From 485904772c5f0aa1140032746e5a0abfc40f4cef Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 5 Nov 2019 09:45:27 +0000
Subject: [PATCH] Bug 701841: remove .forceput from /.charkeys

When loading Type 1 or Truetype fonts from disk, we attempt to extend the glyph
name table to include all identifiable glyph names from the Adobe Glyph List.

In the case of Type 1 fonts, the font itself (almost always) marks the
CharStrings dictionary as read-only, hence we have to use .forceput for that
case.

But for Truetype fonts, the CharStrings dictionary is created internally and is
not read-only until *after* we have fully populated it (including the extended
glyph names from the AGL), hence there is no need for .forceput, and no need to
carry the security risk of using it.

Replace with regular put.

CVE: CVE-2019-14869
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]

Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
---
 Resource/Init/gs_ttf.ps | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps
index e34967d..5354ff0 100644
--- a/Resource/Init/gs_ttf.ps
+++ b/Resource/Init/gs_ttf.ps
@@ -1301,7 +1301,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
           TTFDEBUG { (\n1 setting alias: ) print dup ==only
                 ( to be the same as  ) print 2 index //== exec } if
 
-          7 index 2 index 3 -1 roll exch .forceput
+          7 index 2 index 3 -1 roll exch put
         } forall
         pop pop pop
       }
@@ -1319,7 +1319,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
           exch pop
           TTFDEBUG { (\n2 setting alias: ) print 1 index ==only
                      ( to use glyph index: ) print dup //== exec } if
-          5 index 3 1 roll .forceput
+          5 index 3 1 roll put
           //false
         }
         {
@@ -1336,7 +1336,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
         {                            %  CharStrings(dict) isunicode(boolean) cmap(dict) RAGL(dict) gname(name) codep(integer) gindex(integer)
           TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only
                 ( to be index: ) print dup //== exec } if
-          exch pop 5 index 3 1 roll .forceput
+          exch pop 5 index 3 1 roll put
         }
         {
           pop pop
@@ -1366,7 +1366,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
       } ifelse
     ]
   TTFDEBUG { (Encoding: ) print dup === flush } if
-} .bind executeonly odef		% hides .forceput
+} .bind odef
 
 % ---------------- CIDFontType 2 font loading ---------------- %
 
-- 
2.20.1