bound and hidden for .putgstringcopy

+currentdict /.putgstringcopy .forceundef

 % Define a procedure to load all known fonts.

 % This isn't likely to be very useful.

diff -up ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_lev2.ps

--- ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2018-17961	2013-02-14 08:58:16.000000000 +0100

+++ ghostscript-9.07/Resource/Init/gs_lev2.ps	2018-12-10 14:51:03.210407233 +0100

@@ -163,9 +163,10 @@ end

         % Set them again to the new values.  From here on, we are safe,

         % since a context switch will consult userparams.

   .setuserparams

-} .bind def

+} .bind executeonly odef % must be bound and hidden for .forceput

 /setuserparams {		% <dict> setuserparams -

-    .setuserparams2

+    {.setuserparams2} stopped

+    {/setuserparams load $error /errorname get signalerror} if

 } .bind odef

 % Initialize user parameters managed here.

 /JobName () .definepsuserparam

@@ -414,7 +415,9 @@ psuserparams /ProcessDSCComment {.checkp

 % VMReclaim and VMThreshold are user parameters.

 /setvmthreshold {		% <int> setvmthreshold -

-  mark /VMThreshold 2 .argindex .dicttomark .setuserparams2 pop

+  mark /VMThreshold 2 .argindex .dicttomark {.setuserparams2} stopped

+  {pop /setvmthreshold load $error /errorname get signalerror}

+  {pop} ifelse

 } odef

 /vmreclaim {			% <int> vmreclaim -

   dup 0 gt {

@@ -426,7 +429,9 @@ psuserparams /ProcessDSCComment {.checkp

     ifelse

   } {

     % VMReclaim userparam controls enable/disable GC

-    mark /VMReclaim 2 index .dicttomark .setuserparams2 pop

+    mark /VMReclaim 2 index .dicttomark {.setuserparams2} stopped

+    {pop /vmreclaim load $error /errorname get signalerror}

+    {pop} ifelse

   } ifelse

 } odef

 -1 setvmthreshold

diff -up ghostscript-9.07/Resource/Init/gs_pdfwr.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_pdfwr.ps

--- ghostscript-9.07/Resource/Init/gs_pdfwr.ps.cve-2018-17961	2013-02-14 08:58:16.000000000 +0100

+++ ghostscript-9.07/Resource/Init/gs_pdfwr.ps	2018-12-10 14:51:03.210407233 +0100

@@ -547,8 +547,7 @@ currentdict /.pdfmarkparams .undef

   } {

     pop

   } ifelse

-}

-bind def

+} .bind executeonly odef % must be bound and hidden for .forceput

 % Use the DSC processing hook to pass DSC comments to the driver.

 % We use a pseudo-parameter named DSC whose value is an array:

diff -up ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_setpd.ps

--- ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2018-17961	2018-12-10 14:51:03.194407496 +0100

+++ ghostscript-9.07/Resource/Init/gs_setpd.ps	2018-12-10 14:51:03.210407233 +0100

@@ -544,6 +544,20 @@ NOMEDIAATTRS {

 % in the <failed> dictionary with the policy value,

 % and we replace the key in the <merged> dictionary with its prior value

 % (or remove it if it had no prior value).

+

+% Making this an operator means we can properly hide

+% the contents - specifically .forceput

+/1Policy

+{

+  % Roll back the failed request to its previous status.

+  SETPDDEBUG { (Rolling back.) = pstack flush } if

+  3 index 2 index 3 -1 roll .forceput

+  4 index 1 index .knownget

+   { 4 index 3 1 roll .forceput }

+   { 3 index exch .undef }

+  ifelse

+} bind executeonly odef

+

 /.policyprocs mark

 % These procedures are called with the following on the stack:

 %   <orig> <merged> <failed> <Policies> <key> <policy>

@@ -567,14 +581,7 @@ NOMEDIAATTRS {

         /setpagedevice .systemvar /configurationerror signalerror

       } ifelse

   } bind

-  1 {		% Roll back the failed request to its previous status.

