From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 14 Nov 2018 09:25:13 +0000 (+0000)
Subject: Bug #700169 - unchecked type
Bug #700169 - unchecked type
Bug #700169 "Type confusion in setcolorspace"
In seticc() we extract "Name" from a dictionary, if it succeeds we then
use it as a string, without checking the type to see if it is in fact
a string.
Add a check on the type, and add a couple to check that 'N' is an integer
in a few places too.
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=67d760ab775dae4efe803b5944b0439aa3c0b04a
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 14 Nov 2018 09:31:10 +0000 (+0000)
Subject: PS interpreter - add some type checking
PS interpreter - add some type checking
These were 'probably' safe anyway, since they mostly treat the objects
as integers without checking, which at least can't result in a crash.
Nevertheless, we ought to check.
The return from comparedictkeys could be wrong if one of the keys had
a value which was not an array, it could incorrectly decide the two
were in fact the same.
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=548bb434e81dadcc9f71adf891a3ef5bea8e2b4e
---
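--- ghostscript-9.07/psi/zbfont.c.cve-2018-19476 2019-01-14 16:06:09.944218434 +0100
+++ ghostscript-9.07/psi/zbfont.c 2019-01-14 16:08:36.868448531 +0100
@@ -618,6 +618,9 @@ sub_font_params(gs_memory_t *mem, const
 return_error(e_invalidfont);
 if (dict_find_string(op, "OrigFont", &porigfont) <= 0)
 porigfont = NULL;
+ if (porigfont != NULL && !r_has_type(porigfont, t_dictionary))
+ return_error(gs_error_typecheck);
+
 if (pomat!= NULL) {
 if (porigfont == NULL ||
 dict_find_string(porigfont, "FontMatrix", &pmatrix) <= 0 ||
@@ -628,8 +631,8 @@ sub_font_params(gs_memory_t *mem, const
 /* Use the FontInfo/OrigFontName key preferrentially (created by MS PSCRIPT driver) */
 if ((dict_find_string((porigfont != NULL ? porigfont : op), "FontInfo", &pfontinfo) > 0) &&
 r_has_type(pfontinfo, t_dictionary) &&
- (dict_find_string(pfontinfo, "OrigFontName", &pfontname) > 0)) {
- if ((dict_find_string(pfontinfo, "OrigFontStyle", &pfontstyle) > 0) &&
+ (dict_find_string(pfontinfo, "OrigFontName", &pfontname) > 0) && (r_has_type(pfontname, t_name) || r_has_type(pfontname, t_string))) {
+ if ((dict_find_string(pfontinfo, "OrigFontStyle", &pfontstyle) > 0) && (r_has_type(pfontname, t_name) || r_has_type(pfontname, t_string)) &&
 r_size(pfontstyle) > 0) {
 const byte *tmpStr1 = pfontname->value.const_bytes;
 const byte *tmpStr2 = pfontstyle->value.const_bytes;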
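Review bot: In the second hunk the guard added to the `OrigFontStyle` lookup re-tests `pfontname` instead of `pfontstyle`, so `pfontstyle` still reaches `r_size(pfontstyle)` and `pfontstyle->value.const_bytes` with no type check at all. The condition on that line should read `(r_has_type(pfontstyle, t_name) || r_has_type(pfontstyle, t_string))`. Accepting `t_name` for either ref also deserves a second look, because the following lines read `value.const_bytes` as string data; whether a name ref keeps its bytes there cannot be confirmed from this hunk. sub_font_params starts and ends outside both hunks.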
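--- ghostscript-9.07/psi/zcolor.c.cve-2018-19476 2019-01-14 16:09:23.141891105 +0100
+++ ghostscript-9.07/psi/zcolor.c 2019-01-14 16:27:03.317052840 +0100
@@ -2059,7 +2059,12 @@ static int comparedictkey(i_ctx_t * i_ct
 if (r_type(tempref1) == t_null)
 return 1;
 
- return comparearrays(i_ctx_p, tempref1, tempref2);
+ code = comparearrays(i_ctx_p, tempref1, tempref2);
+
+ if (code > 0)
+ return 1;
+ else
+ return 0;
 }
 
 /* Check that the WhitePoint of a CIE space is valid */
@@ -5469,6 +5474,9 @@ static int seticcspace(i_ctx_t * i_ctx_p
 code = dict_find_string(&ICCdict, "N", &tempref);
 if (code < 0)
 return code;
+ if (r_type(tempref) != t_integer)
+ return gs_note_error(gs_error_typecheck);
+
 components = tempref->value.intval;
 if (components > count_of(range))
 return_error(e_rangecheck);
@@ -5684,6 +5692,8 @@ static int iccalternatespace(i_ctx_t * i
 code = dict_find_string(&ICCdict, "N", &tempref);
 if (code <= 0)
 return code;
+ if (!r_has_type(tempref, t_integer))
+ return_error(gs_error_typecheck);
 
 components = tempref->value.intval;
 
@@ -5718,6 +5728,9 @@ static int icccomponents(i_ctx_t * i_ctx
 return code;
 
 code = dict_find_string(&ICCdict, "N", &tempref);
+ if (!r_has_type(tempref, t_integer))
+ return gs_note_error(gs_error_typecheck);
+
 *n = tempref->value.intval;
 return 0;
 }
@@ -5730,6 +5743,9 @@ static int iccdomain(i_ctx_t * i_ctx_p,
 if (code < 0)
 return code;
 code = dict_find_string(&ICCdict, "N", &tempref);
+ if (!r_has_type(tempref, t_integer))
+ return gs_note_error(gs_error_typecheck);
+
 components = tempref->value.intval;
 code = dict_find_string(&ICCdict, "Range", &tempref);
 if (code >= 0 && !r_has_type(tempref, t_null)) {
@@ -5759,6 +5775,8 @@ static int iccrange(i_ctx_t * i_ctx_p, r
 if (code < 0)
 return code;
 code = dict_find_string(&ICCdict, "N", &tempref);
+ if (!r_has_type(tempref, t_integer))
+ return gs_note_error(gs_error_typecheck);
 components = tempref->value.intval;
 code = dict_find_string(&ICCdict, "Range", &tempref);
 if (code >= 0 && !r_has_type(tempref, t_null)) {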
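Review bot: In the icccomponents, iccdomain and iccrange hunks the new `r_has_type(tempref, t_integer)` test runs directly after `dict_find_string(&ICCdict, "N", &tempref)` without looking at `code`, and in seticcspace only `code < 0` is rejected, so a dictionary with no `N` key reaches the type test with `tempref` not set by this lookup. Other call sites in this patch treat a return of 0 or less as "key absent", and iccalternatespace already guards with `if (code <= 0)`. Each new test should be preceded by a guard such as `if (code <= 0) return code < 0 ? code : gs_note_error(gs_error_undefined);`. The hunks also mix `r_type(x) != t_integer` with `!r_has_type(x, t_integer)` and `return gs_note_error(...)` with `return_error(...)`; one form per file would make the checks easier to audit. All five functions continue outside their hunks.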
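--- ghostscript-9.07/psi/zcrd.c.cve-2018-19476 2019-01-14 16:30:53.508230767 +0100
+++ ghostscript-9.07/psi/zcrd.c 2019-01-14 16:31:42.609628795 +0100
@@ -222,8 +222,10 @@ zcrd1_params(os_ptr op, gs_cie_render *
 )
 return code;
 if (dict_find_string(op, "RenderTable", &pRT) > 0) {
- const ref *prte = pRT->value.const_refs;
-
+ const ref *prte;
+
+ check_read_type(*pRT, t_array);
+ prte = pRT->value.const_refs;
 /* Finish unpacking and checking the RenderTable parameter. */
 check_type_only(prte[4], t_integer);
 if (!(prte[4].value.intval == 3 || prte[4].value.intval == 4))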
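Review bot: `check_read_type(*pRT, t_array)` establishes that RenderTable is a readable array, but the next lines index `prte[4]` with no visible length test, so a short array would still be read past its last element. Unless earlier code already guarantees the size, add `if (r_size(pRT) < 5) return_error(e_rangecheck);` directly after the type check. zcrd1_params continues beyond the hunk, so a later size check may exist, but it would come after the `prte[4]` read shown here.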
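--- ghostscript-9.07/psi/zfjpx.c.cve-2018-19476 2019-01-14 16:32:09.315301395 +0100
+++ ghostscript-9.07/psi/zfjpx.c 2019-01-14 16:32:59.902681210 +0100
@@ -115,6 +115,8 @@ z_jpx_decode(i_ctx_t * i_ctx_p)
 dict_find_string(csdict, "N", &nref) > 0) {
 if_debug1m('w', imemory, "[w] JPX image has an external %"PRIpsint
 " channel colorspace\n", nref->value.intval);
+ if (r_type(nref) != t_integer)
+ return gs_note_error(gs_error_typecheck);
 switch (nref->value.intval) {
 case 1: state.colorspace = gs_jpx_cs_gray;
 break;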
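Review bot: The new `t_integer` test sits after the `if_debug1m(...)` call, which already prints `nref->value.intval`, so a debug build still interprets a non-integer ref as an integer before rejecting it. Move the two added lines above the `if_debug1m` call so that nothing reads `value.intval` until the type is known. z_jpx_decode starts and ends outside the hunk.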
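--- ghostscript-9.07/psi/zfont0.c.cve-2018-19476 2019-01-14 16:34:52.816296934 +0100
+++ ghostscript-9.07/psi/zfont0.c 2019-01-14 16:36:07.581380337 +0100
@@ -243,6 +243,9 @@ zbuildfont0(i_ctx_t *i_ctx_p)
 array_get(pfont->memory, &fdepvector, i, &fdep);
 /* The lookup can't fail, because of the pre-check above. */
 dict_find_string(&fdep, "FID", &pfid);
+ if (!r_has_type(pfid, t_fontID))
+ return gs_note_error(gs_error_typecheck);
+
 data.FDepVector[i] = r_ptr(pfid, gs_font);
 }
 pfont->data = data;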
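Review bot: The added `return gs_note_error(gs_error_typecheck);` leaves zbuildfont0 from inside the FDepVector loop, after `pfont` has been built and some `data.FDepVector[i]` slots may already be filled. The rest of the function is outside the hunk; if its other failure paths unwind through a shared cleanup label, this one should set `code` and jump there instead of returning directly. The comment `/* The lookup can't fail, because of the pre-check above. */` should also state whether that pre-check covers the type of `FID`, since the new test implies it does not.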
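--- ghostscript-9.07/psi/zfont.c.cve-2018-19476 2019-01-14 16:33:26.705352619 +0100
+++ ghostscript-9.07/psi/zfont.c 2019-01-14 16:34:29.104587630 +0100
@@ -596,6 +596,9 @@ zfont_info(gs_font *font, const gs_point
 info->members |= FONT_INFO_FULL_NAME;
 if ((members & FONT_INFO_EMBEDDING_RIGHTS)
 && (dict_find_string(pfontinfo, "FSType", &pvalue) > 0)) {
+ if (r_type(pvalue) != t_integer)
+ return gs_note_error(gs_error_typecheck);
+
 info->EmbeddingRights = pvalue->value.intval;
 info->members |= FONT_INFO_EMBEDDING_RIGHTS;
 }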
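--- ghostscript-9.07/psi/zicc.c.cve-2018-19476 2019-01-14 15:42:17.836379460 +0100
+++ ghostscript-9.07/psi/zicc.c 2019-01-14 15:48:50.612698290 +0100
@@ -79,7 +79,7 @@ int seticc(i_ctx_t * i_ctx_p, int ncomps
 want to have this buffer. */
 /* Check if we have the /Name entry. This is used to associate with
 specs that have enumerated types to indicate sRGB sGray etc */
- if (dict_find_string(ICCdict, "Name", &pnameval) > 0){
+ if (dict_find_string(ICCdict, "Name", &pnameval) > 0 && r_has_type(pnameval, t_string)){
 uint size = r_size(pnameval);
 char *str = (char *)gs_alloc_bytes(gs_state_memory(igs), size+1, "seticc");
 memcpy(str, (const char *)pnameval->value.bytes, size);
@@ -261,6 +261,8 @@ zset_outputintent(i_ctx_t * i_ctx_p)
 code = dict_find_string(op, "N", &pnval);
 if (code < 0)
 return code;
+ if (r_type(pnval) != t_integer)
+ return gs_note_error(gs_error_typecheck);
 ncomps = pnval->value.intval;
 
 /* verify the DataSource entry. Creat profile from stream */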
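Review bot: In the zset_outputintent hunk only `code < 0` is rejected before the new `r_type(pnval) != t_integer` test, so when `N` is absent (other call sites in this patch treat a return of 0 as "not found") `pnval` is dereferenced without having been set by the lookup. Widening the guard to `if (code <= 0)` and returning an explicit error for the 0 case closes that path. In the seticc hunk the context lines pass the result of `gs_alloc_bytes(...)` straight to `memcpy` with no NULL test, which is worth fixing while this block is being touched: `if (str == NULL) return gs_note_error(gs_error_VMerror);`. Both functions extend beyond their hunks.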
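--- ghostscript-9.07/psi/zimage3.c.cve-2018-19476 2019-01-14 16:36:31.871082554 +0100
+++ ghostscript-9.07/psi/zimage3.c 2019-01-14 16:37:41.626227376 +0100
@@ -53,6 +53,8 @@ zimage3(i_ctx_t *i_ctx_p)
 dict_find_string(op, "MaskDict", &pMaskDict) <= 0
 )
 return_error(e_rangecheck);
+ check_type(*pDataDict, t_dictionary);
+ check_type(*pMaskDict, t_dictionary);
 if ((code = pixel_image_params(i_ctx_p, pDataDict,
 (gs_pixel_image_t *)&image, &ip_data,
 12, false, gs_currentcolorspace(igs))) < 0 ||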
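--- ghostscript-9.07/psi/ztrans.c.cve-2018-19476 2019-01-14 16:38:14.893819526 +0100
+++ ghostscript-9.07/psi/ztrans.c 2019-01-14 16:42:22.503788524 +0100
@@ -362,6 +362,7 @@ zimage3x(i_ctx_t *i_ctx_p)
 gs_image3x_t_init(&image, NULL);
 if (dict_find_string(op, "DataDict", &pDataDict) <= 0)
 return_error(e_rangecheck);
+ check_type(*pDataDict, t_dictionary);
 if ((code = pixel_image_params(i_ctx_p, pDataDict,
 (gs_pixel_image_t *)&image, &ip_data,
 16, false, gs_currentcolorspace(igs))) < 0 ||
@@ -398,6 +399,9 @@ image_params *pip_data, const char *dict
 
 if (dict_find_string(op, dict_name, &pMaskDict) <= 0)
 return 1;
+ if (!r_has_type(pMaskDict, t_dictionary))
+ return gs_note_error(gs_error_typecheck);
+
 if ((mcode = code = data_image_params(mem, pMaskDict, &pixm->MaskDict,
 &ip_mask, false, 1, 16, false, false)) < 0 ||
 (code = dict_int_param(pMaskDict, "ImageType", 1, 1, 0, &ignored)) < 0 ||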