From: Chris Liddell <chris.liddell@artifex.com>
Date: Sat, 29 Sep 2018 14:34:55 +0000 (+0100)
Subject: Bug 699816: Improve hiding of security critical custom operators
Bug 699816: Improve hiding of security critical custom operators
Make procedures that use .forceput/.forcedef/.forceundef into operators.
The result of this is that errors get reported against the "top" operator,
rather than the "called" operator within the procedure.
For example:
/myproc
{
myop
} bind def
If 'myop' throws an error, the error handler will be passed the 'myop'
operator. Promoting 'myproc' to a operator means the error handler will be
passed 'myproc'.
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a54c9e61e7d02bbc620bcba9b1c208462a876afb
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 10 Oct 2018 22:25:51 +0000 (+0100)
Subject: Bug 699938: .loadfontloop must be an operator
Bug 699938: .loadfontloop must be an operator
In the fix for Bug 699816, I omitted to make .loadfontloop into an operator, to
better hide .forceundef and .putgstringcopy.
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a5a9bf8c6a63aa4ac6874234fe8cd63e72077291
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 28 Nov 2018 17:12:08 +0000 (+0000)
Subject: Bug 700290: Fix problems with DELAYBIND and font substitution
Bug 700290: Fix problems with DELAYBIND and font substitution
Judicious use of immediate evaluation for .setnativefontmapbuilt and
.putgstringcopy to avoid problems with DELAYBIND
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2756f0efae1d3966989b15a6526c5d80848b5015
---
diff -up ghostscript-9.07/Resource/Init/gs_diskn.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_diskn.ps
--- ghostscript-9.07/Resource/Init/gs_diskn.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/gs_diskn.ps 2018-12-10 14:51:03.208407266 +0100
@@ -53,7 +53,7 @@ systemdict begin
exch .setglobal
}
if
-} .bind executeonly def % must be bound and hidden for .forceput
+} .bind executeonly odef % must be bound and hidden for .forceput
% Modify .putdevparams to force regeneration of .searchabledevs list
/.putdevparams {
diff -up ghostscript-9.07/Resource/Init/gs_dps.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_dps.ps
--- ghostscript-9.07/Resource/Init/gs_dps.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/gs_dps.ps 2018-12-10 14:51:03.208407266 +0100
@@ -71,7 +71,7 @@
//true .setglobal
//systemdict /savedinitialgstate gstate readonly put
.setglobal
-} .bind def
+} .bind executeonly odef % must be bound and hidden for .forceput
% Initialize local dictionaries and gstate when creating a new context.
% Note that until this completes, we are in the anomalous situation of
diff -up ghostscript-9.07/Resource/Init/gs_fntem.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_fntem.ps
--- ghostscript-9.07/Resource/Init/gs_fntem.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/gs_fntem.ps 2018-12-10 14:51:03.209407249 +0100
@@ -432,7 +432,7 @@ currentdict end def
exit
} loop
exch setglobal
-} bind def
+} .bind executeonly odef % must be bound and hidden for .forceput
currentdict end /ProcSet defineresource pop
diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_fonts.ps
--- ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2018-17961 2018-12-10 14:51:03.002410648 +0100
+++ ghostscript-9.07/Resource/Init/gs_fonts.ps 2018-12-10 14:51:03.209407249 +0100
@@ -375,7 +375,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .
% and the access path.
/.setnativefontmapbuilt { % set whether we've been run
systemdict exch /.nativefontmapbuilt exch .forceput
-} .bind executeonly def
+} .bind executeonly odef
systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt
/.buildnativefontmap { % - .buildnativefontmap <bool>
QUIET not {
@@ -404,7 +404,7 @@ systemdict /NONATIVEFONTMAP known .setna
} forall
} if
% record that we've been run
- //true .setnativefontmapbuilt
+ //true //.setnativefontmapbuilt
} bind def
% Create the dictionary that registers the .buildfont procedure
@@ -1082,7 +1082,7 @@ $error /SubstituteFont { } put
% Check to make sure the font was actually loaded.
dup 3 index .fontknownget
- { dup /PathLoad 4 index //.putgstringcopy exec
+ { dup /PathLoad 4 index //.putgstringcopy
4 1 roll pop pop pop //true exit
} if
@@ -1094,7 +1094,7 @@ $error /SubstituteFont { } put
{ % Stack: origfontname fontdirectory path filefontname
2 index 1 index .fontknownget
{ % Yes. Stack: origfontname fontdirectory path filefontname fontdict
- dup 4 -1 roll /PathLoad exch //.putgstringcopy exec
+ dup 4 -1 roll /PathLoad exch //.putgstringcopy
% Stack: origfontname fontdirectory filefontname fontdict
3 -1 roll pop exch
% Stack: origfontname fontdict filefontname
@@ -1122,9 +1122,8 @@ $error /SubstituteFont { } put
} loop % end of loop
- } bind executeonly def % must be bound and hidden for .putgstringcopy
-
-currentdict /.putgstringcopy .undef
+ } bind executeonly odef % must be bound and hidden for .putgstringcopy
+currentdict /.putgstringcopy .forceundef
% Define a procedure to load all known fonts.
