Blob Blame History Raw
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 10 Oct 2018 14:38:10 +0000 (+0100)
Subject: Bug 699927: don't include operator arrays in execstack output

Bug 699927: don't include operator arrays in execstack output

When we transfer the contents of the execution stack into the array, take the
extra step of replacing any operator arrays on the stack with the operator
that reference them.

This prevents the contents of Postscript defined, internal only operators (those
created with .makeoperator) being exposed via execstack (and thus, via error
handling).

This necessitates a change in the resource remapping 'resource', which contains
a procedure which relies on the contents of the operators arrays being present.
As we already had internal-only variants of countexecstack and execstack
(.countexecstack and .execstack) - using those, and leaving thier operation
including the operator arrays means the procedure continues to work correctly.

Both .countexecstack and .execstack are undefined after initialization.

Also, when we store the execstack (or part thereof) for an execstackoverflow
error, make the same oparray/operator substitution as above for execstack.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=34cc326eb2c5695833361887fe0b32e8d987741c

From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 25 Sep 2018 14:38:14 +0000 (+0100)
Subject: Bug 699793: Hide the .needinput operator

Bug 699793: Hide the .needinput operator

This removes the .needinput operator from systemdict, ensuring it can only
be used in the initialization code, and not called erroneously from random
Postscript.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f8ccc7dfb990336b1ca55f65f2e1a8ecdcb76adf
---

diff -up ghostscript-9.07/psi/interp.c.cve-2018-18073 ghostscript-9.07/psi/interp.c
--- ghostscript-9.07/psi/interp.c.cve-2018-18073	2018-12-05 15:15:27.071274267 +0100
+++ ghostscript-9.07/psi/interp.c	2018-12-05 15:15:27.077274220 +0100
@@ -142,7 +142,6 @@ static int oparray_pop(i_ctx_t *);
 static int oparray_cleanup(i_ctx_t *);
 static int zerrorexec(i_ctx_t *);
 static int zfinderrorobject(i_ctx_t *);
-static int errorexec_find(i_ctx_t *, ref *);
 static int errorexec_pop(i_ctx_t *);
 static int errorexec_cleanup(i_ctx_t *);
 static int zsetstackprotect(i_ctx_t *);
@@ -751,7 +750,7 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_s
 {
     uint size = ref_stack_count(pstack) - skip;
     uint save_space = ialloc_space(idmemory);
-    int code;
+    int code, i;
 
     if (size > 65535)
         size = 65535;
@@ -760,6 +759,15 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_s
     if (code >= 0)
         code = ref_stack_store(pstack, arr, size, 0, 1, true, idmemory,
                                "copy_stack");
+    /* If we are copying the exec stack, try to replace any oparrays with
+     * with the operator than references them
+     */
+    if (pstack == &e_stack) {
+        for (i = 0; i < size; i++) {
+            if (errorexec_find(i_ctx_p, &arr->value.refs[i]) < 0)
+                make_null(&arr->value.refs[i]);
+        }
+    }
     ialloc_set_space(idmemory, save_space);
     return code;
 }
@@ -1908,7 +1916,7 @@ zfinderrorobject(i_ctx_t *i_ctx_p)
  * .errorexec with errobj != null, store it in *perror_object and return 1,
  * otherwise return 0;
  */
-static int
+int
 errorexec_find(i_ctx_t *i_ctx_p, ref *perror_object)
 {
     long i;
diff -up ghostscript-9.07/psi/interp.h.cve-2018-18073 ghostscript-9.07/psi/interp.h
--- ghostscript-9.07/psi/interp.h.cve-2018-18073	2013-02-14 08:58:13.000000000 +0100
+++ ghostscript-9.07/psi/interp.h	2018-12-05 15:15:27.077274220 +0100
@@ -92,5 +92,7 @@ void gs_interp_reset(i_ctx_t *i_ctx_p);
 /* Define the top-level interface to the interpreter. */
 int gs_interpret(i_ctx_t **pi_ctx_p, ref * pref, int user_errors,
                  int *pexit_code, ref * perror_object);
+int
+errorexec_find(i_ctx_t *i_ctx_p, ref *perror_object);
 
