ghostscript/SOURCES/ghostscript-cve-2018-18073.patch
2021-10-08 11:20:11 +00:00

290 lines
12 KiB
Diff

From c76bf1cb7cc419534006631ea139ae20801fd824 Mon Sep 17 00:00:00 2001
From: Nancy Durgin <nancy.durgin@artifex.com>
Date: Tue, 18 Sep 2018 11:54:58 -0700
Subject: [PATCH 1/3] Undefine some additional internal operators.
.type, .writecvs, .setSMask, .currentSMask
These don't seem to be referenced anywhere outside of the initialization code,
which binds their usages. Passes cluster if they are removed.
---
Resource/Init/gs_init.ps | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index 55d6923..4aff036 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -2212,6 +2212,7 @@ SAFER { .setsafeglobal } if
/.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
/.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice
+ /.type /.writecvs /.setSMask /.currentSMask
% Used by a free user in the Library of Congress. Apparently this is used to
% draw a partial page, which is then filled in by the results of a barcode
@@ -2230,7 +2231,7 @@ SAFER { .setsafeglobal } if
% test files/utilities, or engineers expressed a desire to keep them visible.
%
%/currentdevice /.sort /.buildfont0 /.buildfont1 /.buildfont2 /.buildfont3 /.buildfont4 /.buildfont9 /.buildfont10 /.buildfont11
- %/.buildfotn32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors
+ %/.buildfont32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors
%/currentdevice /.quit /.setuseciecolor /.needinput /.setoverprintmode /.special_op /.dicttomark /.knownget
%/.FAPIavailable /.FAPIpassfont /.FAPIrebuildfont /.FAPIBuildGlyph /.FAPIBuildChar /.FAPIBuildGlyph9
%/.tempfile /.numicc_components /.set_outputintent /.max /.min /.vmreclaim /.getpath /.setglobal
--
2.17.2
From f8ccc7dfb990336b1ca55f65f2e1a8ecdcb76adf Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 25 Sep 2018 15:38:14 +0100
Subject: [PATCH 2/3] Bug 699793: Hide the .needinput operator
This removes the .needinput operator from systemdict, ensuring it can only
be used in the initialization code, and not called erroneously from random
Postscript.
---
Resource/Init/gs_init.ps | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index 4aff036..6a5c1df 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -831,12 +831,26 @@ userdict /.currentresourcefile //null put
/.runstring {
0 0 .systemvmstring .systemvmSFD cvx { .runexec } execute0
} bind def
+
% Define the procedure that the C code uses to set up for executing
% a string that may be received in pieces.
+%
+% Immediate evaluation doesn't work on operators (like .needinput)
+% so calling .runstringbegin will throw an undefined error if we
+% undefined .needinput so it cannot be accessed outside the init
+% code. But, we can store the operator in an array, use immediate
+% evaluation on the array to get the operator, then undefined the
+% array (and because they are both of the same name, the operator
+% get undefined too).
+% This prevents random Postscript from erroneously calling .needinput
+% and forcing the interpreter into an invalid state.
+/.needinput
+1 .systemvmarray dup 0 /.needinput load put
+def
/.runstringbegin {
- 1 .systemvmarray dup 0 /.needinput load put cvx % { .needinput } in systemvm
+ 1 .systemvmarray dup 0 //.needinput 0 get put cvx % { .needinput } in systemvm
0 0 .systemvmstring .systemvmSFD cvx .runexec
-} bind def
+} bind executeonly def
% Define a special version of runlibfile that aborts on errors.
/runlibfile0
@@ -2212,7 +2226,7 @@ SAFER { .setsafeglobal } if
/.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
/.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice
- /.type /.writecvs /.setSMask /.currentSMask
+ /.type /.writecvs /.setSMask /.currentSMask /.needinput
% Used by a free user in the Library of Congress. Apparently this is used to
% draw a partial page, which is then filled in by the results of a barcode
--
2.17.2
From 34cc326eb2c5695833361887fe0b32e8d987741c Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 10 Oct 2018 15:38:10 +0100
Subject: [PATCH 3/3] Bug 699927: don't include operator arrays in execstack
output
When we transfer the contents of the execution stack into the array, take the
extra step of replacing any operator arrays on the stack with the operator
that reference them.