% This isn't likely to be very useful.
diff -up ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_lev2.ps
--- ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/gs_lev2.ps 2018-12-10 14:51:03.210407233 +0100
@@ -163,9 +163,10 @@ end
% Set them again to the new values. From here on, we are safe,
% since a context switch will consult userparams.
.setuserparams
-} .bind def
+} .bind executeonly odef % must be bound and hidden for .forceput
/setuserparams { % <dict> setuserparams -
- .setuserparams2
+ {.setuserparams2} stopped
+ {/setuserparams load $error /errorname get signalerror} if
} .bind odef
% Initialize user parameters managed here.
/JobName () .definepsuserparam
@@ -414,7 +415,9 @@ psuserparams /ProcessDSCComment {.checkp
% VMReclaim and VMThreshold are user parameters.
/setvmthreshold { % <int> setvmthreshold -
- mark /VMThreshold 2 .argindex .dicttomark .setuserparams2 pop
+ mark /VMThreshold 2 .argindex .dicttomark {.setuserparams2} stopped
+ {pop /setvmthreshold load $error /errorname get signalerror}
+ {pop} ifelse
} odef
/vmreclaim { % <int> vmreclaim -
dup 0 gt {
@@ -426,7 +429,9 @@ psuserparams /ProcessDSCComment {.checkp
ifelse
} {
% VMReclaim userparam controls enable/disable GC
- mark /VMReclaim 2 index .dicttomark .setuserparams2 pop
+ mark /VMReclaim 2 index .dicttomark {.setuserparams2} stopped
+ {pop /vmreclaim load $error /errorname get signalerror}
+ {pop} ifelse
} ifelse
} odef
-1 setvmthreshold
diff -up ghostscript-9.07/Resource/Init/gs_pdfwr.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_pdfwr.ps
--- ghostscript-9.07/Resource/Init/gs_pdfwr.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/gs_pdfwr.ps 2018-12-10 14:51:03.210407233 +0100
@@ -547,8 +547,7 @@ currentdict /.pdfmarkparams .undef
} {
pop
} ifelse
-}
-bind def
+} .bind executeonly odef % must be bound and hidden for .forceput
% Use the DSC processing hook to pass DSC comments to the driver.
% We use a pseudo-parameter named DSC whose value is an array:
diff -up ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_setpd.ps
--- ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2018-17961 2018-12-10 14:51:03.194407496 +0100
+++ ghostscript-9.07/Resource/Init/gs_setpd.ps 2018-12-10 14:51:03.210407233 +0100
@@ -544,6 +544,20 @@ NOMEDIAATTRS {
% in the <failed> dictionary with the policy value,
% and we replace the key in the <merged> dictionary with its prior value
% (or remove it if it had no prior value).
+
+% Making this an operator means we can properly hide
+% the contents - specifically .forceput
+/1Policy
+{
+ % Roll back the failed request to its previous status.
+ SETPDDEBUG { (Rolling back.) = pstack flush } if
+ 3 index 2 index 3 -1 roll .forceput
+ 4 index 1 index .knownget
+ { 4 index 3 1 roll .forceput }
+ { 3 index exch .undef }
+ ifelse
+} bind executeonly odef
+
/.policyprocs mark
% These procedures are called with the following on the stack:
% <orig> <merged> <failed> <Policies> <key> <policy>
@@ -567,14 +581,7 @@ NOMEDIAATTRS {
/setpagedevice .systemvar /configurationerror signalerror
} ifelse
} bind
- 1 { % Roll back the failed request to its previous status.
-SETPDDEBUG { (Rolling back.) = pstack flush } if
- 3 index 2 index 3 -1 roll .forceput
- 4 index 1 index .knownget
- { 4 index 3 1 roll .forceput }
- { 3 index exch .undef }
- ifelse
- } .bind
+ 1 /1Policy load
7 { % For PageSize only, just impose the request.
1 index /PageSize eq
{ pop pop 1 index /PageSize 7 put }
@@ -582,6 +589,8 @@ SETPDDEBUG { (Rolling back.) = pstack fl
ifelse
} bind
.dicttomark readonly def
+currentdict /1Policy undef
+
/.applypolicies % <orig> <merged> <failed> .applypolicies
% <orig> <merged'> <failed'>
{ 1 index /Policies get 1 index
diff -up ghostscript-9.07/Resource/Init/gs_typ32.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_typ32.ps
--- ghostscript-9.07/Resource/Init/gs_typ32.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/gs_typ32.ps 2018-12-10 14:51:03.211407216 +0100
@@ -79,15 +79,19 @@ systemdict /.removeglyphs .undef
.dicttomark /ProcSet defineresource pop
/.cidfonttypes where { pop } { /.cidfonttypes 6 dict def } ifelse
-.cidfonttypes begin
-
-4 % CIDFontType 4 = FontType 32
-{ dup /FontType 32 .forceput
+/CIDFontType4
+{
+ dup /FontType 32 .forceput
dup /CharStrings 20 dict .forceput
1 index exch .buildfont32 exch pop
-} bind def
+} .bind executeonly odef
+.cidfonttypes begin
+
+
+4 /CIDFontType4 load def % CIDFontType 4 = FontType 32
end % .cidfonttypes
+currentdict /CIDFontType4 .forceundef
% Define the BuildGlyph procedure.