 #endif /* interp_INCLUDED */
diff -up ghostscript-9.07/psi/int.mak.cve-2018-18073 ghostscript-9.07/psi/int.mak
--- ghostscript-9.07/psi/int.mak.cve-2018-18073	2018-12-05 15:15:27.017274689 +0100
+++ ghostscript-9.07/psi/int.mak	2018-12-05 15:15:27.077274220 +0100
@@ -317,7 +317,8 @@ $(PSOBJ)zarray.$(OBJ) : $(PSSRC)zarray.c
 	$(PSCC) $(PSO_)zarray.$(OBJ) $(C_) $(PSSRC)zarray.c
 
 $(PSOBJ)zcontrol.$(OBJ) : $(PSSRC)zcontrol.c $(OP) $(string__h)\
- $(estack_h) $(files_h) $(ipacked_h) $(iutil_h) $(store_h) $(stream_h)
+ $(estack_h) $(files_h) $(ipacked_h) $(iutil_h) $(store_h) $(stream_h)\
+ $(interp_h)
 	$(PSCC) $(PSO_)zcontrol.$(OBJ) $(C_) $(PSSRC)zcontrol.c
 
 $(PSOBJ)zdict.$(OBJ) : $(PSSRC)zdict.c $(OP)\
diff -up ghostscript-9.07/psi/zcontrol.c.cve-2018-18073 ghostscript-9.07/psi/zcontrol.c
--- ghostscript-9.07/psi/zcontrol.c.cve-2018-18073	2013-02-14 08:58:13.000000000 +0100
+++ ghostscript-9.07/psi/zcontrol.c	2018-12-05 15:15:27.077274220 +0100
@@ -24,6 +24,7 @@
 #include "ipacked.h"
 #include "iutil.h"
 #include "store.h"
+#include "interp.h"
 
 /* Forward references */
 static int check_for_exec(const_os_ptr);
@@ -785,7 +786,7 @@ zexecstack2(i_ctx_t *i_ctx_p)
 /* Continuation operator to do the actual transfer. */
 /* r_size(op1) was set just above. */
 static int
-do_execstack(i_ctx_t *i_ctx_p, bool include_marks, os_ptr op1)
+do_execstack(i_ctx_t *i_ctx_p, bool include_marks, bool include_oparrays, os_ptr op1)
 {
     os_ptr op = osp;
     ref *arefs = op1->value.refs;
@@ -827,6 +828,12 @@ do_execstack(i_ctx_t *i_ctx_p, bool incl
                                   strlen(tname), (const byte *)tname);
                 break;
             }
+            case t_array:
+            case t_shortarray:
+            case t_mixedarray:
+                if (!include_oparrays && errorexec_find(i_ctx_p, rq) < 0)
+                    make_null(rq);
+                break;
             default:
                 ;
         }
@@ -839,14 +846,14 @@ execstack_continue(i_ctx_t *i_ctx_p)
 {
     os_ptr op = osp;
 
-    return do_execstack(i_ctx_p, false, op);
+    return do_execstack(i_ctx_p, false, false, op);
 }
 static int
 execstack2_continue(i_ctx_t *i_ctx_p)
 {
     os_ptr op = osp;
 
-    return do_execstack(i_ctx_p, op->value.boolval, op - 1);
+    return do_execstack(i_ctx_p, op->value.boolval, true, op - 1);
 }
 
