From: Chris Liddell Date: Sat, 29 Sep 2018 14:34:55 +0000 (+0100) Subject: Bug 699816: Improve hiding of security critical custom operators Bug 699816: Improve hiding of security critical custom operators Make procedures that use .forceput/.forcedef/.forceundef into operators. The result of this is that errors get reported against the "top" operator, rather than the "called" operator within the procedure. For example: /myproc { myop } bind def If 'myop' throws an error, the error handler will be passed the 'myop' operator. Promoting 'myproc' to a operator means the error handler will be passed 'myproc'. https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a54c9e61e7d02bbc620bcba9b1c208462a876afb From: Chris Liddell Date: Wed, 10 Oct 2018 22:25:51 +0000 (+0100) Subject: Bug 699938: .loadfontloop must be an operator Bug 699938: .loadfontloop must be an operator In the fix for Bug 699816, I omitted to make .loadfontloop into an operator, to better hide .forceundef and .putgstringcopy. https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a5a9bf8c6a63aa4ac6874234fe8cd63e72077291 From: Chris Liddell Date: Wed, 28 Nov 2018 17:12:08 +0000 (+0000) Subject: Bug 700290: Fix problems with DELAYBIND and font substitution Bug 700290: Fix problems with DELAYBIND and font substitution Judicious use of immediate evaluation for .setnativefontmapbuilt and .putgstringcopy to avoid problems with DELAYBIND https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2756f0efae1d3966989b15a6526c5d80848b5015 --- diff -up ghostscript-9.07/Resource/Init/gs_diskn.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_diskn.ps --- ghostscript-9.07/Resource/Init/gs_diskn.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100 +++ ghostscript-9.07/Resource/Init/gs_diskn.ps 2018-12-10 14:51:03.208407266 +0100 @@ -53,7 +53,7 @@ systemdict begin exch .setglobal } if -} .bind executeonly def % must be bound and hidden for .forceput +} .bind executeonly odef % must be bound and hidden for .forceput % Modify .putdevparams to force regeneration of .searchabledevs list /.putdevparams { diff -up ghostscript-9.07/Resource/Init/gs_dps.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_dps.ps --- ghostscript-9.07/Resource/Init/gs_dps.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100 +++ ghostscript-9.07/Resource/Init/gs_dps.ps 2018-12-10 14:51:03.208407266 +0100 @@ -71,7 +71,7 @@ //true .setglobal //systemdict /savedinitialgstate gstate readonly put .setglobal -} .bind def +} .bind executeonly odef % must be bound and hidden for .forceput % Initialize local dictionaries and gstate when creating a new context. % Note that until this completes, we are in the anomalous situation of diff -up ghostscript-9.07/Resource/Init/gs_fntem.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_fntem.ps --- ghostscript-9.07/Resource/Init/gs_fntem.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100 +++ ghostscript-9.07/Resource/Init/gs_fntem.ps 2018-12-10 14:51:03.209407249 +0100 @@ -432,7 +432,7 @@ currentdict end def exit } loop exch setglobal -} bind def +} .bind executeonly odef % must be bound and hidden for .forceput currentdict end /ProcSet defineresource pop diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_fonts.ps --- ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2018-17961 2018-12-10 14:51:03.002410648 +0100 +++ ghostscript-9.07/Resource/Init/gs_fonts.ps 2018-12-10 14:51:03.209407249 +0100 @@ -375,7 +375,7 @@ FONTPATH length 0 eq { (%END FONTPATH) . % and the access path. /.setnativefontmapbuilt { % set whether we've been run systemdict exch /.nativefontmapbuilt exch .forceput -} .bind executeonly def +} .bind executeonly odef systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt /.buildnativefontmap { % - .buildnativefontmap QUIET not { @@ -404,7 +404,7 @@ systemdict /NONATIVEFONTMAP known .setna } forall } if % record that we've been run - //true .setnativefontmapbuilt + //true //.setnativefontmapbuilt } bind def % Create the dictionary that registers the .buildfont procedure @@ -1082,7 +1082,7 @@ $error /SubstituteFont { } put % Check to make sure the font was actually loaded. dup 3 index .fontknownget - { dup /PathLoad 4 index //.putgstringcopy exec + { dup /PathLoad 4 index //.putgstringcopy 4 1 roll pop pop pop //true exit } if @@ -1094,7 +1094,7 @@ $error /SubstituteFont { } put { % Stack: origfontname fontdirectory path filefontname 2 index 1 index .fontknownget { % Yes. Stack: origfontname fontdirectory path filefontname fontdict - dup 4 -1 roll /PathLoad exch //.putgstringcopy exec + dup 4 -1 roll /PathLoad exch //.putgstringcopy % Stack: origfontname fontdirectory