From 30cd347f37bfb293ffdc407397d1023628400b81 Mon Sep 17 00:00:00 2001
From: Ken Sharp
Date: Mon, 15 Oct 2018 13:35:15 +0100
Subject: [PATCH 1/6] font parsing - prevent SEGV in .cffparse

Bug #699961 "currentcolortransfer procs crash .parsecff" zparsecff checked the operand for being an array (and not a packed array) but the returned procedures from the default currentcolortransfer are arrays, not packed arrays. This led to the code trying to dereference a NULL pointer. Add a specific check for the 'refs' pointer being NULL before we try to use it. Additionally, make the StartData procedure in the CFF Font Resource executeonly to prevent pulling the hidden .parsecff operator out and using it. Finally, extend this to other resource types.
---
 Resource/Init/gs_cff.ps | 4 +--
 Resource/Init/gs_cidcm.ps | 6 ++--
 Resource/Init/gs_ciddc.ps | 4 +--
 Resource/Init/gs_cmap.ps | 2 +-
 Resource/Init/gs_res.ps | 60 +++++++++++++++++++--------------------
 psi/zfont2.c | 4 +++
 6 files changed, 42 insertions(+), 38 deletions(-)

diff --git a/Resource/Init/gs_cff.ps b/Resource/Init/gs_cff.ps
index 20c35a5..b60e374 100644
--- a/Resource/Init/gs_cff.ps
+++ b/Resource/Init/gs_cff.ps
@@ -199,7 +199,7 @@ def
 % ordinary CFF font.
 /StartData { % StartData -
 currentfile exch subfilefilter //false //false ReadData pop
-} bind def
+} bind executeonly def
 /ReadData { % ReadData % Initialize.
@@ -234,7 +234,7 @@ def
 end % FontSetInit ProcSet /FontSet defineresource
-} bind def
+} bind executeonly def
 % ---------------- Resource category definition ---------------- %
diff --git a/Resource/Init/gs_cidcm.ps b/Resource/Init/gs_cidcm.ps
index 0201ea8..60b0fdb 100644
--- a/Resource/Init/gs_cidcm.ps
+++ b/Resource/Init/gs_cidcm.ps
@@ -327,7 +327,7 @@ currentdict end def
 //FindResource exec } ifelse } ifelse
-} bind def
+} bind executeonly def
 /ResourceStatus { % ResourceStatus true % ResourceStatus false
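Review bot: The new `executeonly` on StartData carries no comment recording why the access restriction is there, and the same applies to the second gs_cff.ps hunk (the `} bind executeonly def` at @@ -234, which appears to close ReadData) and to both gs_cidcm.ps hunks (@@ -327 and @@ -359), so a later tidy-up could revert this hardening without noticing. The commit message explains that the restriction keeps the internal .parsecff operator from being read out of a procedure body, but that reasoning lives only in the history, not next to the definitions it protects. Suggest a one-line comment above each affected definition, e.g. `% executeonly: this procedure reaches internal operators and its body must not be readable from user code`. StartData's body visibly calls ReadData, so the two gs_cff.ps hunks form one unit and the comment should appear on both; the bodies of ReadData and of the gs_cidcm.ps procedures begin outside these hunks.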
@@ -359,7 +359,7 @@ currentdict end def
 //false } ifelse } ifelse
-} bind def
+} bind executeonly def
 /ResourceForAll { %