-SETPDDEBUG { (Rolling back.) = pstack flush } if

-        3 index 2 index 3 -1 roll .forceput

-        4 index 1 index .knownget

-         { 4 index 3 1 roll .forceput }

-         { 3 index exch .undef }

-        ifelse

-  } .bind

+  1 /1Policy load

   7 {		% For PageSize only, just impose the request.

         1 index /PageSize eq

          { pop pop 1 index /PageSize 7 put }

@@ -582,6 +589,8 @@ SETPDDEBUG { (Rolling back.) = pstack fl

         ifelse

   } bind

 .dicttomark readonly def

+currentdict /1Policy undef

+

 /.applypolicies		% <orig> <merged> <failed> .applypolicies

                         %   <orig> <merged'> <failed'>

  { 1 index /Policies get 1 index

diff -up ghostscript-9.07/Resource/Init/gs_typ32.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_typ32.ps

--- ghostscript-9.07/Resource/Init/gs_typ32.ps.cve-2018-17961	2013-02-14 08:58:16.000000000 +0100

+++ ghostscript-9.07/Resource/Init/gs_typ32.ps	2018-12-10 14:51:03.211407216 +0100

@@ -79,15 +79,19 @@ systemdict /.removeglyphs .undef

 .dicttomark /ProcSet defineresource pop

 /.cidfonttypes where { pop } { /.cidfonttypes 6 dict def } ifelse

-.cidfonttypes begin

-

-4	% CIDFontType 4 = FontType 32

-{ dup /FontType 32 .forceput

+/CIDFontType4

+{

+  dup /FontType 32 .forceput

   dup /CharStrings 20 dict .forceput

   1 index exch .buildfont32 exch pop

-} bind def

+} .bind executeonly odef

+.cidfonttypes begin

+

+

+4 /CIDFontType4 load def % CIDFontType 4 = FontType 32

 end		% .cidfonttypes

+currentdict /CIDFontType4 .forceundef

 % Define the BuildGlyph procedure.

 % Since Type 32 fonts are indexed by CID, there is no BuildChar procedure.

diff -up ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_type1.ps

--- ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2018-17961	2013-02-14 08:58:16.000000000 +0100

+++ ghostscript-9.07/Resource/Init/gs_type1.ps	2018-12-10 14:51:03.211407216 +0100

@@ -215,7 +215,7 @@ currentdict /closesourcedict .undef

   } if

   2 copy /WeightVector exch .forceput

   .setweightvector

-} .bind executeonly def

+} .bind executeonly odef

 end

 % Register the font types for definefont.

diff -up ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_base.ps

--- ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2018-17961	2013-02-14 08:58:16.000000000 +0100

+++ ghostscript-9.07/Resource/Init/pdf_base.ps	2018-12-10 14:51:03.211407216 +0100

@@ -177,7 +177,7 @@ currentdict /num-chars-dict .undef

       } ifelse

     } ifelse

   } ifelse

-} bind def

+} bind executeonly odef

 /PDFScanRules_true << /PDFScanRules //true >> def

 /PDFScanRules_null << /PDFScanRules //null >> def

 /.pdfrun {			% <file> <opdict> .pdfrun -

diff -up ghostscript-9.07/Resource/Init/pdf_draw.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_draw.ps

--- ghostscript-9.07/Resource/Init/pdf_draw.ps.cve-2018-17961	2018-12-10 14:51:03.177407775 +0100

+++ ghostscript-9.07/Resource/Init/pdf_draw.ps	2018-12-10 14:51:03.212407200 +0100

