From: Ken Sharp
Date: Thu, 23 Aug 2018 13:12:48 +0000 (+0100)
Subject: Fix Bug 699660 "shading_param incomplete type checking"

Fix Bug 699660 "shading_param incomplete type checking"

It's possible to pass a t_struct parameter to .shfill which is not a shading function built by .buildshading. This could then lead to memory corruption or a segmentation fault by treating the object passed in as if it were a shading.

It's non-trivial to check the t_struct, because this function can take 7 different kinds of structures as a parameter. Checking these is possible, of course, but would add a performance penalty.

However, we can note that we never call .shfill without first calling .buildshading, and we never call .buildshading without immediately calling .shfill. So we can treat these as an atomic operation. The .buildshading function takes all its parameters as PostScript objects and validates them, so that should be safe.

This allows us to 'hide' the .shfill operator, preventing the possibility of passing an invalid parameter.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0b6cd1918e1ec4ffd087400a754a845180a4522b

From: Ken Sharp
Date: Fri, 24 Aug 2018 11:44:26 +0000 (+0100)
Subject: Hide the .shfill operator

Hide the .shfill operator

Commit 0b6cd1918e1ec4ffd087400a754a845180a4522b was supposed to make the .shfill operator unobtainable, but I accidentally left a comment in the line doing so. Fix it here; without this the operator can still be exploited.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e01e77a36cbb2e0277bc3a63852244bec41be0f6

---
diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2018-15909 ghostscript-9.07/Resource/Init/gs_init.ps
--- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2018-15909 2018-12-10 11:23:36.732179705 +0100
+++ ghostscript-9.07/Resource/Init/gs_init.ps 2018-12-10 11:23:36.738179607 +0100
@@ -2136,8 +2136,8 @@ SAFER { .setsafe } if /.getiodevice /.getdevparms /.putdevparams /.bbox_transform /.matchmedia /.matchpagesize /.defaultpapersize /.oserrno /.setoserrno /.oserrorstring /.getCPSImode /.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep -/.buildshading1 /.buildshadin2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern -/.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring +/.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern +/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath diff -up ghostscript-9.07/Resource/Init/gs_ll3.ps.cve-2018-15909 ghostscript-9.07/Resource/Init/gs_ll3.ps --- ghostscript-9.07/Resource/Init/gs_ll3.ps.cve-2018-15909 2013-02-14 08:58:16.000000000 +0100 +++ ghostscript-9.07/Resource/Init/gs_ll3.ps 2018-12-10 11:23:36.739179591 +0100 @@ -406,6 +406,11 @@ systemdict /.reuseparamdict mark /shfill .systemvar /undefined signalerror } ifelse } bind def + +/.buildshading_and_shfill { + .buildshading .shfill +} bind def + systemdict /.reuseparamdict undef /.buildpattern2 { %
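Review bot: in the gs_init.ps hunk, the replaced line also silently corrects `/.buildshadin2` to `/.buildshading2`, so this backport does more than add `/.shfill` to the list of internal names hidden after initialisation: before the patch the misspelled entry matched nothing and `.buildshading2` stayed reachable, and after it that name is hidden as well. That is a second behavioural change bundled into the CVE-2018-15909 fix which neither quoted upstream commit message mentions; it should be called out in the patch description so that anyone regression-testing shadings on 9.07 knows why `.buildshading2` disappears. Note also that this backport folds the two upstream commits together (the second one only fixes the commented-out `/.shfill` entry described above), which is fine, but the description should say so.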
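Review bot: in the gs_ll3.ps hunk, the new `.buildshading_and_shfill` procedure is defined but no call site is converted to use it anywhere in this patch, so once the gs_init.ps change removes `.shfill` from systemdict any remaining direct `... .buildshading .shfill` sequence in the library PostScript code will fail with /undefined at run time; the backport must either carry the call-site edits from upstream 0b6cd1918e1ec4ffd087400a754a845180a4522b or state that 9.07 has none left, and that should be verified before merging. The `bind` on the new definition is what makes the approach work: binding resolves `.shfill` to the operator object when the procedure is defined, so the procedure keeps functioning after the name itself is undefined, and `.shfill` becomes reachable only through this wrapper, which always runs `.buildshading` and its parameter validation first. Do not drop the `bind` when rebasing.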