From a60c0959df8cb80977b57611a5c72380ef18b65d Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 07 2019 10:52:29 +0000
Subject: import ghostscript-9.25-2.el8

---

diff --git a/.ghostscript.metadata b/.ghostscript.metadata
new file mode 100644
index 0000000..cc5991b
--- /dev/null
+++ b/.ghostscript.metadata
@@ -0,0 +1 @@
+9d8ddff3382113bf4a1640368350e05652c93613 SOURCES/ghostscript-9.25.tar.xz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d7c760a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/ghostscript-9.25.tar.xz
diff --git a/SOURCES/ghostscript-9.23-100-run-dvipdf-securely.patch b/SOURCES/ghostscript-9.23-100-run-dvipdf-securely.patch
new file mode 100644
index 0000000..80b0b7d
--- /dev/null
+++ b/SOURCES/ghostscript-9.23-100-run-dvipdf-securely.patch
@@ -0,0 +1,22 @@
+From 91c9c6d17d445781ee572c281b8b9d75d96f9df8 Mon Sep 17 00:00:00 2001
+From: "David Kaspar [Dee'Kej]"
+Date: Fri, 7 Oct 2016 13:57:01 +0200
+Subject: [PATCH] Make sure 'dvipdf' is being run securely
+
+---
+ lib/dvipdf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dvipdf b/lib/dvipdf
+index 802aeab..c92dfb0 100755
+--- a/lib/dvipdf
++++ b/lib/dvipdf
+@@ -43,4 +43,4 @@ fi
+ 
+ # We have to include the options twice because -I only takes effect if it
+ # appears before other options.
+-exec dvips -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite -
++exec dvips -R -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite -
+-- 
+2.14.3
+
diff --git a/SOURCES/ghostscript-cve-2018-17961.patch b/SOURCES/ghostscript-cve-2018-17961.patch
new file mode 100644
index 0000000..9f8653c
--- /dev/null
+++ b/SOURCES/ghostscript-cve-2018-17961.patch
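Review bot: The added `-R` on the dvips side of the pipeline is, as I read the dvips documentation, the `-R1` level: it refuses shell escapes issued through `\special` but still allows dvips to open absolute filenames, whereas `-R2` also forbids absolute paths and config-file-driven commands, so the script should record which level is intended. Because `$DVIPSOPTIONS` is expanded unquoted after `-R`, a later `-R0` supplied by the caller would presumably re-enable what `-R` just disabled, which is worth stating next to the existing comment about option ordering. Suggested comment above the exec line: `# -R puts dvips in secure mode (no shell escapes from \special); it must stay ahead of $DVIPSOPTIONS, and -R2 additionally blocks absolute filenames`. The ghostscript half of the pipeline already carries `-dSAFER` and `-P-`, so the two halves are now consistent.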
@@ -0,0 +1,842 @@ +From b0222e5e39712999f22084996a6b85a120b9389e Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Thu, 20 Sep 2018 16:35:28 +0100 +Subject: [PATCH 1/6] Bug 699795: add operand checking to + .setnativefontmapbuilt + +.setnativefontmapbuilt .forceputs a value into systemdict - it is intended +to be a boolean, but in this case was being called with a compound object +(a dictionary). Such an object, in local VM, being forced into systemdict +would then confuse the garbager, since it could be restored away with the +reference remaining. + +This adds operand checking, so .setnativefontmapbuilt will simply ignore +anything other than a boolean value, and also removes the definition of +.setnativefontmapbuilt after use, since it is only used in two, closely +related places. +--- + Resource/Init/gs_fonts.ps | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps +index 38f0f6c..45b6613 100644 +--- a/Resource/Init/gs_fonts.ps ++++ b/Resource/Init/gs_fonts.ps +@@ -372,9 +372,13 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if + % of strings: what the system thinks is the ps name, + % and the access path. 
+ /.setnativefontmapbuilt { % set whether we've been run +- systemdict exch /.nativefontmapbuilt exch .forceput ++ dup type /booleantype eq { ++ systemdict exch /.nativefontmapbuilt exch .forceput ++ } ++ {pop} ++ ifelse + } .bind executeonly def +-systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt ++systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec + /.buildnativefontmap { % - .buildnativefontmap + systemdict /.nativefontmapbuilt .knownget not + { //false} if +@@ -415,9 +419,10 @@ systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt + } forall + } if + % record that we've been run +- //true .setnativefontmapbuilt ++ //true //.setnativefontmapbuilt exec + } ifelse + } bind def ++currentdict /.setnativefontmapbuilt .forceundef + + % Create the dictionary that registers the .buildfont procedure + % (called by definefont) for each FontType. +-- +2.17.2 + + +From a54c9e61e7d02bbc620bcba9b1c208462a876afb Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Sat, 29 Sep 2018 15:34:55 +0100 +Subject: [PATCH 2/6] Bug 699816: Improve hiding of security critical custom + operators + +Make procedures that use .forceput/.forcedef/.forceundef into operators. + +The result of this is that errors get reported against the "top" operator, +rather than the "called" operator within the procedure. + +For example: +/myproc +{ + myop +} bind def + +If 'myop' throws an error, the error handler will be passed the 'myop' +operator. Promoting 'myproc' to a operator means the error handler will be +passed 'myproc'. 
+--- + Resource/Init/gs_diskn.ps | 2 +- + Resource/Init/gs_dps.ps | 2 +- + Resource/Init/gs_fntem.ps | 2 +- + Resource/Init/gs_fonts.ps | 10 +++++----- + Resource/Init/gs_lev2.ps | 13 +++++++++---- + Resource/Init/gs_pdfwr.ps | 2 +- + Resource/Init/gs_setpd.ps | 25 +++++++++++++++++-------- + Resource/Init/gs_typ32.ps | 14 +++++++++----- + Resource/Init/gs_type1.ps | 2 +- + Resource/Init/pdf_base.ps | 2 +- + Resource/Init/pdf_draw.ps | 10 +++++----- + Resource/Init/pdf_font.ps | 8 ++++---- + Resource/Init/pdf_main.ps | 4 ++-- + Resource/Init/pdf_ops.ps | 8 ++++---- + 14 files changed, 61 insertions(+), 43 deletions(-) + +diff --git a/Resource/Init/gs_diskn.ps b/Resource/Init/gs_diskn.ps +index 5540715..26ec0b5 100644 +--- a/Resource/Init/gs_diskn.ps ++++ b/Resource/Init/gs_diskn.ps +@@ -53,7 +53,7 @@ systemdict begin + exch .setglobal + } + if +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + % Modify .putdevparams to force regeneration of .searchabledevs list + /.putdevparams { +diff --git a/Resource/Init/gs_dps.ps b/Resource/Init/gs_dps.ps +index cad7056..daf7b0f 100644 +--- a/Resource/Init/gs_dps.ps ++++ b/Resource/Init/gs_dps.ps +@@ -70,7 +70,7 @@ + % Save a copy of the initial gstate. + //systemdict /savedinitialgstate gstate readonly .forceput + .setglobal +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + % Initialize local dictionaries and gstate when creating a new context. 
+ % Note that until this completes, we are in the anomalous situation of +diff --git a/Resource/Init/gs_fntem.ps b/Resource/Init/gs_fntem.ps +index 3ceee18..c1f7651 100644 +--- a/Resource/Init/gs_fntem.ps ++++ b/Resource/Init/gs_fntem.ps +@@ -408,7 +408,7 @@ currentdict end def + exit + } loop + exch setglobal +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + currentdict end /ProcSet defineresource pop + +diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps +index 45b6613..89c3ab7 100644 +--- a/Resource/Init/gs_fonts.ps ++++ b/Resource/Init/gs_fonts.ps +@@ -377,8 +377,8 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if + } + {pop} + ifelse +-} .bind executeonly def +-systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec ++} .bind executeonly odef ++systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt + /.buildnativefontmap { % - .buildnativefontmap + systemdict /.nativefontmapbuilt .knownget not + { //false} if +@@ -419,7 +419,7 @@ systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec + } forall + } if + % record that we've been run +- //true //.setnativefontmapbuilt exec ++ //true .setnativefontmapbuilt + } ifelse + } bind def + currentdict /.setnativefontmapbuilt .forceundef +@@ -1103,7 +1103,7 @@ $error /SubstituteFont { } put + + % Check to make sure the font was actually loaded. + dup 3 index .fontknownget +- { dup /PathLoad 4 index //.putgstringcopy exec ++ { dup /PathLoad 4 index .putgstringcopy + 4 1 roll pop pop pop //true exit + } if + +@@ -1115,7 +1115,7 @@ $error /SubstituteFont { } put + { % Stack: origfontname fontdirectory path filefontname + 2 index 1 index .fontknownget + { % Yes. 
Stack: origfontname fontdirectory path filefontname fontdict +- dup 4 -1 roll /PathLoad exch //.putgstringcopy exec ++ dup 4 -1 roll /PathLoad exch .putgstringcopy + % Stack: origfontname fontdirectory filefontname fontdict + 3 -1 roll pop + % Stack: origfontname filefontname fontdict +diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps +index eee0b9f..a8ed892 100644 +--- a/Resource/Init/gs_lev2.ps ++++ b/Resource/Init/gs_lev2.ps +@@ -163,10 +163,11 @@ end + % Set them again to the new values. From here on, we are safe, + % since a context switch will consult userparams. + .setuserparams +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + /setuserparams { % setuserparams - +- .setuserparams2 ++ {.setuserparams2} stopped ++ {/setuserparams load $error /errorname get signalerror} if + } .bind odef + % Initialize user parameters managed here. + /JobName () .definepsuserparam +@@ -415,7 +416,9 @@ psuserparams /ProcessDSCComment {.checkprocesscomment} put + + % VMReclaim and VMThreshold are user parameters. 
+ /setvmthreshold { % setvmthreshold - +- mark /VMThreshold 2 .argindex .dicttomark .setuserparams2 pop ++ mark /VMThreshold 2 .argindex .dicttomark {.setuserparams2} stopped ++ {pop /setvmthreshold load $error /errorname get signalerror} ++ {pop} ifelse + } odef + /vmreclaim { % vmreclaim - + dup 0 gt { +@@ -427,7 +430,9 @@ psuserparams /ProcessDSCComment {.checkprocesscomment} put + ifelse + } { + % VMReclaim userparam controls enable/disable GC +- mark /VMReclaim 2 index .dicttomark .setuserparams2 pop ++ mark /VMReclaim 2 index .dicttomark {.setuserparams2} stopped ++ {pop /vmreclaim load $error /errorname get signalerror} ++ {pop} ifelse + } ifelse + } odef + -1 setvmthreshold +diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps +index fb1c419..58e75d3 100644 +--- a/Resource/Init/gs_pdfwr.ps ++++ b/Resource/Init/gs_pdfwr.ps +@@ -660,7 +660,7 @@ currentdict /.pdfmarkparams .undef + { + pop + } ifelse +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + % Use the DSC processing hook to pass DSC comments to the driver. + % We use a pseudo-parameter named DSC whose value is an array: +diff --git a/Resource/Init/gs_setpd.ps b/Resource/Init/gs_setpd.ps +index 8fa7c51..afb4ffa 100644 +--- a/Resource/Init/gs_setpd.ps ++++ b/Resource/Init/gs_setpd.ps +@@ -608,6 +608,20 @@ NOMEDIAATTRS { + % in the dictionary with the policy value, + % and we replace the key in the dictionary with its prior value + % (or remove it if it had no prior value). ++ ++% Making this an operator means we can properly hide ++% the contents - specifically .forceput ++/1Policy ++{ ++ % Roll back the failed request to its previous status. ++ SETPDDEBUG { (Rolling back.) 
= pstack flush } if ++ 3 index 2 index 3 -1 roll .forceput ++ 4 index 1 index .knownget ++ { 4 index 3 1 roll .forceput } ++ { 3 index exch .undef } ++ ifelse ++} bind executeonly odef ++ + /.policyprocs mark + % These procedures are called with the following on the stack: + % +@@ -631,14 +645,7 @@ NOMEDIAATTRS { + /setpagedevice .systemvar /configurationerror signalerror + } ifelse + } bind +- 1 { % Roll back the failed request to its previous status. +-SETPDDEBUG { (Rolling back.) = pstack flush } if +- 3 index 2 index 3 -1 roll .forceput +- 4 index 1 index .knownget +- { 4 index 3 1 roll .forceput } +- { 3 index exch .undef } +- ifelse +- } .bind executeonly % must be bound and hidden for .forceput ++ 1 /1Policy load + 7 { % For PageSize only, just impose the request. + 1 index /PageSize eq + { pop pop 1 index /PageSize 7 put } +@@ -646,6 +653,8 @@ SETPDDEBUG { (Rolling back.) = pstack flush } if + ifelse + } bind + .dicttomark readonly def ++currentdict /1Policy undef ++ + /.applypolicies % .applypolicies + % + { 1 index /Policies get 1 index +diff --git a/Resource/Init/gs_typ32.ps b/Resource/Init/gs_typ32.ps +index b6600b0..9150f71 100644 +--- a/Resource/Init/gs_typ32.ps ++++ b/Resource/Init/gs_typ32.ps +@@ -79,15 +79,19 @@ systemdict /.removeglyphs .undef + .dicttomark /ProcSet defineresource pop + + /.cidfonttypes where { pop } { /.cidfonttypes 6 dict def } ifelse +-.cidfonttypes begin +- +-4 % CIDFontType 4 = FontType 32 +-{ dup /FontType 32 .forceput ++/CIDFontType4 ++{ ++ dup /FontType 32 .forceput + dup /CharStrings 20 dict .forceput + 1 index exch .buildfont32 exch pop +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef ++.cidfonttypes begin ++ ++ ++4 /CIDFontType4 load def % CIDFontType 4 = FontType 32 + + end % .cidfonttypes ++currentdict /CIDFontType4 .forceundef + + % Define the BuildGlyph procedure. + % Since Type 32 fonts are indexed by CID, there is no BuildChar procedure. 
+diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps +index efdae48..2935d9c 100644 +--- a/Resource/Init/gs_type1.ps ++++ b/Resource/Init/gs_type1.ps +@@ -283,7 +283,7 @@ currentdict /closesourcedict .undef + } if + 2 copy /WeightVector exch .forceput + .setweightvector +-} .bind executeonly def ++} .bind executeonly odef + end + + % Register the font types for definefont. +diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps +index a82a2a3..7ccd4cd 100644 +--- a/Resource/Init/pdf_base.ps ++++ b/Resource/Init/pdf_base.ps +@@ -218,7 +218,7 @@ currentdict /num-chars-dict .undef + } ifelse + } ifelse + } ifelse +-} bind executeonly def ++} bind executeonly odef + /PDFScanRules_true << /PDFScanRules //true >> def + /PDFScanRules_null << /PDFScanRules //null >> def + /.pdfrun { % .pdfrun - +diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps +index d1b6ac9..c239daf 100644 +--- a/Resource/Init/pdf_draw.ps ++++ b/Resource/Init/pdf_draw.ps +@@ -1158,7 +1158,7 @@ currentdict end readonly def + Q + PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if + PDFfile exch setfileposition +-} bind executeonly def ++} bind executeonly odef + + /.pdfpaintproc { + %% Get the /m from pdfopdict (must be present) +@@ -1189,7 +1189,7 @@ currentdict end readonly def + { + switch_to_text_marking_ops + } if +-}bind executeonly def ++}bind executeonly odef + + /resolvepattern { % resolvepattern + % Don't do the resolvestream now: just capture the data +@@ -2353,7 +2353,7 @@ currentdict /last-ditch-bpc-csp undef + }{ + pdfdict /AppearanceNumber 0 .forceput + } ifelse +-}bind executeonly def ++}bind executeonly odef + + /MakeAppearanceName { + pdfdict /AppearanceNumber get +@@ -2382,7 +2382,7 @@ currentdict /last-ditch-bpc-csp undef + DoForm + pdfdict /.PreservePDFForm 3 -1 roll .forceput + grestore +-} bind executeonly def ++} bind executeonly odef + + /DoForm { + %% save the current 
value, if its true we will set it to false later, in order +@@ -2541,7 +2541,7 @@ currentdict /last-ditch-bpc-csp undef + end + } if + pdfdict /.PreservePDFForm 3 -1 roll .forceput +-} bind executeonly def ++} bind executeonly odef + + /_dops_save 1 array def + +diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps +index feaf0d0..535b14a 100644 +--- a/Resource/Init/pdf_font.ps ++++ b/Resource/Init/pdf_font.ps +@@ -718,7 +718,7 @@ currentdict end readonly def + {pop pop pop} + ifelse + +-} bind executeonly def ++} bind executeonly odef + + currentdict /.DoToUnicode? .forceundef + +@@ -1241,7 +1241,7 @@ currentdict /eexec_pdf_param_dict .undef + } bdef + dup currentdict Encoding .processToUnicode + currentdict end .completefont exch pop +-} bind executeonly def ++} bind executeonly odef + /.adjustcharwidth { % .adjustcharwidth + % Enforce the metrics, in glyph space, to the values found in the PDF Font object + % - force wy == 0 (assumed, and not stored in the PDF font) +@@ -2026,7 +2026,7 @@ currentdict /CMap_read_dict undef + } if + /findresource cvx /undefined signalerror + } loop +-} bind executeonly def ++} bind executeonly odef + + /buildCIDType0 { % buildCIDType0 + dup /BaseFont get findCIDFont exch pop +@@ -2211,7 +2211,7 @@ currentdict /CMap_read_dict undef + /Type0 //buildType0 + /Type1 //buildType1 + /MMType1 //buildType1 +- /Type3 //buildType3 ++ /Type3 /buildType3 load + /TrueType //buildTrueType + /CIDFontType0 //buildCIDType0 + /CIDFontType2 //buildCIDType2 +diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps +index 09f8735..c823e69 100644 +--- a/Resource/Init/pdf_main.ps ++++ b/Resource/Init/pdf_main.ps +@@ -660,7 +660,7 @@ currentdict /runpdfstring .undef + } forall + pop + } ifelse +-} bind executeonly def ++} bind executeonly odef + + currentdict /pdf_collection_files .undef + +@@ -2715,7 +2715,7 @@ currentdict /PDF2PS_matrix_key undef + .setglobal + /RepairedAnError exch def + /Repaired exch def +-} bind executeonly 
def ++} bind executeonly odef + + % Display the contents of a page (including annotations). + /showpagecontents { % showpagecontents - +diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps +index c45fc51..8672d61 100644 +--- a/Resource/Init/pdf_ops.ps ++++ b/Resource/Init/pdf_ops.ps +@@ -193,7 +193,7 @@ currentdict /gput_always_allow .undef + pdfformaterror + } ifelse + } if +-} bind executeonly def ++} bind executeonly odef + + % Save PDF gstate + /qstate { % - qstate +@@ -451,7 +451,7 @@ currentdict /gput_always_allow .undef + %% a gsave, so we haven't copied it to /self, if we don't do that here + %% then transparent annotations cause an invalid access error. + currentdict //nodict eq {/self dup load end 5 dict begin def} if +-} bind executeonly def ++} bind executeonly odef + /AIS { .setalphaisshape } bind executeonly def + /BM { + /.setblendmode where { +@@ -1077,7 +1077,7 @@ end readonly def + pdfopdict /v {inside_text_v} bind .forceput + pdfopdict /y {inside_text_y} bind .forceput + pdfopdict /re {inside_text_re} bind .forceput +-} bind executeonly def ++} bind executeonly odef + + /switch_to_normal_marking_ops { + pdfopdict /m {normal_m} bind .forceput +@@ -1086,7 +1086,7 @@ end readonly def + pdfopdict /v {normal_v} bind .forceput + pdfopdict /y {normal_y} bind .forceput + pdfopdict /re {normal_re} bind .forceput +-} bind executeonly def ++} bind executeonly odef + + /BT { + currentdict /TextSaveMatrix known { +-- +2.17.2 + + +From 1778db6bc10a8d60dfe986b22d2300326733ddd6 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Thu, 4 Oct 2018 10:42:13 +0100 +Subject: [PATCH 3/6] Bug 699832: add control over hiding error handlers. + +With a previous commit changing error handling in SAFER so the handler gets +passed a name object (rather than executable object), it is less critical to +hide the error handlers. + +This introduces a -dSAFERERRORS option to force only use of the default error +handlers. 
+ +It also adds a .setsafererrors Postscript call, meaning a caller, without +-dSAFERERRORS, can create their own default error handlers (in errordict, as +normal), and then call .setsafererrors meaning their own handlers are always +called. + +With -dSAFERERRORS or after a call to .setsafererrors, .setsafererrors is +removed. +--- + Resource/Init/gs_init.ps | 42 ++++++++++++++++++++++++---------- + psi/interp.c | 49 ++++++++++++++++++++++++---------------- + 2 files changed, 59 insertions(+), 32 deletions(-) + +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index b94f873..a627eec 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -188,6 +188,16 @@ currentdict /DELAYSAFER known { /DELAYSAFER //true def /NOSAFER //true def } if + currentdict /PARANOIDSAFER known or % PARANOIDSAFER is equivalent + } + ifelse def ++ ++/SAFERERRORS ++currentdict /NOSAFERERRORS known ++{ ++ //false ++} ++{ ++ currentdict /SAFERERRORS known ++} ifelse def ++ + currentdict /SHORTERRORS known /SHORTERRORS exch def + currentdict /TTYPAUSE known /TTYPAUSE exch def + currentdict /WRITESYSTEMDICT known /WRITESYSTEMDICT exch def +@@ -1137,12 +1147,23 @@ errordict begin + } bind def + end % errordict + +-% Put all the default handlers in gserrordict +-gserrordict +-errordict {2 index 3 1 roll put} forall +-noaccess pop +-% remove the non-standard errors from errordict ++gserrordict /unknownerror errordict /unknownerror get put + errordict /unknownerror .undef ++ ++/.SAFERERRORLIST ErrorNames def ++/.setsafererrors ++{ ++% Put all the requested handlers in gserrordict ++ gserrordict ++ //.SAFERERRORLIST ++ {dup errordict exch get 2 index 3 1 roll put} forall ++ noaccess pop ++ systemdict /.setsafeerrors .forceundef ++ systemdict /.SAFERERRORLIST .forceundef ++} bind executeonly odef ++ ++SAFERERRORS {.setsafererrors} if ++ + % Define a stable private copy of handleerror that we will always use under + % JOBSERVER mode. 
+ /.GShandleerror errordict /handleerror get def +@@ -1774,18 +1795,15 @@ currentdict /.runlibfile .undef + + % Bind all the operators defined as procedures. + /.bindoperators % binds operators in currentdict +- { % Temporarily disable the typecheck error. +- errordict /typecheck 2 copy get +- errordict /typecheck { pop } put % pop the command ++ { + currentdict + { dup type /operatortype eq +- { % This might be a real operator, so bind might cause a typecheck, +- % but we've made the error a no-op temporarily. +- .bind ++ { ++ % This might be a real operator, so bind might cause a typecheck ++ {.bind} .internalstopped pop + } + if pop pop + } forall +- put + } def + DELAYBIND not { .bindoperators } if + +diff --git a/psi/interp.c b/psi/interp.c +index 1dec9b6..d60c733 100644 +--- a/psi/interp.c ++++ b/psi/interp.c +@@ -661,27 +661,18 @@ again: + if (gs_errorname(i_ctx_p, code, &error_name) < 0) + return code; /* out-of-range error code! */ + +- /* If LockFilePermissions is true, we only refer to gserrordict, which +- * is not accessible to Postcript jobs ++ /* We refer to gserrordict first, which is not accessible to Postcript jobs ++ * If we're running with SAFERERRORS all the handlers are copied to gserrordict ++ * so we'll always find the default one. If not SAFERERRORS, only gs specific ++ * errors are in gserrordict. + */ +- if (i_ctx_p->LockFilePermissions) { +- if (((dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 || +- dict_find(perrordict, &error_name, &epref) <= 0)) +- ) +- return code; /* error name not in errordict??? */ +- } +- else { +- /* +- * For greater Adobe compatibility, only the standard PostScript errors +- * are defined in errordict; the rest are in gserrordict. 
+- */ +- if (dict_find_string(systemdict, "errordict", &perrordict) <= 0 || +- (dict_find(perrordict, &error_name, &epref) <= 0 && +- (dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 || +- dict_find(perrordict, &error_name, &epref) <= 0)) +- ) +- return code; /* error name not in errordict??? */ +- } ++ if (dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 || ++ (dict_find(perrordict, &error_name, &epref) <= 0 && ++ (dict_find_string(systemdict, "errordict", &perrordict) <= 0 || ++ dict_find(perrordict, &error_name, &epref) <= 0)) ++ ) ++ return code; /* error name not in errordict??? */ ++ + doref = *epref; + epref = &doref; + /* Push the error object on the operand stack if appropriate. */ +@@ -694,6 +685,24 @@ again: + } + *osp = *perror_object; + errorexec_find(i_ctx_p, osp); ++ /* If using SAFER, hand a name object to the error handler, rather than the executable ++ * object/operator itself. ++ */ ++ if (i_ctx_p->LockFilePermissions) { ++ code = obj_cvs(imemory, osp, buf + 2, 256, &rlen, (const byte **)&bufptr); ++ if (code < 0) { ++ const char *unknownstr = "--unknown--"; ++ rlen = strlen(unknownstr); ++ memcpy(buf, unknownstr, rlen); ++ } ++ else { ++ buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-'; ++ rlen += 4; ++ } ++ code = name_ref(imemory, buf, rlen, osp, 1); ++ if (code < 0) ++ make_null(osp); ++ } + } + goto again; + } +-- +2.17.2 + + +From a6807394bd94b708be24758287b606154daaaed9 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Tue, 2 Oct 2018 16:02:58 +0100 +Subject: [PATCH 4/6] For hidden operators, pass a name object to error + handler. + +In normal operation, Postscript error handlers are passed the object which +triggered the error: this is invariably an operator object. + +The issue arises when an error is triggered by an operator which is for internal +use only, and that operator is then passed to the error handler, meaning it +becomes visible to the error handler code. 
+ +By converting to a name object, the error message is still valid, but we no +longer expose internal use only operators. + +The change in gs_dps1.ps is related to the above: previously an error in +scheck would throw an error against .gcheck, but as .gcheck is now a hidden +operator, it resulted in a name object being passed to the error handler. As +scheck is a 'real' operator, it's better to use the real operator, rather than +the name of an internal, hidden one. +--- + Resource/Init/gs_dps1.ps | 2 +- + psi/interp.c | 33 ++++++++++++++++++++++++--------- + 2 files changed, 25 insertions(+), 10 deletions(-) + +diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps +index 1182f53..ec5db61 100644 +--- a/Resource/Init/gs_dps1.ps ++++ b/Resource/Init/gs_dps1.ps +@@ -21,7 +21,7 @@ level2dict begin + % ------ Virtual memory ------ % + + /currentshared /.currentglobal load def +-/scheck /.gcheck load def ++/scheck {.gcheck} bind odef + %****** FOLLOWING IS WRONG ****** + /shareddict currentdict /globaldict .knownget not { 20 dict } if def + +diff --git a/psi/interp.c b/psi/interp.c +index d60c733..6dc0dda 100644 +--- a/psi/interp.c ++++ b/psi/interp.c +@@ -677,6 +677,8 @@ again: + epref = &doref; + /* Push the error object on the operand stack if appropriate. */ + if (!GS_ERROR_IS_INTERRUPT(code)) { ++ byte buf[260], *bufptr; ++ uint rlen; + /* Replace the error object if within an oparray or .errorexec. */ + osp++; + if (osp >= ostop) { +@@ -685,23 +687,36 @@ again: + } + *osp = *perror_object; + errorexec_find(i_ctx_p, osp); +- /* If using SAFER, hand a name object to the error handler, rather than the executable +- * object/operator itself. 
+- */ +- if (i_ctx_p->LockFilePermissions) { ++ ++ if (!r_has_type(osp, t_string) && !r_has_type(osp, t_name)) { + code = obj_cvs(imemory, osp, buf + 2, 256, &rlen, (const byte **)&bufptr); + if (code < 0) { + const char *unknownstr = "--unknown--"; + rlen = strlen(unknownstr); + memcpy(buf, unknownstr, rlen); ++ bufptr = buf; + } + else { +- buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-'; +- rlen += 4; ++ ref *tobj; ++ bufptr[rlen] = '\0'; ++ /* Only pass a name object if the operator doesn't exist in systemdict ++ * i.e. it's an internal operator we have hidden ++ */ ++ code = dict_find_string(systemdict, (const char *)bufptr, &tobj); ++ if (code < 0) { ++ buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-'; ++ rlen += 4; ++ bufptr = buf; ++ } ++ else { ++ bufptr = NULL; ++ } ++ } ++ if (bufptr) { ++ code = name_ref(imemory, buf, rlen, osp, 1); ++ if (code < 0) ++ make_null(osp); + } +- code = name_ref(imemory, buf, rlen, osp, 1); +- if (code < 0) +- make_null(osp); + } + } + goto again; +-- +2.17.2 + + +From a5a9bf8c6a63aa4ac6874234fe8cd63e72077291 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Wed, 10 Oct 2018 23:25:51 +0100 +Subject: [PATCH 5/6] Bug 699938: .loadfontloop must be an operator + +In the fix for Bug 699816, I omitted to make .loadfontloop into an operator, to +better hide .forceundef and .putgstringcopy. 
+--- + Resource/Init/gs_fonts.ps | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps +index 89c3ab7..72feff2 100644 +--- a/Resource/Init/gs_fonts.ps ++++ b/Resource/Init/gs_fonts.ps +@@ -1148,7 +1148,7 @@ $error /SubstituteFont { } put + + } loop % end of loop + +- } bind executeonly def % must be bound and hidden for .putgstringcopy ++ } bind executeonly odef % must be bound and hidden for .putgstringcopy + + currentdict /.putgstringcopy .undef + +-- +2.17.2 + + +From 2756f0efae1d3966989b15a6526c5d80848b5015 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Wed, 28 Nov 2018 17:12:08 +0000 +Subject: [PATCH 6/6] Bug 700290: Fix problems with DELAYBIND and font + substitution + +Judicious use of immediate evaluation for .setnativefontmapbuilt and +.putgstringcopy to avoid problems with DELAYBIND +--- + Resource/Init/gs_fonts.ps | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps +index 72feff2..7a57366 100644 +--- a/Resource/Init/gs_fonts.ps ++++ b/Resource/Init/gs_fonts.ps +@@ -419,7 +419,7 @@ systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt + } forall + } if + % record that we've been run +- //true .setnativefontmapbuilt ++ //true //.setnativefontmapbuilt + } ifelse + } bind def + currentdict /.setnativefontmapbuilt .forceundef +@@ -1103,7 +1103,7 @@ $error /SubstituteFont { } put + + % Check to make sure the font was actually loaded. + dup 3 index .fontknownget +- { dup /PathLoad 4 index .putgstringcopy ++ { dup /PathLoad 4 index //.putgstringcopy + 4 1 roll pop pop pop //true exit + } if + +@@ -1115,7 +1115,7 @@ $error /SubstituteFont { } put + { % Stack: origfontname fontdirectory path filefontname + 2 index 1 index .fontknownget + { % Yes. 
Stack: origfontname fontdirectory path filefontname fontdict +- dup 4 -1 roll /PathLoad exch .putgstringcopy ++ dup 4 -1 roll /PathLoad exch //.putgstringcopy + % Stack: origfontname fontdirectory filefontname fontdict + 3 -1 roll pop + % Stack: origfontname filefontname fontdict +@@ -1149,8 +1149,7 @@ $error /SubstituteFont { } put + } loop % end of loop + + } bind executeonly odef % must be bound and hidden for .putgstringcopy +- +-currentdict /.putgstringcopy .undef ++currentdict /.putgstringcopy .forceundef + + % Define a procedure to load all known fonts. + % This isn't likely to be very useful. +-- +2.17.2 + diff --git a/SOURCES/ghostscript-cve-2018-18073.patch b/SOURCES/ghostscript-cve-2018-18073.patch new file mode 100644 index 0000000..846afed --- /dev/null +++ b/SOURCES/ghostscript-cve-2018-18073.patch 
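Review bot: In PATCH 3/6 (gs_init.ps), the self-removal inside `.setsafererrors` names an identifier that is never defined: the procedure is created as `/.setsafererrors`, but its body runs `systemdict /.setsafeerrors .forceundef`, so after `-dSAFERERRORS` or an explicit call the operator remains defined and callable in systemdict, contrary to the patch description that says it is removed. The line should read `systemdict /.setsafererrors .forceundef`. In the same patch's interp.c hunk, `buf`, `bufptr` and `rlen` are used before any declaration; the declarations `byte buf[260], *bufptr;` and `uint rlen;` only arrive in PATCH 4/6, so the series is only buildable when applied as a whole, which the packaging does but which deserves a note in the patch header. The `.setsafererrors` definition and the interp.c `again:` handler both continue outside the lines quoted in those hunks.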
@@ -0,0 +1,289 @@
+From c76bf1cb7cc419534006631ea139ae20801fd824 Mon Sep 17 00:00:00 2001
+From: Nancy Durgin
+Date: Tue, 18 Sep 2018 11:54:58 -0700
+Subject: [PATCH 1/3] Undefine some additional internal operators.
+
+.type, .writecvs, .setSMask, .currentSMask
+
+These don't seem to be referenced anywhere outside of the initialization code,
+which binds their usages. Passes cluster if they are removed.
+---
+ Resource/Init/gs_init.ps | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index 55d6923..4aff036 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2212,6 +2212,7 @@ SAFER { .setsafeglobal } if
+ /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
+ /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
+ /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice
++ /.type /.writecvs /.setSMask /.currentSMask
+
+ % Used by a free user in the Library of Congress. Apparently this is used to
+ % draw a partial page, which is then filled in by the results of a barcode
+@@ -2230,7 +2231,7 @@ SAFER { .setsafeglobal } if
+ % test files/utilities, or engineers expressed a desire to keep them visible.
+ %
+ %/currentdevice /.sort /.buildfont0 /.buildfont1 /.buildfont2 /.buildfont3 /.buildfont4 /.buildfont9 /.buildfont10 /.buildfont11
+- %/.buildfotn32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors
++ %/.buildfont32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors
+ %/currentdevice /.quit /.setuseciecolor /.needinput /.setoverprintmode /.special_op /.dicttomark /.knownget
+ %/.FAPIavailable /.FAPIpassfont /.FAPIrebuildfont /.FAPIBuildGlyph /.FAPIBuildChar /.FAPIBuildGlyph9
+ %/.tempfile /.numicc_components /.set_outputintent /.max /.min /.vmreclaim /.getpath /.setglobal
+--
+2.17.2
+
+
+From f8ccc7dfb990336b1ca55f65f2e1a8ecdcb76adf Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Tue, 25 Sep 2018 15:38:14 +0100
+Subject: [PATCH 2/3] Bug 699793: Hide the .needinput operator
+
+This removes the .needinput operator from systemdict, ensuring it can only
+be used in the initialization code, and not called erroneously from random
+Postscript.
+---
+ Resource/Init/gs_init.ps | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index 4aff036..6a5c1df 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -831,12 +831,26 @@ userdict /.currentresourcefile //null put
+ /.runstring {
+ 0 0 .systemvmstring .systemvmSFD cvx { .runexec } execute0
+ } bind def
++
+ % Define the procedure that the C code uses to set up for executing
+ % a string that may be received in pieces.
++%
++% Immediate evaluation doesn't work on operators (like .needinput)
++% so calling .runstringbegin will throw an undefined error if we
++% undefined .needinput so it cannot be accessed outside the init
++% code. But, we can store the operator in an array, use immediate
++% evaluation on the array to get the operator, then undefined the
++% array (and because they are both of the same name, the operator
++% get undefined too).
++% This prevents random Postscript from erroneously calling .needinput
++% and forcing the interpreter into an invalid state.
++/.needinput
++1 .systemvmarray dup 0 /.needinput load put
++def
+ /.runstringbegin {
+- 1 .systemvmarray dup 0 /.needinput load put cvx % { .needinput } in systemvm
++ 1 .systemvmarray dup 0 //.needinput 0 get put cvx % { .needinput } in systemvm
+ 0 0 .systemvmstring .systemvmSFD cvx .runexec
+-} bind def
++} bind executeonly def
+
+ % Define a special version of runlibfile that aborts on errors.
+ /runlibfile0
+@@ -2212,7 +2226,7 @@ SAFER { .setsafeglobal } if
+ /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
+ /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
+ /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice
+- /.type /.writecvs /.setSMask /.currentSMask
++ /.type /.writecvs /.setSMask /.currentSMask /.needinput
+
+ % Used by a free user in the Library of Congress. Apparently this is used to
+ % draw a partial page, which is then filled in by the results of a barcode
+--
+2.17.2
+
+
+From 34cc326eb2c5695833361887fe0b32e8d987741c Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Wed, 10 Oct 2018 15:38:10 +0100
+Subject: [PATCH 3/3] Bug 699927: don't include operator arrays in execstack
+ output
+
+When we transfer the contents of the execution stack into the array, take the
+extra step of replacing any operator arrays on the stack with the operator
+that reference them.
+
+This prevents the contents of Postscript defined, internal only operators (those
+created with .makeoperator) being exposed via execstack (and thus, via error
+handling).
+
+This necessitates a change in the resource remapping 'resource', which contains
+a procedure which relies on the contents of the operators arrays being present.
+As we already had internal-only variants of countexecstack and execstack
+(.countexecstack and .execstack) - using those, and leaving thier operation
+including the operator arrays means the procedure continues to work correctly.
+
+Both .countexecstack and .execstack are undefined after initialization.
+
+Also, when we store the execstack (or part thereof) for an execstackoverflow
+error, make the same oparray/operator substitution as above for execstack.
+---
+ Resource/Init/gs_init.ps | 4 ++--
+ Resource/Init/gs_resmp.ps | 2 +-
+ psi/int.mak | 2 +-
+ psi/interp.c | 14 +++++++++++---
+ psi/interp.h | 2 ++
+ psi/zcontrol.c | 13 ++++++++++---
+ 6 files changed, 27 insertions(+), 10 deletions(-)
+
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index 6a5c1df..5bec480 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2187,7 +2187,7 @@ SAFER { .setsafeglobal } if
+ %% but can be easily restored (just delete the name from the list in the array). In future
+ %% we may remove the operator and the code implementation entirely.
+ [
+- /.bitadd /.charboxpath /.cond /.countexecstack /.execstack /.runandhide /.popdevicefilter
++ /.bitadd /.charboxpath /.cond /.runandhide /.popdevicefilter
+ /.execfile /.filenamesplit /.file_name_parent
+ /.setdefaultmatrix /.isprocfilter /.unread /.psstringencode
+ /.buildsampledfunction /.isencapfunction /.currentaccuratecurves /.currentcurvejoin /.currentdashadapt /.currentdotlength
+@@ -2226,7 +2226,7 @@ SAFER { .setsafeglobal } if
+ /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
+ /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
+ /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice
+- /.type /.writecvs /.setSMask /.currentSMask /.needinput
++ /.type /.writecvs /.setSMask /.currentSMask /.needinput /.countexecstack /.execstack
+
+ % Used by a free user in the Library of Congress. Apparently this is used to
+ % draw a partial page, which is then filled in by the results of a barcode
+diff --git a/Resource/Init/gs_resmp.ps b/Resource/Init/gs_resmp.ps
+index 7cacaf8..9bb4263 100644
+--- a/Resource/Init/gs_resmp.ps
++++ b/Resource/Init/gs_resmp.ps
+@@ -183,7 +183,7 @@ setpacking
+ % We don't check them.
+
+ currentglobal //false setglobal % bGlobal
+- countexecstack array execstack % bGlobal [execstack]
++ //false .countexecstack array //false .execstack % bGlobal [execstack]
+ dup //null exch % bGlobal [execstack] null [execstack]
+ length 3 sub -1 0 { % bGlobal [execstack] null i
+ 2 index exch get % bGlobal [execstack] null proc
+diff --git a/psi/int.mak b/psi/int.mak
+index 5d9b3d5..6ab5bf0 100644
+--- a/psi/int.mak
++++ b/psi/int.mak
+@@ -323,7 +323,7 @@ $(PSOBJ)zarray.$(OBJ) : $(PSSRC)zarray.c $(OP) $(memory__h)\
+
+ $(PSOBJ)zcontrol.$(OBJ) : $(PSSRC)zcontrol.c $(OP) $(string__h)\
+ $(estack_h) $(files_h) $(ipacked_h) $(iutil_h) $(store_h) $(stream_h)\
+- $(INT_MAK) $(MAKEDIRS)
++ $(interp_h) $(INT_MAK) $(MAKEDIRS)
+ $(PSCC) $(PSO_)zcontrol.$(OBJ) $(C_) $(PSSRC)zcontrol.c
+
+ $(PSOBJ)zdict.$(OBJ) : $(PSSRC)zdict.c $(OP)\
+diff --git a/psi/interp.c b/psi/interp.c
+index 3dd5f7a..1dec9b6 100644
+--- a/psi/interp.c
++++ b/psi/interp.c
+@@ -142,7 +142,6 @@ static int oparray_pop(i_ctx_t *);
+ static int oparray_cleanup(i_ctx_t *);
+ static int zerrorexec(i_ctx_t *);
+ static int zfinderrorobject(i_ctx_t *);
+-static int errorexec_find(i_ctx_t *, ref *);
+ static int errorexec_pop(i_ctx_t *);
+ static int errorexec_cleanup(i_ctx_t *);
+ static int zsetstackprotect(i_ctx_t *);
+@@ -737,7 +736,7 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr)
+ {
+ uint size = ref_stack_count(pstack) - skip;
+ uint save_space = ialloc_space(idmemory);
+- int code;
++ int code, i;
+
+ if (size > 65535)
+ size = 65535;
+@@ -746,6 +745,15 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr)
+ if (code >= 0)
+ code = ref_stack_store(pstack, arr, size, 0, 1, true, idmemory,
+ "copy_stack");
++ /* If we are copying the exec stack, try to replace any oparrays with
++ * with the operator than references them
++ */
++ if (pstack == &e_stack) {
++ for (i = 0; i < size; i++) {
++ if (errorexec_find(i_ctx_p, &arr->value.refs[i]) < 0)
++ make_null(&arr->value.refs[i]);
++ }
++ }
+ ialloc_set_space(idmemory, save_space);
+ return code;
+ }
+@@ -1910,7 +1918,7 @@ zfinderrorobject(i_ctx_t *i_ctx_p)
+ * .errorexec with errobj != null, store it in *perror_object and return 1,
+ * otherwise return 0;
+ */
+-static int
++int
+ errorexec_find(i_ctx_t *i_ctx_p, ref *perror_object)
+ {
+ long i;
+diff --git a/psi/interp.h b/psi/interp.h
+index e9275b9..4f551d1 100644
+--- a/psi/interp.h
++++ b/psi/interp.h
+@@ -91,5 +91,7 @@ void gs_interp_reset(i_ctx_t *i_ctx_p);
+ /* Define the top-level interface to the interpreter. */
+ int gs_interpret(i_ctx_t **pi_ctx_p, ref * pref, int user_errors,
+ int *pexit_code, ref * perror_object);
++int
++errorexec_find(i_ctx_t *i_ctx_p, ref *perror_object);
+
+ #endif /* interp_INCLUDED */
+diff --git a/psi/zcontrol.c b/psi/zcontrol.c
+index 36da22c..0362cf4 100644
+--- a/psi/zcontrol.c
++++ b/psi/zcontrol.c
+@@ -24,6 +24,7 @@
+ #include "ipacked.h"
+ #include "iutil.h"
+ #include "store.h"
++#include "interp.h"
+
+ /* Forward references */
+ static int check_for_exec(const_os_ptr);
+@@ -787,7 +788,7 @@ zexecstack2(i_ctx_t *i_ctx_p)
+ /* Continuation operator to do the actual transfer. */
+ /* r_size(op1) was set just above. */
+ static int
+-do_execstack(i_ctx_t *i_ctx_p, bool include_marks, os_ptr op1)
++do_execstack(i_ctx_t *i_ctx_p, bool include_marks, bool include_oparrays, os_ptr op1)
+ {
+ os_ptr op = osp;
+ ref *arefs = op1->value.refs;
+@@ -829,6 +830,12 @@ do_execstack(i_ctx_t *i_ctx_p, bool include_marks, os_ptr op1)
+ strlen(tname), (const byte *)tname);
+ break;
+ }
++ case t_array:
++ case t_shortarray:
++ case t_mixedarray:
++ if (!include_oparrays && errorexec_find(i_ctx_p, rq) < 0)
++ make_null(rq);
++ break;
+ default:
+ ;
+ }
+@@ -841,14 +848,14 @@ execstack_continue(i_ctx_t *i_ctx_p)
+ {
+ os_ptr op = osp;
+
+- return do_execstack(i_ctx_p, false, op);
++ return do_execstack(i_ctx_p, false, false, op);
+ }
+ static int
+ execstack2_continue(i_ctx_t *i_ctx_p)
+ {
+ os_ptr op = osp;
+
+- return do_execstack(i_ctx_p, op->value.boolval, op - 1);
++ return do_execstack(i_ctx_p, op->value.boolval, true, op - 1);
+ }
+
+ /* - .needinput - */
+--
+2.17.2
+
diff --git a/SOURCES/ghostscript-cve-2018-18284.patch b/SOURCES/ghostscript-cve-2018-18284.patch
new file mode 100644
index 0000000..8e765f5
--- /dev/null
+++ b/SOURCES/ghostscript-cve-2018-18284.patch
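Review bot: In copy_stack (psi/interp.c, hunk @@ -746,6 +745,15 @@) the new oparray-replacement loop runs even when the preceding allocation or ref_stack_store failed, so `arr->value.refs[i]` is read from an array that may never have been filled; the loop should be conditioned on success, `if (code >= 0 && pstack == &e_stack) {`. The loop also compares the `int` counter `i` against the `uint` `size`, which is a signed/unsigned mismatch better avoided by declaring `i` as `uint`. copy_stack's opening lines are outside the hunk. The same errorexec_find-or-make_null substitution appears in do_execstack in psi/zcontrol.c without a comment; a one-liner such as `/* hide oparray bodies: they expose internal-only operators via execstack */` next to the new `case t_array:` arm would record why the array is nulled rather than copied.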
@@ -0,0 +1,240 @@
+From 8d19fdf63f91f50466b08f23e2d93d37a4c5ea0b Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Mon, 15 Oct 2018 11:28:28 +0100
+Subject: [PATCH] Make .forceput unavailable from '.policyprocs' helper
+ dictionary
+
+Bug #69963 "1Policy is a dangerous operator, any callers should be odef"
+
+Leaving the .policyprocs dictionary with a procedure which is a simple
+wrapper for .forceput effectively leaves .forceput available.
+
+It seems that the only reason to have .policyprocs is to minimise the
+code in .applypolicies, so we can remove the dictionary and put the
+code straight into .applypolicies, which we can then bind and make
+executeonly, which hides the .forceput. Also, since we don't need
+.applypolicies after startup, we can undefine that from systemdict too.
+
+While we're here, review all the uses of .force* to make certain that
+there are no other similar cases. This showed a few places where we
+hadn't made a function executeonly, so do that too. Its probably not
+required, since I'm reasonably sure its impossible to load those
+functions as packed arrays (they are all defined as operators), but lets
+have a belt and braces approach, the additional time cost is negligible.
+---
+ Resource/Init/gs_diskn.ps | 2 +-
+ Resource/Init/gs_dps.ps | 2 +-
+ Resource/Init/gs_epsf.ps | 2 +-
+ Resource/Init/gs_fonts.ps | 4 +-
+ Resource/Init/gs_init.ps | 2 +-
+ Resource/Init/gs_setpd.ps | 100 ++++++++++++++++++++------------------
+ 6 files changed, 58 insertions(+), 54 deletions(-)
+
+diff --git a/Resource/Init/gs_diskn.ps b/Resource/Init/gs_diskn.ps
+index 26ec0b5..fd694bc 100644
+--- a/Resource/Init/gs_diskn.ps
++++ b/Resource/Init/gs_diskn.ps
+@@ -61,7 +61,7 @@ systemdict begin
+ % doesn't get run enough to justify the complication
+ //.putdevparams
+ //systemdict /.searchabledevs .forceundef
+-} .bind odef % must be bound and hidden for .forceundef
++} .bind executeonly odef % must be bound and hidden for .forceundef
+
+ % ------ extend filenameforall to handle wildcards in %dev% part of pattern -------%
+ /filenameforall {
+diff --git a/Resource/Init/gs_dps.ps b/Resource/Init/gs_dps.ps
+index daf7b0f..00c14d5 100644
+--- a/Resource/Init/gs_dps.ps
++++ b/Resource/Init/gs_dps.ps
+@@ -124,7 +124,7 @@
+ /savedinitialgstate .systemvar setgstate gsave
+ % Wrap up.
+ end .setglobal
+-} odef
++} bind executeonly odef
+
+ % Check whether an object is a procedure.
+ /.proccheck { % .proccheck
+diff --git a/Resource/Init/gs_epsf.ps b/Resource/Init/gs_epsf.ps
+index e4037d9..2d0f677 100644
+--- a/Resource/Init/gs_epsf.ps
++++ b/Resource/Init/gs_epsf.ps
+@@ -31,7 +31,7 @@
+ /EPSBoundingBoxState 5 def
+ /EPSBoundingBoxSetState {
+ //systemdict /EPSBoundingBoxState 3 -1 roll .forceput
+-} .bind odef % .forceput must be bound and hidden
++} .bind executeonly odef % .forceput must be bound and hidden
+
+ % Parse 4 numbers for a bounding box
+ /EPSBoundingBoxParse { % (llx lly urx ury) -- llx lly urx ury true OR false
+diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
+index 7a57366..052a191 100644
+--- a/Resource/Init/gs_fonts.ps
++++ b/Resource/Init/gs_fonts.ps
+@@ -583,7 +583,7 @@ buildfontdict 3 /.buildfont3 cvx put
+ } bind def
+ /.setloadingfont {
+ //systemdict /.loadingfont 3 -1 roll .forceput
+-} .bind odef % .forceput must be bound and hidden
++} .bind executeonly odef % .forceput must be bound and hidden
+ /.loadfont
+ { % Some buggy fonts leave extra junk on the stack,
+ % so we have to make a closure that records the stack depth
+@@ -1012,7 +1012,7 @@ $error /SubstituteFont { } put
+ dup length string copy
+ .forceput setglobal
+ } ifelse
+-} .bind odef % must be bound and hidden for .forceput
++} .bind executeonly odef % must be bound and hidden for .forceput
+
+ % Attempt to load a font from a file.
+ /.tryloadfont { % .tryloadfont true
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index 2114a2a..0b900e6 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2244,7 +2244,7 @@ SAFER { .setsafeglobal } if
+ /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
+ /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
+ /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice
+- /.type /.writecvs /.setSMask /.currentSMask /.needinput /.countexecstack /.execstack
++ /.type /.writecvs /.setSMask /.currentSMask /.needinput /.countexecstack /.execstack /.applypolicies
+
+ % Used by a free user in the Library of Congress. Apparently this is used to
+ % draw a partial page, which is then filled in by the results of a barcode
+diff --git a/Resource/Init/gs_setpd.ps b/Resource/Init/gs_setpd.ps
+index fab8b84..71eb622 100644
+--- a/Resource/Init/gs_setpd.ps
++++ b/Resource/Init/gs_setpd.ps
+@@ -609,6 +609,23 @@ NOMEDIAATTRS {
+ % and we replace the key in the dictionary with its prior value
+ % (or remove it if it had no prior value).
+
++% These procedures are called with the following on the stack:
++%
++% They are expected to consume the top 2 operands.
++% NOTE: we currently treat all values other than 0, 1, or 7 (for PageSize)
++% the same as 0, i.e., we signal an error.
++/0Policy { % Set errorinfo and signal a configurationerror.
++ NOMEDIAATTRS {
++ % NOMEDIAATTRS means that the default policy is 7...
++ pop 2 index exch 7 put
++ } {
++ pop dup 4 index exch get 2 array astore
++ $error /errorinfo 3 -1 roll put
++ cleartomark
++ /setpagedevice .systemvar /configurationerror signalerror
++ } ifelse
++} bind executeonly odef
++
+ % Making this an operator means we can properly hide
+ % the contents - specifically .forceput
+ /1Policy
+@@ -617,59 +634,46 @@ NOMEDIAATTRS {
+ SETPDDEBUG { (Rolling back.) = pstack flush } if
+ 3 index 2 index 3 -1 roll .forceput
+ 4 index 1 index .knownget
+- { 4 index 3 1 roll .forceput }
+- { 3 index exch .undef }
++ { 4 index 3 1 roll .forceput }
++ { 3 index exch .undef }
+ ifelse
+ } bind executeonly odef
+
+-/.policyprocs mark
+-% These procedures are called with the following on the stack:
+-%
+-% They are expected to consume the top 2 operands.
+-% NOTE: we currently treat all values other than 0, 1, or 7 (for PageSize)
+-% the same as 0, i.e., we signal an error.
+-%
+-% M. Sweet, Easy Software Products:
+-%
+-% Define NOMEDIAATTRS to turn off the default (but unimplementable) media
+-% selection policies for setpagedevice. This is used by CUPS to support
+-% the standard Adobe media attributes.
+- 0 { % Set errorinfo and signal a configurationerror.
+- NOMEDIAATTRS {
+- % NOMEDIAATTRS means that the default policy is 7...
+- pop 2 index exch 7 put
+- } {
+- pop dup 4 index exch get 2 array astore
+- $error /errorinfo 3 -1 roll put
+- cleartomark
+- /setpagedevice .systemvar /configurationerror signalerror
+- } ifelse
+- } bind
+- 1 /1Policy load
+- 7 { % For PageSize only, just impose the request.
+- 1 index /PageSize eq
+- { pop pop 1 index /PageSize 7 put }
+- { .policyprocs 0 get exec }
+- ifelse
+- } bind
+-.dicttomark readonly def
+-currentdict /1Policy undef
++/7Policy { % For PageSize only, just impose the request.
++ 1 index /PageSize eq
++ { pop pop 1 index /PageSize 7 put }
++ { .policyprocs 0 get exec }
++ ifelse
++} bind executeonly odef
+
+ /.applypolicies % .applypolicies
+ %
+- { 1 index /Policies get 1 index
+- { type /integertype eq
+- { pop % already processed
+- }
+- { 2 copy .knownget not { 1 index /PolicyNotFound get } if
+- % Stack:
+- %
+- .policyprocs 1 index .knownget not { .policyprocs 0 get } if exec
+- }
+- ifelse
+- }
+- forall pop
+- } bind def
++{
++ 1 index /Policies get 1 index
++ { type /integertype eq
++ {
++ pop % already processed
++ }{
++ 2 copy .knownget not { 1 index /PolicyNotFound get } if
++ % Stack:
++ %
++ dup 1 eq {
++ 1Policy
++ }{
++ dup 7 eq {
++ 7Policy
++ }{
++ 0Policy
++ } ifelse
++ } ifelse
++ } ifelse
++ }
++ forall pop
++} bind executeonly odef
++
++currentdict /0Policy undef
++currentdict /1Policy undef
++currentdict /7Policy undef
+
+ % Prepare to present parameters to the device, by spreading them onto the
+ % operand stack and removing any that shouldn't be presented.
+@@ -1012,7 +1016,7 @@ SETPDDEBUG { (Installing.) = pstack flush } if
+ .postinstall
+ } ifelse
+ setglobal % return to original VM allocation mode
+-} odef
++} bind executeonly odef
+
+ % We break out the code after calling the Install procedure into a
+ % separate procedure, since it is executed even if Install causes an error.
+--
+2.17.2
+
diff --git a/SOURCES/ghostscript-cve-2018-19134.patch b/SOURCES/ghostscript-cve-2018-19134.patch
new file mode 100644
index 0000000..98f378a
--- /dev/null
+++ b/SOURCES/ghostscript-cve-2018-19134.patch
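Review bot: The new `/7Policy` in gs_setpd.ps keeps the fallback branch `{ .policyprocs 0 get exec }`, but the same hunk deletes the `.policyprocs` dictionary, so a Policies value of 7 for any key other than /PageSize would raise undefined instead of reaching the configurationerror path; the branch should invoke the operator defined just above it, `{ 0Policy }`. Because 7Policy is `bind`-ed at definition time, that reference is resolved before the trailing `currentdict /0Policy undef` removes the name. The comment block moved above `/0Policy` ("called with the following on the stack:") has lost its stack description, presumably in extraction, so restating the expected operands in that comment would make the three `*Policy` operators self-describing.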
@@ -0,0 +1,153 @@
+From 693baf02152119af6e6afd30bb8ec76d14f84bbf Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Thu, 8 Nov 2018 14:43:32 +0000
+Subject: [PATCH] PS interpreter - check the Implementation of a Pattern before
+ use
+
+Bug #700141 "Type confusion in setpattern"
+
+As the bug thread says, we were not checking that the Implementation
+of a pattern dictionary was a structure type, leading to a crash when
+we tried to treat it as one.
+
+Here we make the st_pattern1_instance and st_pattern2_instance
+structures public definitions and in zsetcolor we check the object
+stored under the Implementation key in the supplied dictionary to see if
+its a t_struct or t_astruct type, and if it is that its a
+st_pattern1_instance or st_pattern2_instance structure.
+
+If either check fails we throw a typecheck error.
+
+We need to make the st_pattern1_instance and st_pattern2_instance
+definitions public as they are defined in the graphics library and we
+need to check in the interpreter.
+---
+ base/gsptype1.c | 2 +-
+ base/gsptype2.c | 6 +++---
+ base/gsptype2.h | 4 ++--
+ base/gxcolor2.h | 4 ++--
+ psi/zcolor.c | 11 ++++++++---
+ 5 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/base/gsptype1.c b/base/gsptype1.c
+index 27fdd5a..e98dde1 100644
+--- a/base/gsptype1.c
++++ b/base/gsptype1.c
+@@ -50,7 +50,7 @@
+
+ /* GC descriptors */
+ private_st_pattern1_template();
+-private_st_pattern1_instance();
++public_st_pattern1_instance();
+
+ /* GC procedures */
+ static ENUM_PTRS_BEGIN(pattern1_instance_enum_ptrs) {
+diff --git a/base/gsptype2.c b/base/gsptype2.c
+index 791e538..c53eb2e 100644
+--- a/base/gsptype2.c
++++ b/base/gsptype2.c
+@@ -33,7 +33,7 @@
+
+ /* GC descriptors */
+ private_st_pattern2_template();
+-private_st_pattern2_instance();
++public_st_pattern2_instance();
+
+ /* GC procedures */
+ static ENUM_PTRS_BEGIN(pattern2_instance_enum_ptrs) {
+@@ -206,10 +206,10 @@ gs_pattern2_set_color(const gs_client_color * pcc, gs_gstate * pgs)
+
+ pinst->saved->overprint_mode = pgs->overprint_mode;
+ pinst->saved->overprint = pgs->overprint;
+-
++
+ num_comps = pgs->device->color_info.num_components;
+ for (k = 0; k < num_comps; k++) {
+- pgs->color_component_map.color_map[k] =
++ pgs->color_component_map.color_map[k] =
+ pinst->saved->color_component_map.color_map[k];
+ }
+ code = pcs->type->set_overprint(pcs, pgs);
+diff --git a/base/gsptype2.h b/base/gsptype2.h
+index f0f26d1..4186201 100644
+--- a/base/gsptype2.h
++++ b/base/gsptype2.h
+@@ -57,8 +57,8 @@ typedef struct gs_pattern2_instance_s {
+ bool shfill;
+ } gs_pattern2_instance_t;
+
+-#define private_st_pattern2_instance() /* in gsptype2.c */\
+- gs_private_st_composite(st_pattern2_instance, gs_pattern2_instance_t,\
++#define public_st_pattern2_instance() /* in gsptype2.c */\
++ gs_public_st_composite(st_pattern2_instance, gs_pattern2_instance_t,\
+ "gs_pattern2_instance_t", pattern2_instance_enum_ptrs,\
+ pattern2_instance_reloc_ptrs)
+
+diff --git a/base/gxcolor2.h b/base/gxcolor2.h
+index 62ec05e..d5b1095 100644
+--- a/base/gxcolor2.h
++++ b/base/gxcolor2.h
+@@ -92,8 +92,8 @@ struct gs_pattern1_instance_s {
+ gx_bitmap_id id; /* key for cached bitmap (= id of mask) */
+ };
+
+-#define private_st_pattern1_instance() /* in gsptype1.c */\
+- gs_private_st_composite(st_pattern1_instance, gs_pattern1_instance_t,\
++#define public_st_pattern1_instance() /* in gsptype1.c */\
++ gs_public_st_composite(st_pattern1_instance, gs_pattern1_instance_t,\
+ "gs_pattern1_instance_t", pattern1_instance_enum_ptrs,\
+ pattern1_instance_reloc_ptrs)
+
+diff --git a/psi/zcolor.c b/psi/zcolor.c
+index 7a00d4e..fe81e79 100644
+--- a/psi/zcolor.c
++++ b/psi/zcolor.c
+@@ -65,6 +65,8 @@ static const float default_0_1[] = {0, 1, 0, 1, 0, 1, 0, 1};
+
+ /* imported from gsht.c */
+ extern void gx_set_effective_transfer(gs_gstate *);
++extern_st(st_pattern1_instance);
++extern_st(st_pattern2_instance);
+
+ /* Essential forward declarations */
+ static int validate_spaces(i_ctx_t *i_ctx_p, ref *arr, int *depth);
+@@ -289,6 +291,9 @@ zsetcolor(i_ctx_t * i_ctx_p)
+ code = array_get(imemory, pImpl, 0, &pPatInst);
+ if (code < 0)
+ return code;
++ if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
++ return_error(gs_error_typecheck);
++
+ cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
+ n_numeric_comps = ( pattern_instance_uses_base_space(cc.pattern)
+ ? n_comps - 1
+@@ -4421,7 +4426,7 @@ static int setindexedspace(i_ctx_t * i_ctx_p, ref *r, int *stage, int *cont, int
+ /* If we have a named color profile and the base space is DeviceN or
+ Separation use a different set of procedures to ensure the named
+ color remapping code is used */
+- if (igs->icc_manager->device_named != NULL &&
++ if (igs->icc_manager->device_named != NULL &&
+ (base_type == gs_color_space_index_Separation ||
+ base_type == gs_color_space_index_DeviceN))
+ pcs = gs_cspace_alloc(imemory, &gs_color_space_type_Indexed_Named);
+@@ -5573,7 +5578,7 @@ static int iccompareproc(i_ctx_t *i_ctx_p, ref *space, ref *testspace)
+ return 0;
+
+ /* As a quick check see if current is same as new */
+- if (ICCdict1.value.bytes == ICCdict2.value.bytes)
++ if (ICCdict1.value.bytes == ICCdict2.value.bytes)
+ return 1;
+
+ /* Need to check all the various parts */
+@@ -5593,7 +5598,7 @@ static int iccompareproc(i_ctx_t *i_ctx_p, ref *space, ref *testspace)
+ code2 = dict_find_string(&ICCdict2, "DataSource", &tempref2);
+ if (code2 <= 0)
+ return 0;
+- if (r_size(tempref1) != r_size(tempref2))
++ if (r_size(tempref1) != r_size(tempref2))
+ return 0;
+
+ buff_size = r_size(tempref1);
+--
+2.17.2
+
diff --git a/SOURCES/ghostscript-cve-2018-19409.patch b/SOURCES/ghostscript-cve-2018-19409.patch
new file mode 100644
index 0000000..9accb69
--- /dev/null
+++ b/SOURCES/ghostscript-cve-2018-19409.patch
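Review bot: The new type check in zsetcolor (psi/zcolor.c, hunk @@ -289,6 +291,9 @@) is a single very long condition with no comment saying why an Implementation array that array_get already accepted still needs validating; splitting it at the `||` and the `&&` onto separate lines and prefixing `/* Implementation comes from PostScript: make sure element 0 really is a pattern instance before r_ptr() casts it */` would keep the rationale next to the guard. zsetcolor's body begins and ends outside the hunk, so whether pPatInst is reached on every path cannot be confirmed from here. The remaining hunks in setindexedspace and iccompareproc only strip trailing whitespace and are unrelated to the fix; dropping them from the backport would keep the distro patch minimal and easier to rebase.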
@@ -0,0 +1,322 @@
+From 661e8d8fb8248c38d67958beda32f3a5876d0c3f Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Wed, 14 Nov 2018 09:50:08 +0000
+Subject: [PATCH 1/4] Bug 700176: check the *output* device for
+ LockSafetyParams
+
+When calling .setdevice we were checking if LockSafetyParams was set, and if so
+throwing an invalidaccess error.
+
+The problem is, if another device, for example the pdf14 compositor is the 'top'
+device, that does not (and cannot) honour LockSafetyParams.
+
+To solve this, we'll now use the (relatively new) gxdso_current_output_device
+spec_op to retrieve the *actual* output device, and check the LockSafetyParams
+flag in that.
+---
+ psi/zdevice.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/psi/zdevice.c b/psi/zdevice.c
+index 8d48b74..c276746 100644
+--- a/psi/zdevice.c
++++ b/psi/zdevice.c
+@@ -461,13 +461,17 @@ zputdeviceparams(i_ctx_t *i_ctx_p)
+ int
+ zsetdevice(i_ctx_t *i_ctx_p)
+ {
+- gx_device *dev = gs_currentdevice(igs);
++ gx_device *odev = NULL, *dev = gs_currentdevice(igs);
+ os_ptr op = osp;
+- int code = 0;
++ int code = dev_proc(dev, dev_spec_op)(dev,
++ gxdso_current_output_device, (void *)&odev, 0);
++
++ if (code < 0)
++ return code;
+
+ check_write_type(*op, t_device);
+- if (dev->LockSafetyParams) { /* do additional checking if locked */
+- if(op->value.pdevice != dev) /* don't allow a different device */
++ if (odev->LockSafetyParams) { /* do additional checking if locked */
++ if(op->value.pdevice != odev) /* don't allow a different device */
+ return_error(gs_error_invalidaccess);
+ }
+ dev->ShowpageCount = 0;
+--
+2.17.2
+
+
+From ea1b3ef437f39e45874f821c06bd953196625ac5 Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Wed, 14 Nov 2018 21:04:46 +0000
+Subject: [PATCH 2/4] Bug 700176: Use the actual output device for both devices
+ in setdevice
+
+Also fixes bug 700189.
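Review bot: `odev->LockSafetyParams` is dereferenced on the assumption that a non-negative return from the gxdso_current_output_device spec_op always filled in `odev`; nothing in this hunk guards against a device whose dev_spec_op returns 0 without writing the pointer, which would be a NULL dereference in the very check that enforces LockSafetyParams. Because this is a security gate it should fail closed rather than crash: after the existing `if (code < 0) return code;` add `if (odev == NULL) return_error(gs_error_undefined);`. The later patches in this series that rework zsetdevice do not appear to add such a guard either, and the function's body continues past the hunk.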
+ +The pdf14 compositor device, despite being a forwarding device, does not forward +all spec_ops to it's target, only a select few are special cased for that. +gxdso_current_output_device needs to be included in those special cases. + +The original commit (661e8d8fb8248) changed the code to use the spec_op to +retrieve the output device, checking that for LockSafetyParams. If +LockSafetyParams is set, it returns an invalidaccess error if the new device +differs from the current device. + +When we do the comparison between the two devices, we need to check the +output device in both cases. + +This is complicated by the fact that the new device may not have ever been set +(and thus fully initialised), and may not have a spec_op method available at +that point. +--- + base/gdevp14.c | 3 ++- + psi/zdevice.c | 18 ++++++++++++++++-- + 2 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/base/gdevp14.c b/base/gdevp14.c +index f89bc04..f47ed30 100644 +--- a/base/gdevp14.c ++++ b/base/gdevp14.c +@@ -5618,7 +5618,8 @@ pdf14_dev_spec_op(gx_device *pdev, int dev_spec_op, + return 0; + } + } +- if (dev_spec_op == gxdso_get_dev_param || dev_spec_op == gxdso_restrict_bbox) { ++ if (dev_spec_op == gxdso_get_dev_param || dev_spec_op == gxdso_restrict_bbox ++ || dev_spec_op == gxdso_current_output_device) { + return dev_proc(p14dev->target, dev_spec_op)(p14dev->target, dev_spec_op, data, size); + } + +diff --git a/psi/zdevice.c b/psi/zdevice.c +index c276746..4beda04 100644 +--- a/psi/zdevice.c ++++ b/psi/zdevice.c +@@ -462,16 +462,30 @@ int + zsetdevice(i_ctx_t *i_ctx_p) + { + gx_device *odev = NULL, *dev = gs_currentdevice(igs); ++ gx_device *ndev = NULL; + os_ptr op = osp; + int code = dev_proc(dev, dev_spec_op)(dev, + gxdso_current_output_device, (void *)&odev, 0); + + if (code < 0) + return code; +- + check_write_type(*op, t_device); ++ ++ /* slightly icky special case: the new device may not have had ++ * it's procs initialised, at this point - but we need to 
check ++ * whether we're being asked to change the device here ++ */ ++ if (dev_proc((op->value.pdevice), dev_spec_op) == NULL) ++ ndev = op->value.pdevice; ++ else ++ code = dev_proc((op->value.pdevice), dev_spec_op)(op->value.pdevice, ++ gxdso_current_output_device, (void *)&ndev, 0); ++ ++ if (code < 0) ++ return code; ++ + if (odev->LockSafetyParams) { /* do additional checking if locked */ +- if(op->value.pdevice != odev) /* don't allow a different device */ ++ if(ndev != odev) /* don't allow a different device */ + return_error(gs_error_invalidaccess); + } + dev->ShowpageCount = 0; +-- +2.17.2 + + +From 7c3e7eee829cc3d2582e4aa7ae1fd495ca72cef1 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Mon, 17 Sep 2018 14:06:12 +0100 +Subject: [PATCH 3/4] Implement .currentoutputdevice operator + +The currentdevice operator returns the device currently installed in the +graphics state. This can be the output/page device, but also could be a +forwarding device (bbox device), compositor (pdf14) or subclass device +(erasepage optimisation, First/Last page etc). + +In certain circumstances (for example during a setpagedevice) we want to be +sure we're retrieving the *actual* output/page device. + +The new .currentoutputdevice operator uses the spec_op device method to traverse +any chain of devices and retrieve the final device in the chain, which +should always be the output/page device. 
+--- + Resource/Init/gs_init.ps | 2 +- + Resource/Init/gs_setpd.ps | 8 +++++++- + base/gdevdflt.c | 5 +++++ + base/gxdevsop.h | 4 ++++ + psi/zdevice.c | 30 ++++++++++++++++++++++++++++++ + 5 files changed, 47 insertions(+), 2 deletions(-) + +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index bec307d..55d6923 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2211,7 +2211,7 @@ SAFER { .setsafeglobal } if + /.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring + /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile + /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams +- /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath ++ /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice + + % Used by a free user in the Library of Congress. Apparently this is used to + % draw a partial page, which is then filled in by the results of a barcode +diff --git a/Resource/Init/gs_setpd.ps b/Resource/Init/gs_setpd.ps +index 8fa7c51..aa79b3f 100644 +--- a/Resource/Init/gs_setpd.ps ++++ b/Resource/Init/gs_setpd.ps +@@ -877,7 +877,13 @@ SETPDDEBUG { (Selecting.) = pstack flush } if + % Stack: mark + SETPDDEBUG { (Constructing.) = pstack flush } if + +- currentdevice .devicename 2 index /OutputDevice get eq ++ % Non-obvious: we need to check the name of the output device, to tell ++ % whether we're going to have to replace the entire device chain (which ++ % may be only one device, or may be multiple devices. ++ % If we're not replacing the entire change, we have to use the device in ++ % the graphics state, so the configuration of the entire device chain is ++ % correctly set. 
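Review bot: `.currentoutputdevice` is appended to the name list that follows `SAFER { .setsafeglobal } if`, which from its members looks like the post-initialisation list of internal operators that get undefined (inferred from context, not visible in this hunk). If that is what the list is, the new `.currentoutputdevice` reference added to gs_setpd.ps in this same patch only keeps working because the procedure is `bind`-ed before the names are removed, so please confirm that procedure is in fact bound. A short comment at the gs_setpd.ps call site would save the next reader the same question, e.g. `% .currentoutputdevice is undefined after init - this proc relies on being bound`.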
++ .currentoutputdevice .devicename 2 index /OutputDevice get eq + { currentdevice } + { 1 index /OutputDevice get finddevice } + ifelse +diff --git a/base/gdevdflt.c b/base/gdevdflt.c +index 3cb9fbd..b5bd82b 100644 +--- a/base/gdevdflt.c ++++ b/base/gdevdflt.c +@@ -1044,6 +1044,11 @@ gx_default_dev_spec_op(gx_device *pdev, int dev_spec_op, void *data, int size) + dev_param_req_t *request = (dev_param_req_t *)data; + return gx_default_get_param(pdev, request->Param, request->list); + } ++ case gxdso_current_output_device: ++ { ++ *(gx_device **)data = pdev; ++ return 0; ++ } + } + return_error(gs_error_undefined); + } +diff --git a/base/gxdevsop.h b/base/gxdevsop.h +index cd3b632..27e3e84 100644 +--- a/base/gxdevsop.h ++++ b/base/gxdevsop.h +@@ -327,6 +327,10 @@ enum { + gxdso_JPEG_passthrough_data, + gxdso_JPEG_passthrough_end, + gxdso_supports_iccpostrender, ++ /* Retrieve the last device in a device chain ++ (either forwarding or subclass devices). ++ */ ++ gxdso_current_output_device, + /* Add new gxdso_ keys above this. */ + gxdso_pattern__LAST + }; +diff --git a/psi/zdevice.c b/psi/zdevice.c +index 4beda04..03285dc 100644 +--- a/psi/zdevice.c ++++ b/psi/zdevice.c +@@ -57,6 +57,7 @@ zcopydevice2(i_ctx_t *i_ctx_p) + } + + /* - currentdevice */ ++/* Returns the current device in the graphics state */ + int + zcurrentdevice(i_ctx_t *i_ctx_p) + { +@@ -71,6 +72,34 @@ zcurrentdevice(i_ctx_t *i_ctx_p) + return 0; + } + ++/* - .currentoutputdevice */ ++/* Returns the *output* device - which will often ++ be the same as above, but not always: if a compositor ++ or other forwarding device, or subclassing device is ++ in force, that will be referenced by the graphics state ++ rather than the output device. ++ This is equivalent of currentdevice device, but returns ++ the *device* object, rather than the dictionary describing ++ the device and device state. 
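Review bot: The new comment block above the `.currentoutputdevice .devicename` line has two wording defects that make the rationale harder to follow: "replacing the entire change" should read "replacing the entire chain", and the parenthesis opened at "(which may be only one device" is never closed. Suggested wording for the two affected lines: `% may be only one device, or may be multiple devices).` and `% If we're not replacing the entire chain, we have to use the device in`. The enclosing setpagedevice procedure starts and ends outside this hunk.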
++ */ ++static int ++zcurrentoutputdevice(i_ctx_t *i_ctx_p) ++{ ++ os_ptr op = osp; ++ gx_device *odev = NULL, *dev = gs_currentdevice(igs); ++ gs_ref_memory_t *mem = (gs_ref_memory_t *) dev->memory; ++ int code = dev_proc(dev, dev_spec_op)(dev, ++ gxdso_current_output_device, (void *)&odev, 0); ++ if (code < 0) ++ return code; ++ ++ push(1); ++ make_tav(op, t_device, ++ (mem == 0 ? avm_foreign : imemory_space(mem)) | a_all, ++ pdevice, odev); ++ return 0; ++} ++ + /* .devicename */ + static int + zdevicename(i_ctx_t *i_ctx_p) +@@ -632,6 +661,7 @@ const op_def zdevice_op_defs[] = + { + {"1.copydevice2", zcopydevice2}, + {"0currentdevice", zcurrentdevice}, ++ {"0.currentoutputdevice", zcurrentoutputdevice}, + {"1.devicename", zdevicename}, + {"0.doneshowpage", zdoneshowpage}, + {"0flushpage", zflushpage}, +-- +2.17.2 + + +From 4d98293c72cc5b5fe456065a3252d39e9ab28e4d Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Mon, 19 Nov 2018 09:00:54 +0000 +Subject: [PATCH 4/4] Coverity ID 327264 - move pointer NULL check + +Due to recent changes in this code, the pointer was being dereferenced +before we checked it to see if it was NULL. Moe the check so that we +check for NULL before dereferencing. + +The 'pvalue' of the operand can be NULL, even if the object is a t_device +type, because invalidate_stack_devices traverses the operand stack +looking for devices, and sets their pvalue member to NULL in order to +invalidate them so that they cannot be used. 
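Review bot: `make_tav(op, t_device, ..., pdevice, odev)` will push a t_device object whose `pdevice` is NULL if the spec_op returns 0 without setting `odev`, which is indistinguishable from a device invalidated by restore and will surface later as an error in whatever operator consumes it. Returning an explicit error here is cheaper to diagnose: after the `if (code < 0) return code;` add `if (odev == NULL) return_error(gs_error_undefined);`. Separately, the header comment says "This is equivalent of currentdevice device", which looks like a typo for `currentpagedevice` given that it contrasts the device object with "the dictionary describing the device and device state"; please confirm and reword.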
+---
+ psi/zdevice.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/psi/zdevice.c b/psi/zdevice.c
+index 03285dc..63865f1 100644
+--- a/psi/zdevice.c
++++ b/psi/zdevice.c
+@@ -500,6 +500,9 @@ zsetdevice(i_ctx_t *i_ctx_p)
+ return code;
+ check_write_type(*op, t_device);
+
++ if (op->value.pdevice == 0)
++ return gs_note_error(gs_error_undefined);
++
+ /* slightly icky special case: the new device may not have had
+ * it's procs initialised, at this point - but we need to check
+ * whether we're being asked to change the device here
+@@ -519,9 +522,6 @@ zsetdevice(i_ctx_t *i_ctx_p)
+ }
+ dev->ShowpageCount = 0;
+
+- if (op->value.pdevice == 0)
+- return gs_note_error(gs_error_undefined);
+-
+ code = gs_setdevice_no_erase(igs, op->value.pdevice);
+ if (code < 0)
+ return code;
+--
+2.17.2
+
diff --git a/SOURCES/ghostscript-cve-2018-19475.patch b/SOURCES/ghostscript-cve-2018-19475.patch
new file mode 100644
index 0000000..108ebf2
--- /dev/null
+++ b/SOURCES/ghostscript-cve-2018-19475.patch
@@ -0,0 +1,29 @@
+From aeea342904978c9fe17d85f4906a0f6fcce2d315 Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Mon, 12 Nov 2018 17:21:33 +0000
+Subject: [PATCH] Bug 700153: restore: always check available stack
+
+Previously, we were checking there was enough stack space available when the
+restore operation required a device change, but since we have to use
+Postscript to reset the userparams (ick!), we need the stack check even when
+not changing the device.
+---
+ psi/zdevice2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psi/zdevice2.c b/psi/zdevice2.c
+index 159a0c0..e11b075 100644
+--- a/psi/zdevice2.c
++++ b/psi/zdevice2.c
+@@ -277,7 +277,7 @@ restore_page_device(i_ctx_t *i_ctx_p, const gs_gstate * pgs_old, const gs_gstate
+ samepagedevice = false;
+ }
+
+- if (LockSafetyParams && !samepagedevice) {
++ if (LockSafetyParams) {
+ const int required_ops = 512;
+ const int required_es = 32;
+
+--
+2.17.2
+
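Review bot: The relocated `if (op->value.pdevice == 0)` check carries no comment, so a reader of zsetdevice has no way to know that a t_device with a NULL `pdevice` is a deliberately invalidated object rather than corruption; that rationale currently lives only in the commit message. Suggest a why-comment directly above the check: `/* invalidate_stack_devices NULLs pdevice for devices made stale by restore; reject them before any dev_proc() call below */`. The rest of zsetdevice lies outside this hunk.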
diff --git a/SOURCES/ghostscript-cve-2018-19476.patch b/SOURCES/ghostscript-cve-2018-19476.patch
new file mode 100644
index 0000000..e20e390
--- /dev/null
+++ b/SOURCES/ghostscript-cve-2018-19476.patch
@@ -0,0 +1,666 @@ +From fac7eb144135f3ed8fbb0028ab1f33ce4dcc1985 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Fri, 21 Sep 2018 13:02:56 +0100 +Subject: [PATCH 1/3] Check all uses of dict_find* to ensure 0 return properly + handled + +dict_find and friends have the surprising quirk of returning < 0 for +an error and > 0 for no error. But they can also return 0 which means +'not found' without it being an error. + +From bug 699801, if the code assumes the usual case where 0 is a success +then an attempt might be made to use the empty dictionary slot returned +by dict_find*, which can lead to seg faults, and certainly won't have +the expected result. +--- + psi/icontext.c | 4 ++-- + psi/zcid.c | 6 ++++-- + psi/zfapi.c | 33 ++++++++++++++++++--------------- + psi/zfcid0.c | 39 +++++++++++++++++++++++++++++---------- + psi/zfcid1.c | 14 ++++++++++---- + psi/zicc.c | 4 ++++ + psi/zpdf_r6.c | 31 +++++++++++++++++++++++-------- + psi/ztoken.c | 2 +- + 8 files changed, 91 insertions(+), 42 deletions(-) + +diff --git a/psi/icontext.c b/psi/icontext.c +index 4db78e0..1fbe486 100644 +--- a/psi/icontext.c ++++ b/psi/icontext.c +@@ -162,7 +162,7 @@ context_state_alloc(gs_context_state_t ** ppcst, + uint size; + ref *system_dict = &pcst->dict_stack.system_dict; + +- if (dict_find_string(system_dict, "userparams", &puserparams) >= 0) ++ if (dict_find_string(system_dict, "userparams", &puserparams) > 0) + size = dict_length(puserparams); + else + size = 300; +@@ -286,7 +286,7 @@ context_state_store(gs_context_state_t * pcst) + /* We need i_ctx_p for access to the d_stack. 
*/ + i_ctx_t *i_ctx_p = pcst; + +- if (dict_find_string(systemdict, "userparams", &puserparams) < 0) ++ if (dict_find_string(systemdict, "userparams", &puserparams) <= 0) + return_error(gs_error_Fatal); + pcst->userparams = *puserparams; + } +diff --git a/psi/zcid.c b/psi/zcid.c +index e394877..5c98fc9 100644 +--- a/psi/zcid.c ++++ b/psi/zcid.c +@@ -72,11 +72,13 @@ TT_char_code_from_CID_no_subst(const gs_memory_t *mem, + } else + return false; /* Must not happen. */ + for (;n--; i++) { ++ int code; ++ + if (array_get(mem, DecodingArray, i, &char_code1) < 0 || + !r_has_type(&char_code1, t_integer)) + return false; /* Must not happen. */ +- if (dict_find(TT_cmap, &char_code1, &glyph_index) >= 0 && +- r_has_type(glyph_index, t_integer)) { ++ code = dict_find(TT_cmap, &char_code1, &glyph_index); ++ if (code > 0 && r_has_type(glyph_index, t_integer)) { + *c = glyph_index->value.intval; + found = true; + if (*c != 0) +diff --git a/psi/zfapi.c b/psi/zfapi.c +index 48e1d54..1b687b0 100644 +--- a/psi/zfapi.c ++++ b/psi/zfapi.c +@@ -1826,6 +1826,9 @@ FAPI_get_xlatmap(i_ctx_t *i_ctx_p, char **xlatmap) + + if ((code = dict_find_string(systemdict, ".xlatmap", &pref)) < 0) + return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ + if (r_type(pref) != t_string) + return_error(gs_error_typecheck); + *xlatmap = (char *)pref->value.bytes; +@@ -1881,11 +1884,11 @@ ps_get_server_param(gs_fapi_server *I, const byte *subtype, + ref *FAPIconfig, *options, *server_options; + i_ctx_t *i_ctx_p = (i_ctx_t *) I->client_ctx_p; + +- if (dict_find_string(systemdict, ".FAPIconfig", &FAPIconfig) >= 0 ++ if (dict_find_string(systemdict, ".FAPIconfig", &FAPIconfig) > 0 + && r_has_type(FAPIconfig, t_dictionary)) { +- if (dict_find_string(FAPIconfig, "ServerOptions", &options) >= 0 ++ if (dict_find_string(FAPIconfig, "ServerOptions", &options) > 0 + && r_has_type(options, t_dictionary)) { +- if (dict_find_string(options, (char *)subtype, &server_options) >= ++ if 
(dict_find_string(options, (char *)subtype, &server_options) > + 0 && r_has_type(server_options, t_string)) { + *server_param = (byte *) server_options->value.const_bytes; + *server_param_size = r_size(server_options); +@@ -2070,7 +2073,7 @@ zFAPIrebuildfont(i_ctx_t *i_ctx_p) + pdata = (font_data *) pfont->client_data; + I = pbfont->FAPI; + +- if (dict_find_string((op - 1), "SubfontId", &v) >= 0 ++ if (dict_find_string((op - 1), "SubfontId", &v) > 0 + && r_has_type(v, t_integer)) + subfont = v->value.intval; + else +@@ -2277,8 +2280,8 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum, + if (pbfont->FontType == ft_CID_TrueType && font_file_path) { + ref *pdr2, *fidr, *dummy; + pdr2 = pfont_dict(gs_rootfont(igs)); +- if (dict_find_string(pdr2, "FontInfo", &fidr) && +- dict_find_string(fidr, "GlyphNames2Unicode", &dummy)) ++ if (dict_find_string(pdr2, "FontInfo", &fidr) > 0 && ++ dict_find_string(fidr, "GlyphNames2Unicode", &dummy) > 0) + { + unsigned char uc[4] = {0}; + unsigned int cc = 0; +@@ -2417,13 +2420,13 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum, + + fdict = pfont_dict(gs_rootfont(igs)); + code = dict_find_string(fdict, "CMap", &CMapDict); +- if (code >= 0 && r_has_type(CMapDict, t_dictionary)) { ++ if (code > 0 && r_has_type(CMapDict, t_dictionary)) { + code = dict_find_string(CMapDict, "WMode", &WMode); +- if (code >= 0 && r_has_type(WMode, t_integer)) { ++ if (code > 0 && r_has_type(WMode, t_integer)) { + wmode = WMode->value.intval; + } + code = dict_find_string(CMapDict, "CMapName", &CMapName); +- if (code >= 0 && r_has_type(CMapName, t_name)) { ++ if (code > 0 && r_has_type(CMapName, t_name)) { + name_string_ref(imemory, CMapName, &CMapNameStr); + cmapnm = (char *)CMapNameStr.value.bytes; + cmapnmlen = r_size(&CMapNameStr); +@@ -2432,10 +2435,10 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum, + /* We only have to lookup the char code if we're *not* using an identity ordering + with the exception of Identity-UTF16 which is a different beast 
altogether */ + if (unicode_cp || (cmapnmlen > 0 && !strncmp(cmapnm, utfcmap, cmapnmlen > utfcmaplen ? utfcmaplen : cmapnmlen)) +- || (dict_find_string(pdr, "CIDSystemInfo", &CIDSystemInfo) >= 0 ++ || (dict_find_string(pdr, "CIDSystemInfo", &CIDSystemInfo) > 0 + && r_has_type(CIDSystemInfo, t_dictionary) + && dict_find_string(CIDSystemInfo, "Ordering", +- &Ordering) >= 0 ++ &Ordering) > 0 + && r_has_type(Ordering, t_string) + && strncmp((const char *)Ordering->value.bytes, + "Identity", 8) != 0)) { +@@ -2463,7 +2466,7 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum, + ref cc32; + ref *gid; + make_int(&cc32, 32); +- if (dict_find(TT_cmap, &cc32, &gid) >= 0) ++ if (dict_find(TT_cmap, &cc32, &gid) > 0) + c = gid->value.intval; + } + cr->char_codes[0] = c; +@@ -2536,7 +2539,7 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum, + if (dict_find_string(pdr, "CharStrings", &CharStrings) <= 0 + || !r_has_type(CharStrings, t_dictionary)) + return_error(gs_error_invalidfont); +- if ((dict_find(CharStrings, &char_name, &glyph_index) < 0) ++ if ((dict_find(CharStrings, &char_name, &glyph_index) <= 0) + || r_has_type(glyph_index, t_null)) { + #ifdef DEBUG + ref *pvalue; +@@ -2955,7 +2958,7 @@ zFAPIpassfont(i_ctx_t *i_ctx_p) + if (code < 0) + return code; + +- if (dict_find_string(op, "SubfontId", &v) >= 0 ++ if (dict_find_string(op, "SubfontId", &v) > 0 + && r_has_type(v, t_integer)) + subfont = v->value.intval; + else +@@ -2968,7 +2971,7 @@ zFAPIpassfont(i_ctx_t *i_ctx_p) + /* If the font dictionary contains a FAPIPlugInReq key, the the PS world wants us + * to try to use a specific FAPI plugin, so find it, and try it.... 
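Review bot: In the `dict_find(TT_cmap, &cc32, &gid) > 0` hunk the found value is read as `gid->value.intval` with no check that it is an integer, so a crafted TT_cmap entry of another type yields a garbage glyph index; the sibling change to TT_char_code_from_CID_no_subst in zcid.c does add `r_has_type(glyph_index, t_integer)` for the same lookup, so this site should match it: `if (dict_find(TT_cmap, &cc32, &gid) > 0 && r_has_type(gid, t_integer))`. ps_get_glyphname_or_cid begins and ends outside this hunk.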
+ */ +- if (dict_find_string(op, "FAPIPlugInReq", &v) >= 0 && r_type(v) == t_name) { ++ if (dict_find_string(op, "FAPIPlugInReq", &v) > 0 && r_type(v) == t_name) { + + name_string_ref(imemory, v, &reqstr); + +diff --git a/psi/zfcid0.c b/psi/zfcid0.c +index 2aba09a..ba00b21 100644 +--- a/psi/zfcid0.c ++++ b/psi/zfcid0.c +@@ -410,13 +410,25 @@ zbuildfont9(i_ctx_t *i_ctx_p) + * from a file, GlyphData will be an integer, and DataSource will be + * a (reusable) stream. + */ +- if (code < 0 || +- (code = cid_font_data_param(op, &common, &GlyphDirectory)) < 0 || +- (code = dict_find_string(op, "FDArray", &prfda)) < 0 || +- (code = dict_find_string(op, "CIDFontName", &pCIDFontName)) <= 0 || +- (code = dict_int_param(op, "FDBytes", 0, MAX_FDBytes, -1, &FDBytes)) < 0 +- ) ++ if (code < 0) ++ return code; ++ code = cid_font_data_param(op, &common, &GlyphDirectory); ++ if (code < 0) ++ return code; ++ code = dict_find_string(op, "FDArray", &prfda); ++ if (code < 0) ++ return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ code = dict_find_string(op, "CIDFontName", &pCIDFontName); ++ if (code < 0) ++ return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ code = dict_int_param(op, "FDBytes", 0, MAX_FDBytes, -1, &FDBytes); ++ if (code < 0) + return code; ++ + /* + * Since build_gs_simple_font may resize the dictionary and cause + * pointers to become invalid, save CIDFontName +@@ -426,17 +438,24 @@ zbuildfont9(i_ctx_t *i_ctx_p) + /* Standard CIDFont, require GlyphData and CIDMapOffset. 
*/ + ref *pGlyphData; + +- if ((code = dict_find_string(op, "GlyphData", &pGlyphData)) < 0 || +- (code = dict_uint_param(op, "CIDMapOffset", 0, max_uint - 1, +- max_uint, &CIDMapOffset)) < 0) ++ code = dict_find_string(op, "GlyphData", &pGlyphData); ++ if (code < 0) ++ return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ code = dict_uint_param(op, "CIDMapOffset", 0, max_uint - 1, max_uint, &CIDMapOffset); ++ if (code < 0) + return code; + GlyphData = *pGlyphData; + if (r_has_type(&GlyphData, t_integer)) { + ref *pds; + stream *ignore_s; + +- if ((code = dict_find_string(op, "DataSource", &pds)) < 0) ++ code = dict_find_string(op, "DataSource", &pds); ++ if (code < 0) + return code; ++ if (code == 0) ++ return_error(gs_error_undefined); + check_read_file(i_ctx_p, ignore_s, pds); + DataSource = *pds; + } else { +diff --git a/psi/zfcid1.c b/psi/zfcid1.c +index ef3ece0..e3643a0 100644 +--- a/psi/zfcid1.c ++++ b/psi/zfcid1.c +@@ -347,11 +347,17 @@ zbuildfont11(i_ctx_t *i_ctx_p) + ref rcidmap, ignore_gdir, file, *pfile, cfnstr, *pCIDFontName, CIDFontName, *t; + ulong loca_glyph_pos[2][2]; + int code = cid_font_data_param(op, &common, &ignore_gdir); ++ if (code < 0) ++ return code; + +- if (code < 0 || +- (code = dict_find_string(op, "CIDFontName", &pCIDFontName)) <= 0 || +- (code = dict_int_param(op, "MetricsCount", 0, 4, 0, &MetricsCount)) < 0 +- ) ++ code = dict_find_string(op, "CIDFontName", &pCIDFontName); ++ if (code <= 0) { ++ if (code == 0) ++ return_error(gs_error_undefined); ++ return code; ++ } ++ code = dict_int_param(op, "MetricsCount", 0, 4, 0, &MetricsCount); ++ if (code < 0) + return code; + /* + * Since build_gs_simple_font may resize the dictionary and cause +diff --git a/psi/zicc.c b/psi/zicc.c +index ebf25fe..53bdf34 100644 +--- a/psi/zicc.c ++++ b/psi/zicc.c +@@ -261,6 +261,8 @@ zset_outputintent(i_ctx_t * i_ctx_p) + code = dict_find_string(op, "N", &pnval); + if (code < 0) + return code; ++ if (code == 0) ++ 
return_error(gs_error_undefined); + ncomps = pnval->value.intval; + + /* verify the DataSource entry. Creat profile from stream */ +@@ -491,6 +493,8 @@ znumicc_components(i_ctx_t * i_ctx_p) + code = dict_find_string(op, "N", &pnval); + if (code < 0) + return code; ++ if (code == 0) ++ return_error(gs_error_undefined); + ncomps = pnval->value.intval; + /* verify the DataSource entry. Create profile from stream */ + if (dict_find_string(op, "DataSource", &pstrmval) <= 0) +diff --git a/psi/zpdf_r6.c b/psi/zpdf_r6.c +index bcd4907..992f316 100644 +--- a/psi/zpdf_r6.c ++++ b/psi/zpdf_r6.c +@@ -145,21 +145,36 @@ zcheck_r6_password(i_ctx_t * i_ctx_p) + return_error(gs_error_typecheck); + + code = dict_find_string(CryptDict, "O", &Oref); +- if (code < 0 || !r_has_type(Oref, t_string)) { ++ if (code < 0) ++ return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ if (!r_has_type(Oref, t_string)) + return_error(gs_error_typecheck); +- } ++ + code = dict_find_string(CryptDict, "OE", &OEref); +- if (code < 0 || !r_has_type(OEref, t_string)) { ++ if (code < 0) ++ return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ if (!r_has_type(OEref, t_string)) + return_error(gs_error_typecheck); +- } ++ + code = dict_find_string(CryptDict, "U", &Uref); +- if (code < 0 || !r_has_type(Uref, t_string)) { ++ if (code < 0) ++ return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ if (!r_has_type(Uref, t_string)) + return_error(gs_error_typecheck); +- } ++ + code = dict_find_string(CryptDict, "UE", &UEref); +- if (code < 0 || !r_has_type(UEref, t_string)) { ++ if (code < 0) ++ return code; ++ if (code == 0) ++ return_error(gs_error_undefined); ++ if (!r_has_type(UEref, t_string)) + return_error(gs_error_typecheck); +- } + + pop(2); + op = osp; +diff --git a/psi/ztoken.c b/psi/ztoken.c +index 519cd09..9314d97 100644 +--- a/psi/ztoken.c ++++ b/psi/ztoken.c +@@ -356,7 +356,7 @@ ztoken_scanner_options(const ref *upref, int old_options) + int code = 
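Review bot: zcheck_r6_password now verifies that O, OE, U and UE exist and are strings, but this hunk does not check their lengths before `pop(2)` drops the operands; the revision-6 algorithm reads fixed-size fields from these strings (48 bytes for O/U, 32 for OE/UE per the PDF spec), so if the code after this hunk indexes them at fixed offsets, an undersized string would be read past its end. Unless a length check exists further down (not visible here), add `if (r_size(Oref) < 48 || r_size(Uref) < 48 || r_size(OEref) < 32 || r_size(UEref) < 32) return_error(gs_error_rangecheck);` before the `pop(2)`. The function continues beyond the hunk.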
dict_find_string(upref, pnso->pname, &ppcproc); + + /* Update the options only if the parameter has changed. */ +- if (code >= 0) { ++ if (code > 0) { + if (r_has_type(ppcproc, t_null)) + options &= ~pnso->option; + else +-- +2.17.2 + + +From 434753adbe8be5534bfb9b7d91746023e8073d16 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Wed, 14 Nov 2018 09:25:13 +0000 +Subject: [PATCH 2/3] Bug #700169 - unchecked type + +Bug #700169 "Type confusion in setcolorspace" + +In seticc() we extract "Name" from a dictionary, if it succeeds we then +use it as a string, without checking the type to see if it is in fact +a string. + +Add a check on the type, and add a couple to check that 'N' is an integer +in a few places too. +--- + psi/zicc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/psi/zicc.c b/psi/zicc.c +index 53bdf34..dbd2562 100644 +--- a/psi/zicc.c ++++ b/psi/zicc.c +@@ -76,7 +76,7 @@ int seticc(i_ctx_t * i_ctx_p, int ncomps, ref *ICCdict, float *range_buff) + want to have this buffer. */ + /* Check if we have the /Name entry. This is used to associate with + specs that have enumerated types to indicate sRGB sGray etc */ +- if (dict_find_string(ICCdict, "Name", &pnameval) > 0){ ++ if (dict_find_string(ICCdict, "Name", &pnameval) > 0 && r_has_type(pnameval, t_string)){ + uint size = r_size(pnameval); + char *str = (char *)gs_alloc_bytes(gs_gstate_memory(igs), size+1, "seticc"); + memcpy(str, (const char *)pnameval->value.bytes, size); +@@ -263,6 +263,8 @@ zset_outputintent(i_ctx_t * i_ctx_p) + return code; + if (code == 0) + return_error(gs_error_undefined); ++ if (r_type(pnval) != t_integer) ++ return gs_note_error(gs_error_typecheck); + ncomps = pnval->value.intval; + + /* verify the DataSource entry. 
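Review bot: In the seticc hunk the new `r_has_type(pnameval, t_string)` guard is right, but the line immediately below it still does `memcpy(str, ...)` into the result of `gs_alloc_bytes(..., size+1, "seticc")` without checking for NULL, so an allocation failure on a large /Name becomes a write through a NULL pointer. Add `if (str == NULL) return_error(gs_error_VMerror);` between the allocation and the memcpy. seticc's body continues outside the hunk.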
Creat profile from stream */ +@@ -495,6 +497,8 @@ znumicc_components(i_ctx_t * i_ctx_p) + return code; + if (code == 0) + return_error(gs_error_undefined); ++ if (r_type(pnval) != t_integer) ++ return gs_note_error(gs_error_typecheck); + ncomps = pnval->value.intval; + /* verify the DataSource entry. Create profile from stream */ + if (dict_find_string(op, "DataSource", &pstrmval) <= 0) +-- +2.17.2 + + +From 9a1b3ac61761094713f44dedfce56013308a3b1d Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Wed, 14 Nov 2018 09:31:10 +0000 +Subject: [PATCH 3/3] PS interpreter - add some type checking + +These were 'probably' safe anyway, since they mostly treat the objects +as integers without checking, which at least can't result in a crash. + +Nevertheless, we ought to check. + +The return from comparedictkeys could be wrong if one of the keys had +a value which was not an array, it could incorrectly decide the two +were in fact the same. +--- + psi/zbfont.c | 15 +++++++++------ + psi/zcolor.c | 24 +++++++++++++++++++++++- + psi/zcrd.c | 4 +++- + psi/zfjpx.c | 2 ++ + psi/zfont.c | 3 +++ + psi/zfont0.c | 3 +++ + psi/zimage3.c | 2 ++ + psi/ztrans.c | 4 ++++ + 8 files changed, 49 insertions(+), 8 deletions(-) + +diff --git a/psi/zbfont.c b/psi/zbfont.c +index c1d0461..5b830a2 100644 +--- a/psi/zbfont.c ++++ b/psi/zbfont.c +@@ -666,6 +666,9 @@ sub_font_params(gs_memory_t *mem, const ref *op, gs_matrix *pmat, gs_matrix *pom + return_error(gs_error_invalidfont); + if (dict_find_string(op, "OrigFont", &porigfont) <= 0) + porigfont = NULL; ++ if (porigfont != NULL && !r_has_type(porigfont, t_dictionary)) ++ return_error(gs_error_typecheck); ++ + if (pomat!= NULL) { + if (porigfont == NULL || + dict_find_string(porigfont, "FontMatrix", &pmatrix) <= 0 || +@@ -676,8 +679,8 @@ sub_font_params(gs_memory_t *mem, const ref *op, gs_matrix *pmat, gs_matrix *pom + /* Use the FontInfo/OrigFontName key preferrentially (created by MS PSCRIPT driver) */ + if ((dict_find_string((porigfont != NULL 
? porigfont : op), "FontInfo", &pfontinfo) > 0) && + r_has_type(pfontinfo, t_dictionary) && +- (dict_find_string(pfontinfo, "OrigFontName", &pfontname) > 0)) { +- if ((dict_find_string(pfontinfo, "OrigFontStyle", &pfontstyle) > 0) && ++ (dict_find_string(pfontinfo, "OrigFontName", &pfontname) > 0) && (r_has_type(pfontname, t_name) || r_has_type(pfontname, t_string))) { ++ if ((dict_find_string(pfontinfo, "OrigFontStyle", &pfontstyle) > 0) && (r_has_type(pfontname, t_name) || r_has_type(pfontname, t_string)) && + r_size(pfontstyle) > 0) { + const byte *tmpStr1 = pfontname->value.const_bytes; + const byte *tmpStr2 = pfontstyle->value.const_bytes; +@@ -775,11 +778,11 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype, + avm_space useglob = r_is_local(pencoding) ? avm_local : avm_global; + + ialloc_set_space(idmemory, useglob); +- ++ + count = r_size(pencoding); + if ((code = ialloc_ref_array(&penc, (r_type_attrs(pencoding) & a_readonly), count, "build_gs_font")) < 0) + return code; +- ++ + while (count--) { + ref r; + if (array_get(imemory, pencoding, count, &r) < 0){ +@@ -790,7 +793,7 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype, + ref_assign(&(penc.value.refs[count]), &r); + } + else { +- ++ + if ((code = obj_cvs(imemory, &r, (byte *)buf, 32, &size, (const byte **)(&bptr))) < 0) { + return(code); + } +@@ -799,7 +802,7 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype, + ref_assign(&(penc.value.refs[count]), &r); + } + } +- ++ + if ((code = dict_put_string(osp, "Encoding", &penc, NULL)) < 0) + return code; + ialloc_set_space(idmemory, curglob); +diff --git a/psi/zcolor.c b/psi/zcolor.c +index fe81e79..b69b8f5 100644 +--- a/psi/zcolor.c ++++ b/psi/zcolor.c +@@ -1877,7 +1877,12 @@ static int comparedictkey(i_ctx_t * i_ctx_p, ref *CIEdict1, ref *CIEdict2, char + if (r_type(tempref1) == t_null) + return 1; + +- return comparearrays(i_ctx_p, tempref1, tempref2); ++ code = 
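Review bot: The second type check added to sub_font_params tests `pfontname` a second time rather than `pfontstyle`, so `r_size(pfontstyle)` and `pfontstyle->value.const_bytes` on the following lines still operate on an unchecked /OrigFontStyle value, which is the type-confusion this patch is meant to close. The condition on the OrigFontStyle line should read `(r_has_type(pfontstyle, t_name) || r_has_type(pfontstyle, t_string))`. The enclosing function starts and ends outside this hunk.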
comparearrays(i_ctx_p, tempref1, tempref2); ++ ++ if (code > 0) ++ return 1; ++ else ++ return 0; + } + + static int hasharray(i_ctx_t * i_ctx_p, ref *m1, gs_md5_state_t *md5) +@@ -5473,6 +5478,9 @@ static int seticcspace(i_ctx_t * i_ctx_p, ref *r, int *stage, int *cont, int CIE + return code; + if (code == 0) + return gs_note_error(gs_error_undefined); ++ if (r_type(tempref) != t_integer) ++ return gs_note_error(gs_error_typecheck); ++ + components = tempref->value.intval; + if (components > count_of(range)/2) + return_error(gs_error_rangecheck); +@@ -5584,6 +5592,10 @@ static int iccompareproc(i_ctx_t *i_ctx_p, ref *space, ref *testspace) + /* Need to check all the various parts */ + code1 = dict_find_string(&ICCdict1, "N", &tempref1); + code2 = dict_find_string(&ICCdict2, "N", &tempref2); ++ ++ if (!r_has_type(tempref1, t_integer) || !r_has_type(tempref2, t_integer)) ++ return 0; ++ + if (code1 != code2) + return 0; + if (tempref1->value.intval != tempref2->value.intval) +@@ -5737,6 +5749,8 @@ static int iccalternatespace(i_ctx_t * i_ctx_p, ref *space, ref **r, int *CIESub + return code; + if (code == 0) + return gs_note_error(gs_error_undefined); ++ if (!r_has_type(tempref, t_integer)) ++ return_error(gs_error_typecheck); + + components = tempref->value.intval; + +@@ -5775,6 +5789,9 @@ static int icccomponents(i_ctx_t * i_ctx_p, ref *space, int *n) + return code; + if (code == 0) + return gs_note_error(gs_error_undefined); ++ if (!r_has_type(tempref, t_integer)) ++ return gs_note_error(gs_error_typecheck); ++ + *n = tempref->value.intval; + return 0; + } +@@ -5791,6 +5808,9 @@ static int iccdomain(i_ctx_t * i_ctx_p, ref *space, float *ptr) + return code; + if (code == 0) + return gs_note_error(gs_error_undefined); ++ if (!r_has_type(tempref, t_integer)) ++ return gs_note_error(gs_error_typecheck); ++ + components = tempref->value.intval; + code = dict_find_string(&ICCdict, "Range", &tempref); + if (code > 0 && !r_has_type(tempref, t_null)) { +@@ -5824,6 +5844,8 
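Review bot: In iccompareproc the new `r_has_type(tempref1, t_integer) || !r_has_type(tempref2, t_integer)` test dereferences both refs before `code1`/`code2` are examined, so when `dict_find_string` returned 0 (key absent) or an error the pointer is never set and this reads an indeterminate value, which is exactly the dict_find* misuse the first patch in this series is fixing. Move the existing `if (code1 != code2) return 0;` above the type check and make it `if (code1 <= 0 || code2 <= 0 || code1 != code2) return 0;` so the refs are only inspected when both lookups succeeded. iccompareproc continues outside this hunk.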
@@ static int iccrange(i_ctx_t * i_ctx_p, ref *space, float *ptr) + return code; + if (code == 0) + return gs_note_error(gs_error_undefined); ++ if (!r_has_type(tempref, t_integer)) ++ return gs_note_error(gs_error_typecheck); + components = tempref->value.intval; + code = dict_find_string(&ICCdict, "Range", &tempref); + if (code > 0 && !r_has_type(tempref, t_null)) { +diff --git a/psi/zcrd.c b/psi/zcrd.c +index 7993b15..d58160d 100644 +--- a/psi/zcrd.c ++++ b/psi/zcrd.c +@@ -231,8 +231,10 @@ zcrd1_params(os_ptr op, gs_cie_render * pcrd, + return code; + + if (dict_find_string(op, "RenderTable", &pRT) > 0) { +- const ref *prte = pRT->value.const_refs; ++ const ref *prte; + ++ check_read_type(*pRT, t_array); ++ prte = pRT->value.const_refs; + /* Finish unpacking and checking the RenderTable parameter. */ + check_type_only(prte[4], t_integer); + if (!(prte[4].value.intval == 3 || prte[4].value.intval == 4)) +diff --git a/psi/zfjpx.c b/psi/zfjpx.c +index c622f48..db1fae2 100644 +--- a/psi/zfjpx.c ++++ b/psi/zfjpx.c +@@ -115,6 +115,8 @@ z_jpx_decode(i_ctx_t * i_ctx_p) + dict_find_string(csdict, "N", &nref) > 0) { + if_debug1m('w', imemory, "[w] JPX image has an external %"PRIpsint + " channel colorspace\n", nref->value.intval); ++ if (r_type(nref) != t_integer) ++ return gs_note_error(gs_error_typecheck); + switch (nref->value.intval) { + case 1: state.colorspace = gs_jpx_cs_gray; + break; +diff --git a/psi/zfont.c b/psi/zfont.c +index 9c51792..f6c5ae1 100644 +--- a/psi/zfont.c ++++ b/psi/zfont.c +@@ -596,6 +596,9 @@ zfont_info(gs_font *font, const gs_point *pscale, int members, + info->members |= FONT_INFO_FULL_NAME; + if ((members & FONT_INFO_EMBEDDING_RIGHTS) + && (dict_find_string(pfontinfo, "FSType", &pvalue) > 0)) { ++ if (r_type(pvalue) != t_integer) ++ return gs_note_error(gs_error_typecheck); ++ + info->EmbeddingRights = pvalue->value.intval; + info->members |= FONT_INFO_EMBEDDING_RIGHTS; + } +diff --git a/psi/zfont0.c b/psi/zfont0.c +index 4b01c20..a179d7b 
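Review bot: `check_read_type(*pRT, t_array)` settles the type of RenderTable but not its length, and the line right after the new code indexes `prte[4]` without any visible `r_size` test; unless the five-element size is verified before this hunk, an array shorter than five refs reads past its end. Add `if (r_size(pRT) < 5) return_error(gs_error_rangecheck);` directly after the type check, before `prte` is assigned. zcrd1_params starts outside the hunk.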
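Review bot: The new integer check sits below the `if_debug1m(...)` call that already prints `nref->value.intval`, so in a debug build the union is read as an integer before its type is known, which is exactly what the check is meant to prevent even if that particular read is harmless. Move the two added lines above the `if_debug1m` call so the value is validated before anything looks at it. z_jpx_decode continues outside the hunk.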
100644 +--- a/psi/zfont0.c ++++ b/psi/zfont0.c +@@ -243,6 +243,9 @@ zbuildfont0(i_ctx_t *i_ctx_p) + array_get(pfont->memory, &fdepvector, i, &fdep); + /* The lookup can't fail, because of the pre-check above. */ + dict_find_string(&fdep, "FID", &pfid); ++ if (!r_has_type(pfid, t_fontID)) ++ return gs_note_error(gs_error_typecheck); ++ + data.FDepVector[i] = r_ptr(pfid, gs_font); + } + pfont->data = data; +diff --git a/psi/zimage3.c b/psi/zimage3.c +index 87a3dce..2beda9f 100644 +--- a/psi/zimage3.c ++++ b/psi/zimage3.c +@@ -53,6 +53,8 @@ zimage3(i_ctx_t *i_ctx_p) + dict_find_string(op, "MaskDict", &pMaskDict) <= 0 + ) + return_error(gs_error_rangecheck); ++ check_type(*pDataDict, t_dictionary); ++ check_type(*pMaskDict, t_dictionary); + if ((code = pixel_image_params(i_ctx_p, pDataDict, + (gs_pixel_image_t *)&image, &ip_data, + 12, false, gs_currentcolorspace(igs))) < 0 || +diff --git a/psi/ztrans.c b/psi/ztrans.c +index 64defda..0550a10 100644 +--- a/psi/ztrans.c ++++ b/psi/ztrans.c +@@ -417,6 +417,7 @@ zimage3x(i_ctx_t *i_ctx_p) + gs_image3x_t_init(&image, NULL); + if (dict_find_string(op, "DataDict", &pDataDict) <= 0) + return_error(gs_error_rangecheck); ++ check_type(*pDataDict, t_dictionary); + if ((code = pixel_image_params(i_ctx_p, pDataDict, + (gs_pixel_image_t *)&image, &ip_data, + 16, false, gs_currentcolorspace(igs))) < 0 || +@@ -453,6 +454,9 @@ image_params *pip_data, const char *dict_name, + + if (dict_find_string(op, dict_name, &pMaskDict) <= 0) + return 1; ++ if (!r_has_type(pMaskDict, t_dictionary)) ++ return gs_note_error(gs_error_typecheck); ++ + if ((mcode = code = data_image_params(mem, pMaskDict, &pixm->MaskDict, + &ip_mask, false, 1, 16, false, false)) < 0 || + (code = dict_int_param(pMaskDict, "ImageType", 1, 1, 0, &ignored)) < 0 || +-- +2.17.2 + diff --git a/SOURCES/ghostscript-cve-2018-19477.patch b/SOURCES/ghostscript-cve-2018-19477.patch new file mode 100644 index 0000000..a4dfb31 --- /dev/null 
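Review bot: The comment `/* The lookup can't fail, because of the pre-check above. */` now sits directly over a check that the looked-up value may have the wrong type, which reads as a contradiction; widen it to say that the pre-check guarantees the key exists but not the type of its value, e.g. `/* The lookup can't fail (pre-checked above), but the value's type is not guaranteed. */`. zbuildfont0 starts and ends outside the hunk.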
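Review bot: The mask-dictionary check is spelled `if (!r_has_type(pMaskDict, t_dictionary)) return gs_note_error(gs_error_typecheck);` while the DataDict check added in the previous hunk of this file uses the `check_type(*pDataDict, t_dictionary);` macro; since this helper already returns Ghostscript error codes (`return 1;` and the `code`/`mcode` values below), `check_type(*pMaskDict, t_dictionary);` would keep the two checks uniform. The helper's signature and body extend outside the hunk.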
+++ b/SOURCES/ghostscript-cve-2018-19477.patch
@@ -0,0 +1,32 @@
+From 606a22e77e7f081781e99e44644cd0119f559e03 Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Wed, 14 Nov 2018 09:27:00 +0000
+Subject: [PATCH] Bug #700168 - add a type check
+
+Bug #700168 "Type confusion in JBIG2Decode"
+
+The code was assuming that .jbig2globalctx was a structure allocated
+by the graphics library, without checking.
+
+Add a check to see that it is a structure and that its the correct
+type of structure.
+---
+ psi/zfjbig2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/psi/zfjbig2.c b/psi/zfjbig2.c
+index a3d13a2..07b470f 100644
+--- a/psi/zfjbig2.c
++++ b/psi/zfjbig2.c
+@@ -72,6 +72,8 @@ z_jbig2decode(i_ctx_t * i_ctx_p)
+ if (r_has_type(op, t_dictionary)) {
+ check_dict_read(*op);
+ if ( dict_find_string(op, ".jbig2globalctx", &sop) > 0) {
++ if (!r_is_struct(sop) || !r_has_stype(sop, imemory, st_jbig2_global_data_t))
++ return_error(gs_error_typecheck);
+ gref = r_ptr(sop, s_jbig2_global_data_t);
+ s_jbig2decode_set_global_data((stream_state*)&state, gref);
+ }
+--
+2.17.2
+
diff --git a/SOURCES/ghostscript-cve-2019-6116.patch b/SOURCES/ghostscript-cve-2019-6116.patch
new file mode 100644
index 0000000..9535366
--- /dev/null
+++ b/SOURCES/ghostscript-cve-2019-6116.patch
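Review bot: The new struct-type check is the right fix, but nothing in the hunk says why it is needed, and the value it guards is pulled from an operand dictionary the caller controls; a one-line comment above it would keep the next person from "simplifying" it away, e.g. `/* .jbig2globalctx comes from a user-supplied dict: verify it is our global-data struct before the r_ptr cast. */`. The surrounding z_jbig2decode body extends outside the hunk.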
@@ -0,0 +1,1178 @@
+From 30cd347f37bfb293ffdc407397d1023628400b81 Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Mon, 15 Oct 2018 13:35:15 +0100
+Subject: [PATCH 1/6] font parsing - prevent SEGV in .cffparse
+
+Bug #699961 "currentcolortransfer procs crash .parsecff"
+
+zparsecff checked the operand for being an array (and not a packed
+array) but the returned procedures from the default currentcolortransfer
+are arrays, not packed arrays. This led to the code trying to
+dereference a NULL pointer.
+
+Add a specific check for the 'refs' pointer being NULL before we try
+to use it.
+
+Additionally, make the StartData procedure in the CFF Font Resource
+executeonly to prevent pulling the hidden .parsecff operator out and
+using it. Finally, extend this to other resource types.
+---
+ Resource/Init/gs_cff.ps | 4 +--
+ Resource/Init/gs_cidcm.ps | 6 ++--
+ Resource/Init/gs_ciddc.ps | 4 +--
+ Resource/Init/gs_cmap.ps | 2 +-
+ Resource/Init/gs_res.ps | 60 +++++++++++++++++++--------------------
+ psi/zfont2.c | 4 +++
+ 6 files changed, 42 insertions(+), 38 deletions(-)
+
+diff --git a/Resource/Init/gs_cff.ps b/Resource/Init/gs_cff.ps
+index 20c35a5..b60e374 100644
+--- a/Resource/Init/gs_cff.ps
++++ b/Resource/Init/gs_cff.ps
+@@ -199,7 +199,7 @@ def
+ % ordinary CFF font.
+ /StartData { % StartData -
+ currentfile exch subfilefilter //false //false ReadData pop
+-} bind def
++} bind executeonly def
+ /ReadData { % ReadData
+ % Initialize.
+
+@@ -234,7 +234,7 @@ def
+ end % FontSetInit ProcSet
+ /FontSet defineresource
+
+-} bind def
++} bind executeonly def
+
+ % ---------------- Resource category definition ---------------- %
+
+diff --git a/Resource/Init/gs_cidcm.ps b/Resource/Init/gs_cidcm.ps
+index 0201ea8..60b0fdb 100644
+--- a/Resource/Init/gs_cidcm.ps
++++ b/Resource/Init/gs_cidcm.ps
+@@ -327,7 +327,7 @@ currentdict end def
+ //FindResource exec
+ } ifelse
+ } ifelse
+-} bind def
++} bind executeonly def
+
+ /ResourceStatus { % ResourceStatus true
+ % ResourceStatus false
+@@ -359,7 +359,7 @@ currentdict end def
+ //false
+ } ifelse
+ } ifelse
+-} bind def
++} bind executeonly def
+
+ /ResourceForAll { %
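Review bot: `executeonly` on StartData hides that procedure's body, but StartData only does `currentfile exch subfilefilter //false //false ReadData pop`, and ReadData, defined on the very next line with a plain `bind def` as far as this hunk shows, is the procedure that actually consumes the data. If .parsecff is invoked from ReadData rather than from StartData, the operator is still reachable by reading ReadData, so it would need the same `} bind executeonly def` treatment. ReadData's body continues outside the hunk, so this needs confirming against the full file.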