filefontname fontdict 3 -1 roll pop exch % Stack: origfontname fontdict filefontname @@ -1122,9 +1122,8 @@ $error /SubstituteFont { } put } loop % end of loop - } bind executeonly def % must be bound and hidden for .putgstringcopy - -currentdict /.putgstringcopy .undef + } bind executeonly odef % must be bound and hidden for .putgstringcopy +currentdict /.putgstringcopy .forceundef % Define a procedure to load all known fonts. % This isn't likely to be very useful. diff -up ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_lev2.ps --- ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100 +++ ghostscript-9.07/Resource/Init/gs_lev2.ps 2018-12-10 14:51:03.210407233 +0100 @@ -163,9 +163,10 @@ end % Set them again to the new values. From here on, we are safe, % since a context switch will consult userparams. .setuserparams -} .bind def +} .bind executeonly odef % must be bound and hidden for .forceput /setuserparams { % setuserparams - - .setuserparams2 + {.setuserparams2} stopped + {/setuserparams load $error /errorname get signalerror} if } .bind odef % Initialize user parameters managed here. /JobName () .definepsuserparam @@ -414,7 +415,9 @@ psuserparams /ProcessDSCComment {.checkp % VMReclaim and VMThreshold are user parameters. /setvmthreshold { % setvmthreshold - - mark /VMThreshold 2 .argindex .dicttomark .setuserparams2 pop + mark /VMThreshold 2 .argindex .dicttomark {.setuserparams2} stopped + {pop /setvmthreshold load $error /errorname get signalerror} + {pop} ifelse } odef /vmreclaim { % vmreclaim - dup 0 gt { @@ -426,7 +429,9 @@ psuserparams /ProcessDSCComment {.checkp ifelse } { % VMReclaim userparam controls enable/disable GC - mark /VMReclaim 2 index .dicttomark .setuserparams2 pop + mark /VMReclaim 2 index .dicttomark {.setuserparams2} stopped + {pop /vmreclaim load $error /errorname get signalerror} + {pop} ifelse } ifelse } odef -1 setvmthreshold diff -up ghostscript-9.07/Resource/Init/gs_pdfwr.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_pdfwr.ps --- ghostscript-9.07/Resource/Init/gs_pdfwr.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100 +++ ghostscript-9.07/Resource/Init/gs_pdfwr.ps 2018-12-10 14:51:03.210407233 +0100 @@ -547,8 +547,7 @@ currentdict /.pdfmarkparams .undef } { pop } ifelse -} -bind def +} .bind executeonly odef % must be bound and hidden for .forceput % Use the DSC processing hook to pass DSC comments to the driver. % We use a pseudo-parameter named DSC whose value is an array: diff -up ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_setpd.ps --- ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2018-17961 2018-12-10 14:51:03.194407496 +0100 +++ ghostscript-9.07/Resource/Init/gs_setpd.ps 2018-12-10 14:51:03.210407233 +0100 @@ -544,6 +544,20 @@ NOMEDIAATTRS { % in the dictionary with the policy value, % and we replace the key in the dictionary with its prior value % (or remove it if it had no prior value). + +% Making this an operator means we can properly hide +% the contents - specifically .forceput +/1Policy +{ + % Roll back the failed request to its previous status. + SETPDDEBUG { (Rolling back.) = pstack flush } if + 3 index 2 index 3 -1 roll .forceput + 4 index 1 index .knownget + { 4 index 3 1 roll .forceput } + { 3 index exch .undef } + ifelse +} bind executeonly odef + /.policyprocs mark % These procedures are called with the following on the stack: % @@ -567,14 +581,7 @@ NOMEDIAATTRS { /setpagedevice .systemvar /configurationerror signalerror } ifelse } bind - 1 { % Roll back the failed request to its previous status. -SETPDDEBUG { (Rolling back.) = pstack flush } if - 3 index 2 index 3 -1 roll .forceput - 4 index 1 index .knownget - { 4 index 3 1 roll .forceput } - { 3 index exch .undef } - ifelse - } .bind + 1 /1Policy load 7 { % For PageSize only, just impose the request. 1 index /PageSize eq { pop pop 1 index /PageSize 7 put } @@ -582,6 +589,8 @@ SETPDDEBUG { (Rolling back.) = pstack fl ifelse } bind .dicttomark readonly def +currentdict /1Policy undef + /.applypolicies % .applypolicies % { 1 index /Policies get 1 index diff -up ghostscript-9.07/Resource/Init/gs_typ32.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_typ32.ps --- ghostscript-9.07/Resource/Init/gs_typ32.