% Since Type 32 fonts are indexed by CID, there is no BuildChar procedure.
diff -up ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_type1.ps
--- ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/gs_type1.ps 2018-12-10 14:51:03.211407216 +0100
@@ -215,7 +215,7 @@ currentdict /closesourcedict .undef
} if
2 copy /WeightVector exch .forceput
.setweightvector
-} .bind executeonly def
+} .bind executeonly odef
end
% Register the font types for definefont.
diff -up ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_base.ps
--- ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/pdf_base.ps 2018-12-10 14:51:03.211407216 +0100
@@ -177,7 +177,7 @@ currentdict /num-chars-dict .undef
} ifelse
} ifelse
} ifelse
-} bind def
+} bind executeonly odef
/PDFScanRules_true << /PDFScanRules //true >> def
/PDFScanRules_null << /PDFScanRules //null >> def
/.pdfrun { % <file> <opdict> .pdfrun -
diff -up ghostscript-9.07/Resource/Init/pdf_draw.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_draw.ps
--- ghostscript-9.07/Resource/Init/pdf_draw.ps.cve-2018-17961 2018-12-10 14:51:03.177407775 +0100
+++ ghostscript-9.07/Resource/Init/pdf_draw.ps 2018-12-10 14:51:03.212407200 +0100
@@ -948,7 +948,7 @@ currentdict end readonly def
Q
PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if
PDFfile exch setfileposition
-} bdef
+}bind executeonly odef
/resolvepattern { % <patternstreamdict> resolvepattern <patterndict>
% Don't do the resolvestream now: just capture the data
@@ -1809,7 +1809,7 @@ currentdict /last-ditch-bpc-csp undef
} if
pop
/pdfemptycount exch store
-} bdef
+} bind executeonly odef
/_dops_save 1 array def
diff -up ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_font.ps
--- ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/pdf_font.ps 2018-12-10 14:51:03.213407183 +0100
@@ -641,7 +641,7 @@ currentdict end readonly def
} if
} if
pop pop pop
-} bind def
+} bind executeonly odef
% ---------------- Descriptors ---------------- %
@@ -1097,7 +1097,7 @@ currentdict /eexec_pdf_param_dict .undef
} bdef
dup currentdict Encoding .processToUnicode
currentdict end .completefont exch pop
-} bdef
+} bind executeonly odef
/.adjustcharwidth { % <wx> <wy> .adjustcharwidth <wx'> <wy'>
% Enforce the metrics, in glyph space, to the values found in the PDF Font object
% - force wy == 0 (assumed, and not stored in the PDF font)
@@ -1794,7 +1794,7 @@ currentdict /CMap_read_dict undef
} if
/findresource cvx /undefined signalerror
} loop
-} bdef
+} bind executeonly odef
/buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font>
dup /BaseFont get findCIDFont exch pop
@@ -1964,7 +1964,7 @@ currentdict /CMap_read_dict undef
/Type0 //buildType0
/Type1 //buildType1
/MMType1 //buildType1
- /Type3 //buildType3
+ /Type3 /buildType3 load
/TrueType //buildTrueType
/CIDFontType0 //buildCIDType0
/CIDFontType2 //buildCIDType2
diff -up ghostscript-9.07/Resource/Init/pdf_main.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_main.ps
--- ghostscript-9.07/Resource/Init/pdf_main.ps.cve-2018-17961 2018-12-10 14:51:03.168407922 +0100
+++ ghostscript-9.07/Resource/Init/pdf_main.ps 2018-12-10 14:51:03.213407183 +0100
@@ -382,7 +382,7 @@ currentdict /runpdfstring .undef
} forall
pop
} ifelse
-} bind def
+} bind executeonly odef
currentdict /pdf_collection_files .undef
@@ -1878,7 +1878,7 @@ currentdict /PDF2PS_matrix_key undef
Repaired % pass Repaired state around the restore
PDFSave restore
/Repaired exch def
-} bind def
+} bind executeonly odef
% Display the contents of a page (including annotations).
/showpagecontents { % <pagedict> showpagecontents -
diff -up ghostscript-9.07/Resource/Init/pdf_ops.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_ops.ps
--- ghostscript-9.07/Resource/Init/pdf_ops.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/pdf_ops.ps 2018-12-10 14:51:03.214407167 +0100
@@ -128,7 +128,7 @@ nodict readonly pop
{ (\n **** File has unbalanced q/Q operators \(too many Q's\) ****\n)
pdfformaterror
} if
-} bdef
+} bind executeonly odef
% Save PDF gstate
/qstate { % - qstate <qstate>
@@ -282,7 +282,7 @@ nodict readonly pop
} bdef
/ca { /FillConstantAlpha gput } bdef
/CA { /StrokeConstantAlpha gput } bdef
-/SMask { /SoftMask gput } bdef
+/SMask { /SoftMask gput } bind executeonly odef
/AIS { /AlphaIsShape gput } bdef
/BM {
/.setblendmode where {