From be86d2ff2f0f0ea0e365707f3be0fa0c9e7315ee Mon Sep 17 00:00:00 2001

From: Ray Johnston <ray.johnston@artifex.com>

Date: Mon, 18 Feb 2019 12:11:45 -0800

Subject: [PATCH 1/2] Bug 700599: Issue an error message if an ExtGstate is not

 found.

Previously, this was silently ignored. Only issue a single warning,

and respect PDFSTOPONERROR to prevent continuing with potentially

incorrect output.

Note that tests_private/pdf/uploads/bug696410.pdf also now gets this

error message (ExtGState" instead of ExtGState in object 10).

---

 Resource/Init/pdf_draw.ps | 11 ++++++++++-

 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps

index 1add3f7..6a2773a 100644

--- a/Resource/Init/pdf_draw.ps

+++ b/Resource/Init/pdf_draw.ps

@@ -494,7 +494,16 @@ end

     dup {

       oforce exch gsparamdict exch .knownget { exec } { pop } ifelse

     } forall pop

-  } if

+  } {

+    //pdfdict /.gs_warning_issued known not {

+      (\n   **** Error 'gs' ignored -- ExtGState missing from Resources.\n)

+      pdfformaterror

+      (        Output may be incorrect.\n) pdfformaterror

+      //pdfdict /.gs_warning_issued //true .forceput

+      PDFSTOPONERROR { /gs /undefined signalerror } if

+    } if

+  }

+  ifelse

 } bind executeonly def

 % ------ Transparency support ------ %

-- 

2.20.1

From cd1b1cacadac2479e291efe611979bdc1b3bdb19 Mon Sep 17 00:00:00 2001

From: Ken Sharp <ken.sharp@artifex.com>

Date: Wed, 21 Aug 2019 10:10:51 +0100

Subject: [PATCH 2/2] PDF interpreter - review .forceput security

Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken"

By abusing the error handler it was possible to get the PDFDEBUG portion

of .pdfexectoken, which uses .forceput left readable.

Add an executeonly appropriately to make sure that clause isn't readable

no mstter what.

Review all the uses of .forceput searching for similar cases, add

executeonly as required to secure those. All cases in the PostScript

support files seem to be covered already.

---

 Resource/Init/pdf_base.ps |  2 +-

 Resource/Init/pdf_draw.ps | 14 +++++++-------

 Resource/Init/pdf_font.ps | 23 ++++++++++++-----------

 Resource/Init/pdf_main.ps |  6 +++---

 Resource/Init/pdf_ops.ps  | 11 ++++++-----

 5 files changed, 29 insertions(+), 27 deletions(-)

diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps

index d3c3a5f..5dabe4d 100644

--- a/Resource/Init/pdf_base.ps

+++ b/Resource/Init/pdf_base.ps

@@ -154,7 +154,7 @@ currentdict /num-chars-dict .undef

     {

       dup ==only () = flush

     } ifelse % PDFSTEP

-  } if % PDFDEBUG

+  } executeonly if % PDFDEBUG

   2 copy .knownget {

     exch pop exch pop exch pop exec

   } {

diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps

index 6a2773a..068ba7c 100644

--- a/Resource/Init/pdf_draw.ps

+++ b/Resource/Init/pdf_draw.ps

@@ -501,8 +501,8 @@ end

       (        Output may be incorrect.\n) pdfformaterror

       //pdfdict /.gs_warning_issued //true .forceput

       PDFSTOPONERROR { /gs /undefined signalerror } if

-    } if

-  }

+    } executeonly if

+  } executeonly

   ifelse

 } bind executeonly def

@@ -1127,7 +1127,7 @@ currentdict end readonly def

           .setglobal

           pdfformaterror

         } executeonly ifelse

-      }

+      } executeonly

       {

         currentglobal //pdfdict gcheck .setglobal

         //pdfdict /.Qqwarning_issued //true .forceput

@@ -1135,8 +1135,8 @@ currentdict end readonly def

         pdfformaterror

       } executeonly ifelse

       end

-    } ifelse

-  } loop

+    } executeonly ifelse

+  } executeonly loop

   {

     (\n   **** Error: File has unbalanced q/Q operators \(too many q's\)\n               Output may be incorrect.\n)

