From 693baf02152119af6e6afd30bb8ec76d14f84bbf Mon Sep 17 00:00:00 2001

From: Ken Sharp <ken.sharp@artifex.com>

Date: Thu, 8 Nov 2018 14:43:32 +0000

Subject: [PATCH] PS interpreter - check the Implementation of a Pattern before

 use

Bug #700141 "Type confusion in setpattern"

As the bug thread says, we were not checking that the Implementation

of a pattern dictionary was a structure type, leading to a crash when

we tried to treat it as one.

Here we make the st_pattern1_instance and st_pattern2_instance

structures public definitions and in zsetcolor we check the object

stored under the Implementation key in the supplied dictionary to see if

its a t_struct or t_astruct type, and if it is that its a

st_pattern1_instance or st_pattern2_instance structure.

If either check fails we throw a typecheck error.

We need to make the st_pattern1_instance and st_pattern2_instance

definitions public as they are defined in the graphics library and we

need to check in the interpreter.

---

 base/gsptype1.c |  2 +-

 base/gsptype2.c |  6 +++---

 base/gsptype2.h |  4 ++--

 base/gxcolor2.h |  4 ++--

 psi/zcolor.c    | 11 ++++++++---

 5 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/base/gsptype1.c b/base/gsptype1.c

index 27fdd5a..e98dde1 100644

--- a/base/gsptype1.c

+++ b/base/gsptype1.c

@@ -50,7 +50,7 @@

 /* GC descriptors */

 private_st_pattern1_template();

-private_st_pattern1_instance();

+public_st_pattern1_instance();

 /* GC procedures */

 static ENUM_PTRS_BEGIN(pattern1_instance_enum_ptrs) {

diff --git a/base/gsptype2.c b/base/gsptype2.c

index 791e538..c53eb2e 100644

--- a/base/gsptype2.c

+++ b/base/gsptype2.c

@@ -33,7 +33,7 @@

 /* GC descriptors */

 private_st_pattern2_template();

-private_st_pattern2_instance();

+public_st_pattern2_instance();

 /* GC procedures */

 static ENUM_PTRS_BEGIN(pattern2_instance_enum_ptrs) {

@@ -206,10 +206,10 @@ gs_pattern2_set_color(const gs_client_color * pcc, gs_gstate * pgs)

     pinst->saved->overprint_mode = pgs->overprint_mode;

     pinst->saved->overprint = pgs->overprint;

-    

+

     num_comps = pgs->device->color_info.num_components;

     for (k = 0; k < num_comps; k++) {

-        pgs->color_component_map.color_map[k] = 

+        pgs->color_component_map.color_map[k] =

             pinst->saved->color_component_map.color_map[k];

     }

     code = pcs->type->set_overprint(pcs, pgs);

diff --git a/base/gsptype2.h b/base/gsptype2.h

index f0f26d1..4186201 100644

--- a/base/gsptype2.h

+++ b/base/gsptype2.h

@@ -57,8 +57,8 @@ typedef struct gs_pattern2_instance_s {

     bool shfill;

 } gs_pattern2_instance_t;

-#define private_st_pattern2_instance() /* in gsptype2.c */\

-  gs_private_st_composite(st_pattern2_instance, gs_pattern2_instance_t,\

+#define public_st_pattern2_instance() /* in gsptype2.c */\

+  gs_public_st_composite(st_pattern2_instance, gs_pattern2_instance_t,\

     "gs_pattern2_instance_t", pattern2_instance_enum_ptrs,\

     pattern2_instance_reloc_ptrs)

diff --git a/base/gxcolor2.h b/base/gxcolor2.h

index 62ec05e..d5b1095 100644

--- a/base/gxcolor2.h

+++ b/base/gxcolor2.h

@@ -92,8 +92,8 @@ struct gs_pattern1_instance_s {

     gx_bitmap_id id;		/* key for cached bitmap (= id of mask) */

 };

-#define private_st_pattern1_instance() /* in gsptype1.c */\

-  gs_private_st_composite(st_pattern1_instance, gs_pattern1_instance_t,\

+#define public_st_pattern1_instance() /* in gsptype1.c */\

+  gs_public_st_composite(st_pattern1_instance, gs_pattern1_instance_t,\

     "gs_pattern1_instance_t", pattern1_instance_enum_ptrs,\

     pattern1_instance_reloc_ptrs)

diff --git a/psi/zcolor.c b/psi/zcolor.c

index 7a00d4e..fe81e79 100644

--- a/psi/zcolor.c

+++ b/psi/zcolor.c

@@ -65,6 +65,8 @@ static const float default_0_1[] = {0, 1, 0, 1, 0, 1, 0, 1};

 /* imported from gsht.c */

 extern  void    gx_set_effective_transfer(gs_gstate *);

+extern_st(st_pattern1_instance);

+extern_st(st_pattern2_instance);

 /* Essential forward declarations */

 static int validate_spaces(i_ctx_t *i_ctx_p, ref *arr, int *depth);

@@ -289,6 +291,9 @@ zsetcolor(i_ctx_t * i_ctx_p)

                 code = array_get(imemory, pImpl, 0, &pPatInst);

                 if (code < 0)

                     return code;

+                if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))

+                    return_error(gs_error_typecheck);

+

                 cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);

                 n_numeric_comps = ( pattern_instance_uses_base_space(cc.pattern)

                       ? n_comps - 1

@@ -4421,7 +4426,7 @@ static int setindexedspace(i_ctx_t * i_ctx_p, ref *r, int *stage, int *cont, int

         /* If we have a named color profile and the base space is DeviceN or

            Separation use a different set of procedures to ensure the named

            color remapping code is used */

-        if (igs->icc_manager->device_named != NULL && 

+        if (igs->icc_manager->device_named != NULL &&

             (base_type == gs_color_space_index_Separation ||

              base_type == gs_color_space_index_DeviceN))

             pcs = gs_cspace_alloc(imemory, &gs_color_space_type_Indexed_Named);

@@ -5573,7 +5578,7 @@ static int iccompareproc(i_ctx_t *i_ctx_p, ref *space, ref *testspace)

         return 0;

     /* As a quick check see if current is same as new */

-    if (ICCdict1.value.bytes == ICCdict2.value.bytes) 

+    if (ICCdict1.value.bytes == ICCdict2.value.bytes)

          return 1;

     /* Need to check all the various parts */

@@ -5593,7 +5598,7 @@ static int iccompareproc(i_ctx_t *i_ctx_p, ref *space, ref *testspace)

     code2 = dict_find_string(&ICCdict2, "DataSource", &tempref2);

     if (code2 <= 0)

         return 0;

-    if (r_size(tempref1) != r_size(tempref2)) 

+    if (r_size(tempref1) != r_size(tempref2))

         return 0;

     buff_size = r_size(tempref1);

-- 

2.17.2