commit 30cd347f37bfb293ffdc407397d1023628400b81
Author: Ken Sharp <ken.sharp@artifex.com>
Date: Mon Oct 15 13:35:15 2018 +0100
font parsing - prevent SEGV in .cffparse
Bug #699961 "currentcolortransfer procs crash .parsecff"
zparsecff checked the operand for being an array (and not a packed
array) but the returned procedures from the default currentcolortransfer
are arrays, not packed arrays. This led to the code trying to
dereference a NULL pointer.
Add a specific check for the 'refs' pointer being NULL before we try
to use it.
Additionally, make the StartData procedure in the CFF Font Resource
executeonly to prevent pulling the hidden .parsecff operator out and
using it. Finally, extend this to other resource types.
commit 8e18fcdaa2e2247363c4cc8f851f3096cc5756fa
Author: Chris Liddell <chris.liddell@artifex.com>
Date: Fri Oct 19 13:14:24 2018 +0100
"Hide" a final use of a .force* operator
There was one use of .forceput remaining that was in a regular procedure
rather than being "hidden" behind an operator.
In this case, it's buried in the resource machinery, and hard to access (I
would not be confident in claiming it was impossible). This ensures it's
not accessible.
From d3537a54740d78c5895ec83694a07b3e4f616f61 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 5 Dec 2018 12:22:13 +0000
Subject: [PATCH] Bug700317: Address .force* operators exposure
Fix logic for an older change: unlike almost every other function in gs, dict_find_string() returns 1 on
success 0 or <0 on failure. The logic for this case was wrong.
Sanitize op stack for error conditions
We save the stacks to an array and store the array for the error handler to
access.
For SAFER, we traverse the array, and deep copy any op arrays (procedures). As
we make these copies, we check for operators that do *not* exist in systemdict,
when we find one, we replace the operator with a name object (of the form
"/--opname--").
Any transient procedures that call .force* operators
(i.e. for conditionals or loops) make them executeonly.
Harden some uses of .force* operators
by adding a few immediate evaluations
CVE-2019-6116
---
diff -up ghostscript-9.07/psi/interp.c.cve-2019-6116 ghostscript-9.07/psi/interp.c
--- ghostscript-9.07/psi/interp.c.cve-2019-6116 2019-01-24 12:20:06.802913354 +0100
+++ ghostscript-9.07/psi/interp.c 2019-01-24 12:20:06.843912826 +0100
@@ -692,7 +692,7 @@ again:
* i.e. it's an internal operator we have hidden
*/
code = dict_find_string(systemdict, (const char *)bufptr, &tobj);
- if (code < 0) {
+ if (code <= 0) {
buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-';
rlen += 4;
bufptr = buf;
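Review bot: The `code <= 0` test after `dict_find_string()` has no comment recording the return convention it depends on, and the previous `< 0` version shows how easily that convention is misread. A line such as `/* dict_find_string() returns 1 when the key is found, 0 or <0 otherwise */` above the `if` would keep the next edit from reverting it. The enclosing function starts and ends outside this hunk.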
@@ -751,6 +751,7 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_s
uint size = ref_stack_count(pstack) - skip;
uint save_space = ialloc_space(idmemory);
int code, i;
+ ref *safety, *safe;
if (size > 65535)
size = 65535;
@@ -768,6 +769,13 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_s
make_null(&arr->value.refs[i]);
}
}
+ if (pstack == &o_stack && dict_find_string(systemdict, "SAFETY", &safety) > 0 &&
+ dict_find_string(safety, "safe", &safe) > 0 && r_has_type(safe, t_boolean) &&
+ safe->value.boolval == true) {
+ code = ref_stack_array_sanitize(i_ctx_p, arr, arr);
+ if (code < 0)
+ return code;
+ }
ialloc_set_space(idmemory, save_space);
return code;
}
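Review bot: The new `return code;` inside the SAFETY block leaves `copy_stack` before `ialloc_set_space(idmemory, save_space)` runs, so a failure from `ref_stack_array_sanitize()` returns with the allocation space presumably still set to whatever the function selected earlier rather than the saved one. Dropping the inner `if (code < 0) return code;` yields the same return value, because the function already ends with the restore followed by `return code;`. Separately, `code` from the earlier allocation and store steps (outside this hunk) appears to be overwritten by the sanitize result, so it is worth running the sanitize step only when `code >= 0`. The start of `copy_stack` lies outside the hunk.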
diff -up ghostscript-9.07/psi/int.mak.cve-2019-6116 ghostscript-9.07/psi/int.mak
--- ghostscript-9.07/psi/int.mak.cve-2019-6116 2019-01-24 12:20:06.824913071 +0100
+++ ghostscript-9.07/psi/int.mak 2019-01-24 12:20:06.843912826 +0100
@@ -199,7 +199,7 @@ $(PSOBJ)iparam.$(OBJ) : $(PSSRC)iparam.c
$(PSOBJ)istack.$(OBJ) : $(PSSRC)istack.c $(GH) $(memory__h)\
$(ierrors_h) $(gsstruct_h) $(gsutil_h)\
$(ialloc_h) $(istack_h) $(istkparm_h) $(istruct_h) $(iutil_h) $(ivmspace_h)\
- $(store_h)
+ $(store_h) $(icstate_h) $(iname_h) $(dstack_h) $(idict_h)
$(PSCC) $(PSO_)istack.$(OBJ) $(C_) $(PSSRC)istack.c
$(PSOBJ)iutil.$(OBJ) : $(PSSRC)iutil.c $(GH) $(math__h) $(memory__h) $(string__h)\
diff -up ghostscript-9.07/psi/istack.c.cve-2019-6116 ghostscript-9.07/psi/istack.c
--- ghostscript-9.07/psi/istack.c.cve-2019-6116 2013-02-14 08:58:13.000000000 +0100
+++ ghostscript-9.07/psi/istack.c 2019-01-24 12:20:06.844912813 +0100
@@ -27,6 +27,10 @@
#include "iutil.h"
#include "ivmspace.h" /* for local/global test */
#include "store.h"
+#include "icstate.h"
+#include "iname.h"
+#include "dstack.h"
+#include "idict.h"
/* Forward references */
static void init_block(ref_stack_t *pstack, const ref *pblock_array,
@@ -283,6 +287,80 @@ ref_stack_store_check(const ref_stack_t
return 0;
}
+int
+ref_stack_array_sanitize(i_ctx_t *i_ctx_p, ref *sarr, ref *darr)
+{
+ int i, code;
+ ref obj, arr2;
+ ref *pobj2;
+ gs_memory_t *mem = (gs_memory_t *)idmemory->current;
+
+ if (!r_is_array(sarr) || !r_has_type(darr, t_array))
+ return_error(gs_error_typecheck);
+
+ for (i = 0; i < r_size(sarr); i++) {
+ code = array_get(mem, sarr, i, &obj);
+ if (code < 0)
+ make_null(&obj);
+ switch(r_type(&obj)) {
+ case t_operator:
+ {
+ int index = op_index(&obj);
+
+ if (index > 0 && index < op_def_count) {
+ const byte *data = (const byte *)(op_index_def(index)->oname + 1);
+ if (dict_find_string(systemdict, (const char *)data, &pobj2) <= 0) {
+ byte *s = gs_alloc_bytes(mem, strlen((char *)data) + 5, "ref_stack_array_sanitize");
+ if (s) {
+ s[0] = '\0';
+ strcpy((char *)s, "--");
+ strcpy((char *)s + 2, (char *)data);
+ strcpy((char *)s + strlen((char *)data) + 2, "--");
+ }
+ else {
+ s = (byte *)data;
+ }
+ code = name_ref(imemory, s, strlen((char *)s), &obj, 1);
+ if (code < 0) make_null(&obj);
+ if (s != data)
+ gs_free_object(mem, s, "ref_stack_array_sanitize");
+ }
+ }
+ else {
+ make_null(&obj);
+ }
+ ref_assign(darr->value.refs + i, &obj);
+ break;
+ }
+ case t_array:
+ case t_shortarray:
+ case t_mixedarray:
+ {
+ int attrs = r_type_attrs(&obj) & (a_write | a_read | a_execute | a_executable);
+ /* We only want to copy executable arrays */
+ if (attrs & (a_execute | a_executable)) {
+ code = ialloc_ref_array(&arr2, attrs, r_size(&obj), "ref_stack_array_sanitize");
+ if (code < 0) {
+ make_null(&arr2);
+ }
+ else {
+ code = ref_stack_array_sanitize(i_ctx_p, &obj, &arr2);
+ }
+ ref_assign(darr->value.refs + i, &arr2);
+ }
+ else {
+ ref_assign(darr->value.refs + i, &obj);
+ }
+ break;
+ }
+ default:
+ ref_assign(darr->value.refs + i, &obj);
+ }
+ }
+ return 0;
+}
+
+
/*
* Store the top 'count' elements of a stack, starting 'skip' elements below
* the top, into an array, with or without store/undo checking. age=-1 for
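Review bot: The recursive call to `ref_stack_array_sanitize()` in the array case has no depth limit and its result is discarded, so the function returns 0 for every failure except the initial type check. An operand stack holding a very deeply nested executable array, or one that contains itself, would keep recursing until the C stack is exhausted, and this runs during error handling under SAFER. I would propagate the nested result with `if (code < 0) return code;` after the recursive call and bound the nesting depth, for example through a static helper that carries a depth counter and stores a null object once the limit is reached. The loop also writes `darr->value.refs + i` for every index of `sarr` without checking that `darr` is at least as long.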
diff -up ghostscript-9.07/psi/istack.h.cve-2019-6116 ghostscript-9.07/psi/istack.h
--- ghostscript-9.07/psi/istack.h.cve-2019-6116 2013-02-14 08:58:13.000000000 +0100
+++ ghostscript-9.07/psi/istack.h 2019-01-24 12:20:06.844912813 +0100
@@ -129,6 +129,9 @@ int ref_stack_store(const ref_stack_t *p
uint skip, int age, bool check,
gs_dual_memory_t *idmem, client_name_t cname);
+int
+ref_stack_array_sanitize(i_ctx_t *i_ctx_p, ref *sarr, ref *darr);
+
/*
* Pop the top N elements off a stack.
* The number must not exceed the number of elements in use.
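Review bot: The new `ref_stack_array_sanitize()` prototype has no descriptive comment, unlike the declaration that follows it in this header. A short block comment should state that `sarr` may be any array type while `darr` must be a `t_array` with at least `r_size(sarr)` elements, and that the two may be the same object, as in the `copy_stack` call. It should also say that operators not found in systemdict are replaced by `--opname--` name objects, that executable sub-arrays are copied, and that the return value is `gs_error_typecheck` for a bad argument and 0 otherwise.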
diff -up ghostscript-9.07/psi/zfont2.c.cve-2019-6116 ghostscript-9.07/psi/zfont2.c
--- ghostscript-9.07/psi/zfont2.c.cve-2019-6116 2019-01-24 12:20:06.601915943 +0100
+++ ghostscript-9.07/psi/zfont2.c 2019-01-24 12:20:06.844912813 +0100
@@ -2718,9 +2718,13 @@ zparsecff(i_ctx_t *i_ctx_p)
ref blk_wrap[1];
check_read(*op);
+
if (r_has_type(op, t_array)) { /* no packedarrays */
int i, blk_sz, blk_cnt;
+ if (op->value.refs == NULL)
+ return_error(gs_error_typecheck);
+
data.blk_ref = op->value.refs;
blk_cnt = r_size(op);
blk_sz = r_size(data.blk_ref);
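Review bot: The added NULL test on `op->value.refs` does not cover a zero-length array whose `refs` pointer is non-NULL, and `blk_sz = r_size(data.blk_ref)` reads element 0 without consulting `r_size(op)` first. Checking the length as well, `if (op->value.refs == NULL || r_size(op) == 0) return_error(gs_error_typecheck);`, would make the guard independent of how empty arrays happen to be represented. Whether such an array can reach this point is not visible here; the rest of `zparsecff` lies outside the hunk.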
diff -up ghostscript-9.07/Resource/Init/gs_cff.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_cff.ps
--- ghostscript-9.07/Resource/Init/gs_cff.ps.cve-2019-6116 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/gs_cff.ps 2019-01-24 12:20:06.845912801 +0100
@@ -719,7 +719,7 @@ dup % Format 2
% ordinary CFF font.
/StartData { % <resname> <nbytes> StartData -
currentfile exch subfilefilter //false //false ReadData pop
-} bind def
+} bind executeonly def
/ReadData { % <resname> <file> <forceresname> <forcecid> ReadData <fontset>
% Initialize.
@@ -860,7 +860,7 @@ systemdict /OLDCFF known {
end % FontSetInit ProcSet
/FontSet defineresource
-} bind def
+} bind executeonly def
% ---------------- Resource category definition ---------------- %
diff -up ghostscript-9.07/Resource/Init/gs_cidcm.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_cidcm.ps
--- ghostscript-9.07/Resource/Init/gs_cidcm.ps.cve-2019-6116 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/gs_cidcm.ps 2019-01-24 12:20:06.845912801 +0100
@@ -327,7 +327,7 @@ currentdict end def
//FindResource exec
} ifelse
} ifelse
-} bind def
+} bind executeonly def
/ResourceStatus { % <InstName> ResourceStatus <nStatus> <nSize> true
% <InstName> ResourceStatus false
@@ -359,7 +359,7 @@ currentdict end def
//false
} ifelse
} ifelse
-} bind def
+} bind executeonly def
/ResourceForAll { % <template> <proc> <scratch> ResourceForAll -
@@ -440,7 +440,7 @@ currentdict end def
% Make the enumerator and apply it :
/MappedCategoryRedefiner /ProcSet findresource /MakeResourceEnumerator get exec exec
-} bind def
+} bind executeonly def
currentdict end /Font exch /Category defineresource pop
end
diff -up ghostscript-9.07/Resource/Init/gs_ciddc.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_ciddc.ps
--- ghostscript-9.07/Resource/Init/gs_ciddc.ps.cve-2019-6116 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/gs_ciddc.ps 2019-01-24 12:20:06.845912801 +0100
@@ -202,7 +202,7 @@ begin
exch pop begin %
.GetCIDDecoding
end
- } bind def
+ } bind executeonly def
/FindResource % <name> FindResource <dict>
{ currentglobal exch % bGlobal /InstName
@@ -210,7 +210,7 @@ begin
dup //.MakeInstance exec % bGlobal /InstName <Inst>
DefineResource % bGlobal <Inst>
exch setglobal % <Inst>
- } bind def
+ } bind executeonly def
currentdict end
/CIDDecoding exch /Category defineresource pop
diff -up ghostscript-9.07/Resource/Init/gs_cmap.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_cmap.ps
--- ghostscript-9.07/Resource/Init/gs_cmap.ps.cve-2019-6116 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/gs_cmap.ps 2019-01-24 12:20:06.845912801 +0100
@@ -535,7 +535,7 @@ dup /DefineResource {
} if
dup /CodeMap .knownget { //null eq { .buildcmap } if } if
/Generic /Category findresource /DefineResource get exec
-} bind put
+} bind executeonly put
/Category defineresource pop
% We might have loaded CID font support already.
/CIDInit /ProcSet 2 copy { findresource } .internalstopped
diff -up ghostscript-9.07/Resource/Init/gs_diskn.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_diskn.ps
--- ghostscript-9.07/Resource/Init/gs_diskn.ps.cve-2019-6116 2019-01-24 12:20:06.813913213 +0100
+++ ghostscript-9.07/Resource/Init/gs_diskn.ps 2019-01-24 12:20:06.845912801 +0100
@@ -51,7 +51,7 @@ systemdict begin
mark 5 1 roll ] mark exch { { } forall } forall ]
//systemdict /.searchabledevs 2 index .forceput
exch .setglobal
- }
+ } executeonly
if
} .bind executeonly odef % must be bound and hidden for .forceput
diff -up ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_dps1.ps
--- ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-6116 2019-01-24 12:20:06.798913406 +0100
+++ ghostscript-9.07/Resource/Init/gs_dps1.ps 2019-01-24 12:20:06.846912788 +0100
@@ -75,18 +75,18 @@ level2dict begin
} odef
% undefinefont has to take local/global VM into account.
/undefinefont % <fontname> undefinefont -
- { .FontDirectory 1 .argindex .forceundef % FontDirectory is readonly
+ { //.FontDirectory 1 .argindex .forceundef % FontDirectory is readonly
.currentglobal
{ % Current mode is global; delete from local directory too.
//systemdict /LocalFontDirectory .knownget
- { 1 index .forceundef } % LocalFontDirectory is readonly
+ { 1 index .forceundef } executeonly % LocalFontDirectory is readonly
if
}
{ % Current mode is local; if there was a shadowed global
% definition, copy it into the local directory.
//systemdict /SharedFontDirectory .knownget
{ 1 index .knownget
- { .FontDirectory 2 index 3 -1 roll { put } //superexec } % readonly
+ { //.FontDirectory 2 index 3 -1 roll { put } //superexec } % readonly
if
}
if
@@ -127,7 +127,7 @@ level2dict begin
}
ifelse
} forall
- pop counttomark 2 idiv { .forceundef } repeat pop % readonly
+ pop counttomark 2 idiv { .forceundef } executeonly repeat pop % readonly
}
if
//SharedFontDirectory exch .forcecopynew pop
diff -up ghostscript-9.07/Resource/Init/gs_dps.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_dps.ps
--- ghostscript-9.07/Resource/Init/gs_dps.ps.cve-2019-6116 2019-01-24 12:20:06.813913213 +0100
+++ ghostscript-9.07/Resource/Init/gs_dps.ps 2019-01-24 12:20:06.846912788 +0100
@@ -118,7 +118,7 @@
.dicttomark readonly /localdicts exch put
% localdicts is now defined in userdict.
% Copy the definitions into systemdict.
- localdicts { .forcedef } forall
+ localdicts { .forcedef } executeonly forall
% Set the user parameters.
userparams readonly .setuserparams
% Establish the initial gstate(s).
diff -up ghostscript-9.07/Resource/Init/gs_fntem.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_fntem.ps
--- ghostscript-9.07/Resource/Init/gs_fntem.ps.cve-2019-6116 2019-01-24 12:20:06.807913290 +0100
+++ ghostscript-9.07/Resource/Init/gs_fntem.ps 2019-01-24 12:20:06.846912788 +0100
@@ -425,12 +425,12 @@ currentdict end def
.forceput % FontInfo can be read-only.
pop % bool <font>
exit
- } if
+ } executeonly if
dup /FontInfo get % bool <font> <FI>
/GlyphNames2Unicode /Unicode /Decoding findresource
.forceput % FontInfo can be read-only.
exit
- } loop
+ } executeonly loop
exch setglobal
} .bind executeonly odef % must be bound and hidden for .forceput
diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_fonts.ps
--- ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-6116 2019-01-24 12:20:06.814913200 +0100
+++ ghostscript-9.07/Resource/Init/gs_fonts.ps 2019-01-24 12:20:06.846912788 +0100
@@ -505,7 +505,7 @@ buildfontdict 3 /.buildfont3 cvx put
if
}
if
- dup .FontDirectory 4 -2 roll { .growput } //superexec % readonly
+ dup //.FontDirectory 4 -2 roll { .growput } //superexec % readonly
% If the font originated as a resource, register it.
currentfile .currentresourcefile eq { dup .registerfont } if
readonly
@@ -927,7 +927,7 @@ $error /SubstituteFont { } put
% Try to find a font using only the present contents of Fontmap.
/.tryfindfont { % <fontname> .tryfindfont <font> true
% <fontname> .tryfindfont false
- .FontDirectory 1 index .fontknownget
+ //.FontDirectory 1 index .fontknownget
{ % Already loaded
exch pop //true
}
@@ -948,7 +948,7 @@ $error /SubstituteFont { } put
{ % Font with a procedural definition
exec % The procedure will load the font.
% Check to make sure this really happened.
- .FontDirectory 1 index .knownget
+ //.FontDirectory 1 index .knownget
{ exch pop //true exit }
if
}
@@ -980,11 +980,11 @@ $error /SubstituteFont { } put
{ 2 index gcheck currentglobal
2 copy eq {
pop pop .forceput
- } {
+ } executeonly {
5 1 roll setglobal
dup length string copy
.forceput setglobal
- } ifelse
+ } executeonly ifelse
} .bind executeonly odef % must be bound and hidden for .forceput
% Attempt to load a font from a file.
@@ -1060,11 +1060,11 @@ $error /SubstituteFont { } put
% because it's different depending on language level.
.currentglobal exch /.setglobal .systemvar exec
% Remove the fake definition, if any.
- .FontDirectory 3 index .forceundef % readonly
- 1 index (r) file .loadfont .FontDirectory exch
+ //.FontDirectory 3 index .forceundef % readonly
+ 1 index (r) file .loadfont //.FontDirectory exch
/.setglobal .systemvar exec
- }
- { .loadfont .FontDirectory
+ } executeonly
+ { .loadfont //.FontDirectory
}
ifelse
% Stack: fontname fontfilename fontdirectory
@@ -1084,7 +1084,7 @@ $error /SubstituteFont { } put
dup 3 index .fontknownget
{ dup /PathLoad 4 index //.putgstringcopy
4 1 roll pop pop pop //true exit
- } if
+ } executeonly if
% Maybe the file had a different FontName.
% See if we can get a FontName from the file, and if so,
@@ -1108,9 +1108,9 @@ $error /SubstituteFont { } put
ifelse % Stack: origfontname fontdict
exch pop //true exit
% Stack: fontdict
- }
+ } executeonly
if pop % Stack: origfontname fontdirectory path
- }
+ } executeonly
if pop pop % Stack: origfontname
% The font definitely did not load correctly.
@@ -1146,10 +1146,10 @@ currentdict /.putgstringcopy .forceundef
(gs_fonts FAKEFONTS) VMDEBUG
Fontmap {
pop dup type /stringtype eq { cvn } if
- .FontDirectory 1 index known not {
+ //.FontDirectory 1 index known not {
2 dict dup /FontName 3 index put
dup /FontType 1 put
- .FontDirectory 3 1 roll { put } //superexec % readonly
+ //.FontDirectory 3 1 roll { put } //superexec % readonly
} {
pop
} ifelse
diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_init.ps
--- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-6116 2019-01-24 12:20:06.826913045 +0100
+++ ghostscript-9.07/Resource/Init/gs_init.ps 2019-01-24 12:20:06.846912788 +0100
@@ -1157,8 +1157,8 @@ errordict /unknownerror .undef
//.SAFERERRORLIST
{dup errordict exch get 2 index 3 1 roll put} forall
noaccess pop
- systemdict /.setsafeerrors .forceundef
- systemdict /.SAFERERRORLIST .forceundef
+ //systemdict /.setsafeerrors .forceundef
+ //systemdict /.SAFERERRORLIST .forceundef
} bind executeonly odef
SAFERERRORS {.setsafererrors} if
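Review bot: The first `.forceundef` removes `/.setsafeerrors`, but the call on the last line of this hunk is spelled `.setsafererrors`, so the name being undefined looks like a typo carried over from the old line. If the operator defined by this procedure is `.setsafererrors` (its definition starts outside the hunk), it stays in systemdict after it has run. In that case the line would read `//systemdict /.setsafererrors .forceundef`.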
@@ -2080,7 +2080,7 @@ readonly def
/LockFilePermissions //true
>> setuserparams
}
- systemdict /getenv {pop //false} .forceput
+ //systemdict /getenv {pop //false} .forceput
if
% setpagedevice has the side effect of clearing the page, but
% we will just document that. Using setpagedevice keeps the device
@@ -2287,7 +2287,7 @@ SAFER { .setsafe } if
% Update the copy of the user parameters.
mark .currentuserparams counttomark 2 idiv {
userparams 3 1 roll .forceput % userparams is read-only
- } repeat pop
+ } executeonly repeat pop
% Turn on idiom recognition, if available.
currentuserparams /IdiomRecognition known {
/IdiomRecognition //true .definepsuserparam
@@ -2306,7 +2306,7 @@ SAFER { .setsafe } if
% Remove real system params from pssystemparams.
mark .currentsystemparams counttomark 2 idiv {
pop pssystemparams exch .forceundef
- } repeat pop
+ } executeonly repeat pop
} if
% Set up AlignToPixels :
diff -up ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_lev2.ps
--- ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2019-6116 2019-01-24 12:20:06.808913277 +0100
+++ ghostscript-9.07/Resource/Init/gs_lev2.ps 2019-01-24 12:20:06.854912684 +0100
@@ -154,7 +154,8 @@ end
% protect top level of parameters that we copied
dup type dup /arraytype eq exch /stringtype eq or { readonly } if
/userparams .systemvar 3 1 roll .forceput % userparams is read-only
- } {
+ } executeonly
+ {
pop pop
} ifelse
} forall
@@ -223,7 +224,7 @@ end
% protect top level parameters that we copied
dup type dup /arraytype eq exch /stringtype eq or { readonly } if
//pssystemparams 3 1 roll .forceput % pssystemparams is read-only
- }
+ } executeonly
{ pop pop
}
ifelse
@@ -911,7 +912,7 @@ mark
dup /PaintProc get
1 index /Implementation known not {
1 index dup /Implementation //null .forceput readonly pop
- } if
+ } executeonly if
exec
} .bind odef % must bind .forceput
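Review bot: The enclosing definition still ends with `} .bind odef`, without `executeonly`, although the other operators in this patch that wrap `.forceput` end with `.bind executeonly odef % must be bound and hidden for .forceput`. Only the inner `{ ... } executeonly if` procedure is protected here, so the outer body would remain readable if the operator's procedure were ever obtained. If that is not deliberate, the closing line would become `} .bind executeonly odef % must be bound and hidden for .forceput`. The start of the definition is outside the hunk.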
diff -up ghostscript-9.07/Resource/Init/gs_pdfwr.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_pdfwr.ps
--- ghostscript-9.07/Resource/Init/gs_pdfwr.ps.cve-2019-6116 2019-01-24 12:20:06.808913277 +0100
+++ ghostscript-9.07/Resource/Init/gs_pdfwr.ps 2019-01-24 12:20:06.855912672 +0100
@@ -541,7 +541,7 @@ currentdict /.pdfmarkparams .undef
resourcestatus
} ifelse
} bind .makeoperator .forceput
- } if
+ } executeonly if
pop
} if
} {
diff -up ghostscript-9.07/Resource/Init/gs_res.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_res.ps
--- ghostscript-9.07/Resource/Init/gs_res.ps.cve-2019-6116 2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/gs_res.ps 2019-01-24 12:20:06.857912646 +0100
@@ -155,10 +155,10 @@ setglobal
} {
/defineresource cvx /typecheck signaloperror
} ifelse
-} bind def
+} bind executeonly odef
/FindResource % (redefined below)
{ .Instances exch get 0 get
- } bind def
+ } bind executeonly def
% Additional entries
@@ -210,7 +210,7 @@ def
/findresource .systemvar /typecheck signalerror
} if
/findresource cvx //.findresource .errorexec
-} odef
+} bind executeonly odef
/defineresource { % <key> <instance> <category> defineresource <instance>
2 .argindex 2 index 2 index % catch stackunderflow
@@ -226,7 +226,7 @@ def
/DefineResource .resourceexec
4 1 roll pop pop pop
} .errorexec
-} bind odef
+} bind executeonly odef
% We must prevent resourceforall from automatically restoring the stacks,
% because we don't want the stacks restored if proc causes an error or
% executes a 'stop'. On the other hand, resourceforall is defined in the
@@ -240,10 +240,10 @@ def
% Stack: <template> <proc> <scratch> <category> proc
exch pop % pop the category
exec end
-} bind def
+} bind executeonly def
/resourceforall { % <template> <proc> <scratch> <category> resourceforall1 -
//resourceforall1 exec % see above
-} bind odef
+} bind executeonly odef
/resourcestatus { % <key> <category> resourcestatus <status> <size> true
% <key> <category> resourcestatus false
{
@@ -259,7 +259,7 @@ def
% for error reporting. CET 23-26
/resourcestatus cvx $error /errorname get signalerror
} if
-} bind odef
+} bind executeonly odef
/undefineresource { % <key> <category> undefineresource -
0 .argindex type /nametype ne {
/undefinedresource cvx /typecheck signaloperror
@@ -272,7 +272,7 @@ def
% here but uses operator for the errors above. CET 23-33
/undefineresource cvx $error /errorname get signalerror
} if
-} bind odef
+} bind executeonly odef
% Define the system parameters used for the Generic implementation of
% ResourceFileName.
@@ -412,7 +412,7 @@ status {
} ifelse
} bind def
-/DefineResource {
+/DefineResource dup {
.CheckResource
{ dup [ exch 0 -1 ]
% Stack: key value instance
@@ -424,7 +424,7 @@ status {
% As noted above, Category dictionaries are read-only,
% so we have to use .forcedef here.
/.Instances 1 index .forcedef % Category dict is read-only
- } if
+ } executeonly if
}
{ .LocalInstances dup //.emptydict eq
{ pop 3 dict localinstancedict Category 2 index put
@@ -441,7 +441,7 @@ status {
{ /defineresource cvx /typecheck signaloperror
}
ifelse
-} .bind executeonly % executeonly to prevent access to .forcedef
+} .bind executeonly .makeoperator % executeonly to prevent access to .forcedef
/UndefineResource
{ { dup 2 index .knownget
{ dup 1 get 1 ge
@@ -457,7 +457,7 @@ status {
{ 2 copy .Instances exch exec
}
if .LocalInstances exch exec
- } bind
+ } bind executeonly
% Because of some badly designed code in Adobe's CID font downloader that
% makes findresource and resourcestatus deliberately inconsistent with each
% other, the default FindResource must not call ResourceStatus if there is
@@ -483,7 +483,7 @@ status {
/findresource cvx .undefinedresource
} ifelse
} ifelse
-} bind
+} bind executeonly
% Because of some badly designed code in Adobe's CID font downloader, the
% definition of ResourceStatus for Generic and Font must be the same (!).
% We patch around this by using an intermediate .ResourceFileStatus procedure.
@@ -493,10 +493,10 @@ status {
} {
.ResourceFileStatus
} ifelse
-} bind
+} bind executeonly
/.ResourceFileStatus {
.ResourceFile { closefile 2 -1 //true } { pop //false } ifelse
-} bind
+} bind executeonly
/ResourceForAll {
% Construct a new procedure to hold the arguments.
% All objects constructed here must be in local VM to avoid
@@ -554,7 +554,7 @@ status {
3 2 roll pop % args
{ forall } 0 get
currentdict end 2 .execn begin
-} bind
+} bind executeonly
/ResourceFileName { % /in (scr) --> (p/c/n)
exch //.rfnstring cvs % (scr) (n)
@@ -577,7 +577,7 @@ status {
} ifelse
} ifelse
exch copy % (p/c/n)
-} bind
+} bind executeonly
% Additional entries
@@ -743,17 +743,17 @@ counttomark 2 idiv
ifelse
}
ifelse
- } bind
+ } bind executeonly
/UndefineResource
- { /undefineresource cvx /invalidaccess signaloperror } bind
+ { /undefineresource cvx /invalidaccess signaloperror } bind executeonly
/FindResource
{ .Instances 1 index .knownget
{ exch pop }
{ /findresource cvx .undefinedresource }
ifelse
- } bind
+ } bind executeonly
/ResourceStatus
- { .Instances exch known { 0 0 //true } { //false } ifelse } bind
+ { .Instances exch known { 0 0 //true } { //false } ifelse } bind executeonly
/ResourceForAll
/Generic .findcategory /ResourceForAll load end
@@ -836,7 +836,7 @@ userdict /.localcsdefaults //false put
1 index .definedefaultcs
currentglobal not { .userdict /.localcsdefaults //true put } if
} if
-} bind
+} bind executeonly
/UndefineResource {
dup /Generic /Category findresource /UndefineResource get exec
@@ -859,7 +859,7 @@ userdict /.localcsdefaults //false put
} {
pop
} ifelse
-} bind
+} bind executeonly
.definecategory % ColorSpace
@@ -889,7 +889,7 @@ userdict /.localcsdefaults //false put
{ exch copy exch pop }
{ /Generic /Category findresource /ResourceFileName get exec }
ifelse
- } bind
+ } bind executeonly
.definecategory % Encoding
@@ -945,11 +945,11 @@ userdict /.localcsdefaults //false put
/DefineResource
{ 2 copy //definefont exch pop
/Generic /Category findresource /DefineResource get exec
- } bind
+ } bind executeonly
/UndefineResource
{ dup //undefinefont
/Generic /Category findresource /UndefineResource get exec
- } bind
+ } bind executeonly
/FindResource {
dup .getvminstance {
exch pop 0 get
@@ -960,14 +960,14 @@ userdict /.localcsdefaults //false put
.loadfontresource
} ifelse
} ifelse
-} bind
+} bind executeonly
/ResourceForAll {
{ .scannextfontdir not { exit } if } loop
/Generic /Category findresource /ResourceForAll get exec
-} bind
+} bind executeonly
/.ResourceFileStatus {
.fontstatus { pop 2 -1 //true } { pop //false } ifelse
-} bind
+} bind executeonly
/.loadfontresource {
dup .vmused exch
@@ -1017,20 +1017,20 @@ end
{ /Font defineresource } stopped {
/definefont cvx $error /errorname get signalerror
} if
-} bind odef
+} bind executeonly odef
/undefinefont {
/Font undefineresource
-} bind odef
+} bind executeonly odef
% The Red Book requires that findfont be a procedure, not an operator,
% but it still needs to restore the stacks reliably if it fails.
/.findfontop {
{ /Font findresource } stopped {
pop /findfont $error /errorname get signalerror
} if
-} bind odef
+} bind executeonly odef
/findfont {
.findfontop
-} bind def % Must be a procedure, not an operator
+} bind executeonly def % Must be a procedure, not an operator
% Remove initialization utilities.
currentdict /.definecategory .undef
diff -up ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_setpd.ps
--- ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2019-6116 2019-01-24 12:20:06.815913187 +0100
+++ ghostscript-9.07/Resource/Init/gs_setpd.ps 2019-01-24 12:20:06.856912659 +0100
@@ -570,7 +570,7 @@ NOMEDIAATTRS {
SETPDDEBUG { (Rolling back.) = pstack flush } if
3 index 2 index 3 -1 roll .forceput
4 index 1 index .knownget
- { 4 index 3 1 roll .forceput }
+ { 4 index 3 1 roll .forceput } executeonly
{ 3 index exch .undef }
ifelse
} bind executeonly odef
diff -up ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/pdf_base.ps
--- ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2019-6116 2019-01-24 12:20:06.809913264 +0100
+++ ghostscript-9.07/Resource/Init/pdf_base.ps 2019-01-24 12:20:06.856912659 +0100
@@ -125,26 +125,26 @@ currentdict /num-chars-dict .undef
/.pdfexectoken { % <count> <opdict> <exectoken> .pdfexectoken ?
PDFDEBUG {
- pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } if
+ pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if
PDFSTEP {
pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
PDFSTEPcount 1 gt {
pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
- } {
+ } executeonly {
dup ==only
( step # ) print PDFtokencount =only
( ? ) print flush 1 //false .outputpage
(%stdin) (r) file 255 string readline {
token {
exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput
- } {
+ } executeonly {
pdfdict /PDFSTEPcount 1 .forceput
- } ifelse % token
+ } executeonly ifelse % token
} {
pop /PDFSTEP //false def % EOF on stdin
} ifelse % readline
} ifelse % PDFSTEPcount > 1
- } {
+ } executeonly {
dup ==only () = flush
} ifelse % PDFSTEP
} if % PDFDEBUG
diff -up ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/pdf_font.ps
--- ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2019-6116 2019-01-24 12:20:06.810913251 +0100
+++ ghostscript-9.07/Resource/Init/pdf_font.ps 2019-01-24 12:20:06.857912646 +0100
@@ -614,7 +614,7 @@ currentdict end readonly def
currentglobal 2 index dup gcheck setglobal
/FontInfo 5 dict dup 5 1 roll .forceput
setglobal
- } if
+ } executeonly if
dup /GlyphNames2Unicode .knownget not {
//true % No existing G2U, make one
} {
@@ -628,7 +628,7 @@ currentdict end readonly def
currentglobal exch dup gcheck setglobal
dup /GlyphNames2Unicode 100 dict dup 4 1 roll .forceput
3 2 roll setglobal
- } if % font-res font-dict encoding|null font-info g2u
+ } executeonly if % font-res font-dict encoding|null font-info g2u
exch pop exch % font-res font-dict g2u encoding|null
userdict /.lastToUnicode get % font-res font-dict g2u Encoding|null CMap
.convert_ToUnicode-into-g2u % font-res font-dict
@@ -1757,7 +1757,7 @@ currentdict /CMap_read_dict undef
/CIDFallBack /CIDFont findresource
} if
exit
- } if
+ } executeonly if
} if
} if