This prevents the contents of Postscript defined, internal only operators (those
created with .makeoperator) being exposed via execstack (and thus, via error
handling).
This necessitates a change in the resource remapping 'resource', which contains
a procedure which relies on the contents of the operators arrays being present.
As we already had internal-only variants of countexecstack and execstack
(.countexecstack and .execstack) - using those, and leaving thier operation
including the operator arrays means the procedure continues to work correctly.
Both .countexecstack and .execstack are undefined after initialization.
Also, when we store the execstack (or part thereof) for an execstackoverflow
error, make the same oparray/operator substitution as above for execstack.
---
Resource/Init/gs_init.ps | 4 ++--
Resource/Init/gs_resmp.ps | 2 +-
psi/int.mak | 2 +-
psi/interp.c | 14 +++++++++++---
psi/interp.h | 2 ++
psi/zcontrol.c | 13 ++++++++++---
6 files changed, 27 insertions(+), 10 deletions(-)
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index 6a5c1df..5bec480 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -2187,7 +2187,7 @@ SAFER { .setsafeglobal } if
%% but can be easily restored (just delete the name from the list in the array). In future
%% we may remove the operator and the code implementation entirely.
[
- /.bitadd /.charboxpath /.cond /.countexecstack /.execstack /.runandhide /.popdevicefilter
+ /.bitadd /.charboxpath /.cond /.runandhide /.popdevicefilter
/.execfile /.filenamesplit /.file_name_parent
/.setdefaultmatrix /.isprocfilter /.unread /.psstringencode
/.buildsampledfunction /.isencapfunction /.currentaccuratecurves /.currentcurvejoin /.currentdashadapt /.currentdotlength
@@ -2226,7 +2226,7 @@ SAFER { .setsafeglobal } if
/.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
/.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice
- /.type /.writecvs /.setSMask /.currentSMask /.needinput
+ /.type /.writecvs /.setSMask /.currentSMask /.needinput /.countexecstack /.execstack
% Used by a free user in the Library of Congress. Apparently this is used to
% draw a partial page, which is then filled in by the results of a barcode
diff --git a/Resource/Init/gs_resmp.ps b/Resource/Init/gs_resmp.ps
index 7cacaf8..9bb4263 100644
--- a/Resource/Init/gs_resmp.ps
+++ b/Resource/Init/gs_resmp.ps
@@ -183,7 +183,7 @@ setpacking
% We don't check them.
currentglobal //false setglobal % <object> bGlobal
- countexecstack array execstack % <object> bGlobal [execstack]
+ //false .countexecstack array //false .execstack % <object> bGlobal [execstack]
dup //null exch % <object> bGlobal [execstack] null [execstack]
length 3 sub -1 0 { % <object> bGlobal [execstack] null i
2 index exch get % <object> bGlobal [execstack] null proc
diff --git a/psi/int.mak b/psi/int.mak
index 5d9b3d5..6ab5bf0 100644
--- a/psi/int.mak
+++ b/psi/int.mak
@@ -323,7 +323,7 @@ $(PSOBJ)zarray.$(OBJ) : $(PSSRC)zarray.c $(OP) $(memory__h)\
$(PSOBJ)zcontrol.$(OBJ) : $(PSSRC)zcontrol.c $(OP) $(string__h)\
$(estack_h) $(files_h) $(ipacked_h) $(iutil_h) $(store_h) $(stream_h)\
- $(INT_MAK) $(MAKEDIRS)
+ $(interp_h) $(INT_MAK) $(MAKEDIRS)
$(PSCC) $(PSO_)zcontrol.$(OBJ) $(C_) $(PSSRC)zcontrol.c