 /* - .needinput - */
diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2018-18073 ghostscript-9.07/Resource/Init/gs_init.ps
--- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2018-18073	2018-12-05 15:15:27.073274252 +0100
+++ ghostscript-9.07/Resource/Init/gs_init.ps	2018-12-05 15:18:55.848645627 +0100
@@ -839,12 +839,26 @@ userdict /.currentresourcefile //null pu
 /.runstring {
   0 0 .systemvmstring .systemvmSFD cvx { .runexec } execute0
 } bind def
+
 % Define the procedure that the C code uses to set up for executing
 % a string that may be received in pieces.
+%
+% Immediate evaluation doesn't work on operators (like .needinput)
+% so calling .runstringbegin will throw an undefined error if we
+% undefined .needinput so it cannot be accessed outside the init
+% code. But, we can store the operator in an array, use immediate
+% evaluation on the array to get the operator, then undefined the
+% array (and because they are both of the same name, the operator
+% get undefined too).
+% This prevents random Postscript from erroneously calling .needinput
+% and forcing the interpreter into an invalid state.
+/.needinput
+1 .systemvmarray dup 0 /.needinput load put
+def
 /.runstringbegin {
-  1 .systemvmarray dup 0 /.needinput load put cvx	% { .needinput } in systemvm
+  1 .systemvmarray dup 0 //.needinput 0 get put cvx    % { .needinput } in systemvm
   0 0 .systemvmstring .systemvmSFD cvx .runexec
-} bind def
+} bind executeonly def
 
 % Define a special version of runlibfile that aborts on errors.
 /runlibfile0
@@ -2147,7 +2161,7 @@ SAFER { .setsafe } if
 %% but can be easily restored (just delete the name from the list in the array). In future
 %% we may remove the operator and the code implementation entirely.
 [
-/.bitadd /.charboxpath /.currentblackptcomp /.setblackptcomp /.cond /.countexecstack /.execstack /.runandhide /.popdevicefilter
+/.bitadd /.charboxpath /.cond /.runandhide /.popdevicefilter
 /.execfile /.filenamesplit /.file_name_parent
 /.setdefaultmatrix /.isprocfilter /.unread /.psstringencode
 /.buildsampledfunction /.isencapfunction /.currentaccuratecurves /.currentcurvejoin /.currentdashadapt /.currentdotlength
@@ -2186,6 +2200,7 @@ SAFER { .setsafe } if
 /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
 /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
 /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice
+/.type /.writecvs /.setSMask /.currentSMask /.needinput /.countexecstack /.execstack
 
 % Used by a free user in the Library of Congress. Apparently this is used to
 % draw a partial page, which is then filled in by the results of a barcode
@@ -2204,7 +2219,7 @@ SAFER { .setsafe } if
 % test files/utilities, or engineers expressed a desire to keep them visible.
 %
 %/currentdevice /.sort /.buildfont0 /.buildfont1 /.buildfont2 /.buildfont3 /.buildfont4 /.buildfont9 /.buildfont10 /.buildfont11
-%/.buildfotn32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors
+%/.buildfont32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors
 %/currentdevice  /.quit /.setuseciecolor /.needinput /.setoverprintmode /.special_op /.dicttomark /.knownget
 %/.FAPIavailable /.FAPIpassfont /.FAPIrebuildfont /.FAPIBuildGlyph /.FAPIBuildChar /.FAPIBuildGlyph9
 %/.tempfile /.numicc_components /.set_outputintent  /.max /.min /.vmreclaim /.getpath /.setglobal
diff -up ghostscript-9.07/Resource/Init/gs_resmp.ps.cve-2018-18073 ghostscript-9.07/Resource/Init/gs_resmp.ps
--- ghostscript-9.07/Resource/Init/gs_resmp.ps.cve-2018-18073	2013-02-14 08:58:16.000000000 +0100
+++ ghostscript-9.07/Resource/Init/gs_resmp.ps	2018-12-05 15:15:27.078274212 +0100
@@ -183,7 +183,7 @@ setpacking
   % We don't check them.
 
   currentglobal //false setglobal                  % <object> bGlobal
-  countexecstack array execstack                   % <object> bGlobal [execstack]
+  //false .countexecstack array //false .execstack % <object> bGlobal [execstack]
   dup //null exch                                  % <object> bGlobal [execstack] null [execstack]
   length 3 sub -1 0 {                              % <object> bGlobal [execstack] null i
     2 index exch get                               % <object> bGlobal [execstack] null proc