     //pdfdict /.Qqwarning_issued .knownget

@@ -1150,14 +1150,14 @@ currentdict end readonly def

         .setglobal

         pdfformaterror

       } executeonly ifelse

-    }

+    } executeonly

     {

       currentglobal //pdfdict gcheck .setglobal

       //pdfdict /.Qqwarning_issued //true .forceput

       .setglobal

       pdfformaterror

     } executeonly ifelse

-  } if

+  } executeonly if

   pop

   % restore pdfemptycount

diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps

index 8b8fef8..86b1870 100644

--- a/Resource/Init/pdf_font.ps

+++ b/Resource/Init/pdf_font.ps

@@ -677,7 +677,7 @@ currentdict end readonly def

                 currentglobal 2 index dup gcheck setglobal

                 /FontInfo 5 dict dup 5 1 roll .forceput

                 setglobal

-              } if

+              } executeonly if

               dup /GlyphNames2Unicode .knownget not {

                 //true                        % No existing G2U, make one

               } {

@@ -701,9 +701,9 @@ currentdict end readonly def

         } if

         PDFDEBUG {

           (.processToUnicode end) =

-        } if

-      } if

-    } stopped

+        } executeonly if

+      } executeonly if

+    } executeonly stopped

     {

       .dstackdepth 1 countdictstack 1 sub

       {pop end} for

@@ -1225,19 +1225,20 @@ currentdict /eexec_pdf_param_dict .undef

                 //pdfdict /.Qqwarning_issued //true .forceput

               } executeonly if

               Q

-            } repeat

+            } executeonly repeat

             Q

-          } PDFfile fileposition 2 .execn % Keep pdfcount valid.

+          } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid.

           PDFfile exch setfileposition

-        } ifelse

-      } {

+        } executeonly ifelse

+      } executeonly

+      {

         % PDF Type 3 fonts don't use .notdef

         % d1 implementation adjusts the width as needed

         0 0 0 0 0 0

         pdfopdict /d1 get exec

       } ifelse

       end end

-    } bdef

+    } executeonly bdef

     dup currentdict Encoding .processToUnicode

     currentdict end .completefont exch pop

 } bind executeonly odef

@@ -2022,9 +2023,9 @@ currentdict /CMap_read_dict undef

           (Will continue, but content may be missing.) = flush

         } ifelse

       } if

-    } if

+    } executeonly if

     /findresource cvx /undefined signalerror

-  } loop

+  } executeonly loop

 } bind executeonly odef

 /buildCIDType0 {	% <CIDFontType0-font-resource> buildCIDType0 <font>

diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps

index e44288e..ecde3d4 100644

--- a/Resource/Init/pdf_main.ps

+++ b/Resource/Init/pdf_main.ps

@@ -2696,15 +2696,15 @@ currentdict /PDF2PS_matrix_key undef

           .setglobal

           pdfformaterror

         } executeonly ifelse

-      }

+      } executeonly

       {

         currentglobal //pdfdict gcheck .setglobal

         //pdfdict /.Qqwarning_issued //true .forceput

         .setglobal

         pdfformaterror

       } executeonly ifelse

-    } if

-  } if

+    } executeonly if

+  } executeonly if

   pop

   count PDFexecstackcount sub { pop } repeat

   (after exec) VMDEBUG

diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps

index c2e7461..12d5a66 100644

--- a/Resource/Init/pdf_ops.ps

+++ b/Resource/Init/pdf_ops.ps

@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef

         .setglobal

         pdfformaterror

       } executeonly ifelse

-    }

+    } executeonly

     {

       currentglobal //pdfdict gcheck .setglobal

       //pdfdict /.Qqwarning_issued //true .forceput

       .setglobal

       pdfformaterror

     } executeonly ifelse

-  } if

+  } executeonly if

 } bind executeonly odef

 % Save PDF gstate

@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef

   dup type /booleantype eq {

     .currentSMask type /dicttype eq {

       .currentSMask /Processed 2 index .forceput

+    } executeonly

+    {

+      .setSMask

+    }ifelse

   } executeonly

   {

-      .setSMask

-  }ifelse

-  }{

   .setSMask

   }ifelse

-- 

2.20.1