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100 +++ ghostscript-9.07/Resource/Init/gs_typ32.ps 2018-12-10 14:51:03.211407216 +0100 @@ -79,15 +79,19 @@ systemdict /.removeglyphs .undef .dicttomark /ProcSet defineresource pop /.cidfonttypes where { pop } { /.cidfonttypes 6 dict def } ifelse -.cidfonttypes begin - -4 % CIDFontType 4 = FontType 32 -{ dup /FontType 32 .forceput +/CIDFontType4 +{ + dup /FontType 32 .forceput dup /CharStrings 20 dict .forceput 1 index exch .buildfont32 exch pop -} bind def +} .bind executeonly odef +.cidfonttypes begin + + +4 /CIDFontType4 load def % CIDFontType 4 = FontType 32 end % .cidfonttypes +currentdict /CIDFontType4 .forceundef % Define the BuildGlyph procedure. % Since Type 32 fonts are indexed by CID, there is no BuildChar procedure. diff -up ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/gs_type1.ps --- ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100 +++ ghostscript-9.07/Resource/Init/gs_type1.ps 2018-12-10 14:51:03.211407216 +0100 @@ -215,7 +215,7 @@ currentdict /closesourcedict .undef } if 2 copy /WeightVector exch .forceput .setweightvector -} .bind executeonly def +} .bind executeonly odef end % Register the font types for definefont. diff -up ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_base.ps --- ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100 +++ ghostscript-9.07/Resource/Init/pdf_base.ps 2018-12-10 14:51:03.211407216 +0100 @@ -177,7 +177,7 @@ currentdict /num-chars-dict .undef } ifelse } ifelse } ifelse -} bind def +} bind executeonly odef /PDFScanRules_true << /PDFScanRules //true >> def /PDFScanRules_null << /PDFScanRules //null >> def /.pdfrun { % .pdfrun - diff -up ghostscript-9.07/Resource/Init/pdf_draw.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_draw.ps --- ghostscript-9.07/Resource/Init/pdf_draw.ps.cve-2018-17961 2018-12-10 14:51:03.177407775 +0100 +++ ghostscript-9.07/Resource/Init/pdf_draw.ps 2018-12-10 14:51:03.212407200 +0100 @@ -948,7 +948,7 @@ currentdict end readonly def Q PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if PDFfile exch setfileposition -} bdef +}bind executeonly odef /resolvepattern { % resolvepattern % Don't do the resolvestream now: just capture the data @@ -1809,7 +1809,7 @@ currentdict /last-ditch-bpc-csp undef } if pop /pdfemptycount exch store -} bdef +} bind executeonly odef /_dops_save 1 array def diff -up ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_font.ps --- ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100 +++ ghostscript-9.07/Resource/Init/pdf_font.ps 2018-12-10 14:51:03.213407183 +0100 @@ -641,7 +641,7 @@ currentdict end readonly def } if } if pop pop pop -} bind def +} bind executeonly odef % ---------------- Descriptors ---------------- % @@ -1097,7 +1097,7 @@ currentdict /eexec_pdf_param_dict .undef } bdef dup currentdict Encoding .processToUnicode currentdict end .completefont exch pop -} bdef +} bind executeonly odef /.adjustcharwidth { % .adjustcharwidth % Enforce the metrics, in glyph space, to the values found in the PDF Font object % - force wy == 0 (assumed, and not stored in the PDF font) @@ -1794,7 +1794,7 @@ currentdict /CMap_read_dict undef } if /findresource cvx /undefined signalerror } loop -} bdef +} bind executeonly odef /buildCIDType0 { % buildCIDType0 dup /BaseFont get findCIDFont exch pop @@ -1964,7 +1964,7 @@ currentdict /CMap_read_dict undef /Type0 //buildType0 /Type1 //buildType1 /MMType1 //buildType1 - /Type3 //buildType3 + /Type3 /buildType3 load /TrueType //buildTrueType /CIDFontType0 //buildCIDType0 /CIDFontType2 //buildCIDType2 diff -up ghostscript-9.07/Resource/Init/pdf_main.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_main.ps --- ghostscript-9.07/Resource/Init/pdf_main.ps.cve-2018-17961 2018-12-10 14:51:03.168407922 +0100 +++ ghostscript-9.07/Resource/Init/pdf_main.ps 2018-12-10 14:51:03.213407183 +0100 @@ -382,7 +382,7 @@ currentdict /runpdfstring .undef } forall pop } ifelse -} bind def +} bind executeonly odef currentdict /pdf_collection_files .undef @@ -1878,7 +1878,7 @@ currentdict /PDF2PS_matrix_key undef Repaired % pass Repaired state around the restore PDFSave restore /Repaired exch def -} bind def +} bind executeonly odef % Display the contents of a page (including annotations). /showpagecontents { % showpagecontents - diff -up ghostscript-9.07/Resource/Init/pdf_ops.ps.cve-2018-17961 ghostscript-9.07/Resource/Init/pdf_ops.ps --- ghostscript-9.07/Resource/Init/pdf_ops.ps.cve-2018-17961 2013-02-14 08:58:16.000000000 +0100 +++ ghostscript-9.07/Resource/Init/pdf_ops.ps 2018-12-10 14:51:03.214407167 +0100 @@ -128,7 +128,7 @@ nodict readonly pop { (\n **** File has unbalanced q/Q operators \(too many Q's\) ****\n) pdfformaterror } if -} bdef +} bind executeonly odef % Save PDF gstate /qstate { % - qstate @@ -282,7 +282,7 @@ nodict readonly pop } bdef /ca { /FillConstantAlpha gput } bdef /CA { /StrokeConstantAlpha gput } bdef -/SMask { /SoftMask gput } bdef +/SMask { /SoftMask gput } bind executeonly odef /AIS { /AlphaIsShape gput } bdef /BM { /.setblendmode where {