$(PSOBJ)zdict.$(OBJ) : $(PSSRC)zdict.c $(OP)\
diff --git a/psi/interp.c b/psi/interp.c
index 3dd5f7a..1dec9b6 100644
--- a/psi/interp.c
+++ b/psi/interp.c
@@ -142,7 +142,6 @@ static int oparray_pop(i_ctx_t *);
static int oparray_cleanup(i_ctx_t *);
static int zerrorexec(i_ctx_t *);
static int zfinderrorobject(i_ctx_t *);
-static int errorexec_find(i_ctx_t *, ref *);
static int errorexec_pop(i_ctx_t *);
static int errorexec_cleanup(i_ctx_t *);
static int zsetstackprotect(i_ctx_t *);
@@ -737,7 +736,7 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr)
{
uint size = ref_stack_count(pstack) - skip;
uint save_space = ialloc_space(idmemory);
- int code;
+ int code, i;
if (size > 65535)
size = 65535;
@@ -746,6 +745,15 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr)
if (code >= 0)
code = ref_stack_store(pstack, arr, size, 0, 1, true, idmemory,
"copy_stack");
+ /* If we are copying the exec stack, try to replace any oparrays with
+ * with the operator than references them
+ */
+ if (pstack == &e_stack) {
+ for (i = 0; i < size; i++) {
+ if (errorexec_find(i_ctx_p, &arr->value.refs[i]) < 0)
+ make_null(&arr->value.refs[i]);
+ }
+ }
ialloc_set_space(idmemory, save_space);
return code;
}
@@ -1910,7 +1918,7 @@ zfinderrorobject(i_ctx_t *i_ctx_p)
* .errorexec with errobj != null, store it in *perror_object and return 1,
* otherwise return 0;
*/
-static int
+int
errorexec_find(i_ctx_t *i_ctx_p, ref *perror_object)
{
long i;
diff --git a/psi/interp.h b/psi/interp.h
index e9275b9..4f551d1 100644
--- a/psi/interp.h
+++ b/psi/interp.h
@@ -91,5 +91,7 @@ void gs_interp_reset(i_ctx_t *i_ctx_p);
/* Define the top-level interface to the interpreter. */
int gs_interpret(i_ctx_t **pi_ctx_p, ref * pref, int user_errors,
int *pexit_code, ref * perror_object);
+int
+errorexec_find(i_ctx_t *i_ctx_p, ref *perror_object);
#endif /* interp_INCLUDED */
diff --git a/psi/zcontrol.c b/psi/zcontrol.c
index 36da22c..0362cf4 100644
--- a/psi/zcontrol.c
+++ b/psi/zcontrol.c
@@ -24,6 +24,7 @@
#include "ipacked.h"
#include "iutil.h"
#include "store.h"
+#include "interp.h"
/* Forward references */
static int check_for_exec(const_os_ptr);
@@ -787,7 +788,7 @@ zexecstack2(i_ctx_t *i_ctx_p)
/* Continuation operator to do the actual transfer. */
/* r_size(op1) was set just above. */
static int
-do_execstack(i_ctx_t *i_ctx_p, bool include_marks, os_ptr op1)
+do_execstack(i_ctx_t *i_ctx_p, bool include_marks, bool include_oparrays, os_ptr op1)
{
os_ptr op = osp;
ref *arefs = op1->value.refs;
@@ -829,6 +830,12 @@ do_execstack(i_ctx_t *i_ctx_p, bool include_marks, os_ptr op1)
strlen(tname), (const byte *)tname);
break;
}
+ case t_array:
+ case t_shortarray:
+ case t_mixedarray:
+ if (!include_oparrays && errorexec_find(i_ctx_p, rq) < 0)
+ make_null(rq);
+ break;
default:
;
}
@@ -841,14 +848,14 @@ execstack_continue(i_ctx_t *i_ctx_p)
{
os_ptr op = osp;
- return do_execstack(i_ctx_p, false, op);
+ return do_execstack(i_ctx_p, false, false, op);
}
static int
execstack2_continue(i_ctx_t *i_ctx_p)
{
os_ptr op = osp;
- return do_execstack(i_ctx_p, op->value.boolval, op - 1);
+ return do_execstack(i_ctx_p, op->value.boolval, true, op - 1);
}
/* - .needinput - */
--
2.17.2