@@ -948,7 +948,7 @@ currentdict end readonly def

   Q

   PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if

   PDFfile exch setfileposition

-} bdef

+}bind executeonly odef

 /resolvepattern {	% <patternstreamdict> resolvepattern <patterndict>

                 % Don't do the resolvestream now: just capture the data

@@ -1809,7 +1809,7 @@ currentdict /last-ditch-bpc-csp undef

   } if

   pop

   /pdfemptycount exch store

-} bdef

+} bind executeonly odef

 /_dops_save 1 array def

diff -up ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_font.ps

--- ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2018-17961	2013-02-14 08:58:16.000000000 +0100

+++ ghostscript-9.07/Resource/Init/pdf_font.ps	2018-12-10 14:51:03.213407183 +0100

@@ -641,7 +641,7 @@ currentdict end readonly def

     } if

   } if

   pop pop pop

-} bind def

+} bind executeonly odef

 % ---------------- Descriptors ---------------- %

@@ -1097,7 +1097,7 @@ currentdict /eexec_pdf_param_dict .undef

     } bdef

     dup currentdict Encoding .processToUnicode

     currentdict end .completefont exch pop

-} bdef

+} bind executeonly odef

 /.adjustcharwidth {	% <wx> <wy> .adjustcharwidth <wx'> <wy'>

   % Enforce the metrics, in glyph space, to the values found in the PDF Font object

   % - force wy == 0 (assumed, and not stored in the PDF font)

@@ -1794,7 +1794,7 @@ currentdict /CMap_read_dict undef

     } if

     /findresource cvx /undefined signalerror

   } loop

-} bdef

+} bind executeonly odef

 /buildCIDType0 {	% <CIDFontType0-font-resource> buildCIDType0 <font>

   dup /BaseFont get findCIDFont exch pop

@@ -1964,7 +1964,7 @@ currentdict /CMap_read_dict undef

   /Type0 //buildType0

   /Type1 //buildType1

   /MMType1 //buildType1

-  /Type3 //buildType3

+  /Type3 /buildType3 load

   /TrueType //buildTrueType

   /CIDFontType0 //buildCIDType0

   /CIDFontType2 //buildCIDType2

diff -up ghostscript-9.07/Resource/Init/pdf_main.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_main.ps

--- ghostscript-9.07/Resource/Init/pdf_main.ps.cve-2018-17961	2018-12-10 14:51:03.168407922 +0100

+++ ghostscript-9.07/Resource/Init/pdf_main.ps	2018-12-10 14:51:03.213407183 +0100

@@ -382,7 +382,7 @@ currentdict /runpdfstring .undef

     } forall

     pop

   } ifelse

-} bind def

+} bind executeonly odef

 currentdict /pdf_collection_files .undef

@@ -1878,7 +1878,7 @@ currentdict /PDF2PS_matrix_key undef

   Repaired		% pass Repaired state around the restore

   PDFSave restore

   /Repaired exch def

-} bind def

+} bind executeonly odef

 % Display the contents of a page (including annotations).

 /showpagecontents {	% <pagedict> showpagecontents -

diff -up ghostscript-9.07/Resource/Init/pdf_ops.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_ops.ps

--- ghostscript-9.07/Resource/Init/pdf_ops.ps.cve-2018-17961	2013-02-14 08:58:16.000000000 +0100

+++ ghostscript-9.07/Resource/Init/pdf_ops.ps	2018-12-10 14:51:03.214407167 +0100

@@ -128,7 +128,7 @@ nodict readonly pop

   { (\n   **** File has unbalanced q/Q operators \(too many Q's\) ****\n)

     pdfformaterror

   } if

-} bdef

+} bind executeonly odef

 % Save PDF gstate

 /qstate {       % - qstate <qstate>

@@ -282,7 +282,7 @@ nodict readonly pop

 } bdef

 /ca { /FillConstantAlpha gput } bdef

 /CA { /StrokeConstantAlpha gput } bdef

-/SMask { /SoftMask gput } bdef

+/SMask { /SoftMask gput } bind executeonly odef

 /AIS { /AlphaIsShape gput } bdef

 /BM {

   /.setblendmode where {