path: root/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0007.patch
blob: 5c1f839597177619bc6471dfd5ed3ccbde51c5a7 (plain)
From 5c49efe24dda0f2dbd2a09b9159e683cce99b6d8 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Fri, 11 Jan 2019 13:36:36 +0000
Subject: [PATCH 7/7] Remove .forcedef, and harden .force* ops more

Remove .forcedef and replace all uses with a direct call to .forceput instead.

Ensure every procedure (named and transient) that calls .forceput is
executeonly.

CVE: CVE-2019-6116
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
---
 Resource/Init/gs_dps1.ps  | 15 +++++++-----
 Resource/Init/gs_init.ps  | 28 ++++++++-------------
 Resource/Init/gs_lev2.ps  | 51 +++++++++++++++++++--------------------
 Resource/Init/gs_ll3.ps   |  5 ++--
 Resource/Init/gs_res.ps   | 29 +++++++++++-----------
 Resource/Init/gs_statd.ps |  4 +--
 6 files changed, 63 insertions(+), 69 deletions(-)

diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
index 8700c8c..3d2cf7a 100644
--- a/Resource/Init/gs_dps1.ps
+++ b/Resource/Init/gs_dps1.ps
@@ -33,14 +33,17 @@ systemdict begin
 
 /SharedFontDirectory .FontDirectory .gcheck
  { .currentglobal //false .setglobal
+   currentdict
    /LocalFontDirectory .FontDirectory dup maxlength dict copy
-   .forcedef	% LocalFontDirectory is local, systemdict is global
+   .forceput	% LocalFontDirectory is local, systemdict is global
    .setglobal .FontDirectory
- }
- { /LocalFontDirectory .FontDirectory
-   .forcedef	% LocalFontDirectory is local, systemdict is global
+ } executeonly
+ {
+   currentdict
+   /LocalFontDirectory .FontDirectory
+   .forceput	% LocalFontDirectory is local, systemdict is global
    50 dict
- }
+ }executeonly
 ifelse def
 
 end				% systemdict
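Review bot: Both `.forceput` calls in this hunk take their target from `currentdict`, so the dictionary that receives the access-check-bypassing write is decided by the dictionary stack at that moment, not by the code. The hunk header (`systemdict begin`) and the trailing comment suggest the target is systemdict, and the localinstancedict hunk in gs_res.ps in this same patch already names it directly, so `systemdict /LocalFontDirectory .FontDirectory .forceput` would state the intent and survive a later change to the surrounding `begin`/`end`. If the target is systemdict there as well, the same applies to the `$error`, `errordict`, `FontDirectory` and `userparams` writes in gs_init.ps, the `statusdict` write in gs_lev2.ps, and both writes in gs_statd.ps. As a style point, `}executeonly` on the second procedure is missing the space used in `} executeonly` a few lines above.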
@@ -55,7 +58,7 @@ level2dict begin
     { //SharedFontDirectory }
     { /LocalFontDirectory .systemvar }	% can't embed ref to local VM
    ifelse .forceput pop	% LocalFontDirectory is local, systemdict is global
- } .bind odef
+ } .bind executeonly odef
 % Don't just copy (load) the definition of .setglobal:
 % it gets redefined for LL3.
 /setshared { /.setglobal .systemvar exec } odef
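Review bot: The added `executeonly` on `} .bind executeonly odef` carries no comment saying why it is there, so a later cleanup could drop it without noticing that it is the hardening. gs_res.ps in this patch documents the same attribute with `% executeonly to prevent access to .forceput`; I would put that comment on this line too. The same goes for the uncommented `} executeonly` additions in gs_init.ps (the hunks at -54, -347, -655 and -2368) and the two procedures in the first gs_dps1.ps hunk. The procedure body starts above this hunk, so only its closing line is visible here.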
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index d9a0829..45bebf4 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -54,7 +54,7 @@ systemdict exch
    dup /userdict
    currentdict dup 200 .setmaxlength		% userdict
    .forceput			% userdict is local, systemdict is global
- }
+ } executeonly
 if begin
 
 % Define dummy local/global operators if needed.
@@ -299,13 +299,6 @@ QUIET not { printgreeting flush } if
   1 index exch .makeoperator def
 } .bind def
 
-% Define a special version of def for storing local objects into global
-% dictionaries.  Like .forceput, this exists only during initialization.
-/.forcedef {		% <key> <value> .forcedef -
-  1 .argindex pop	% check # of args
-  currentdict 3 1 roll .forceput
-} .bind odef
-
 % Define procedures for accessing variables in systemdict and userdict
 % regardless of the contents of the dictionary stack.
 /.systemvar {		% <name> .systemvar <value>
@@ -347,7 +340,7 @@ DELAYBIND
        }
       ifelse
     } .bind def
-} if
+} executeonly if
 
 %**************** BACKWARD COMPATIBILITY ****************
 /hwsizedict mark /HWSize //null .dicttomark readonly def
@@ -655,7 +648,7 @@ currentdict /.typenames .undef
       /ifelse .systemvar
     ] cvx executeonly
   exch .setglobal
-} odef
+} executeonly odef
 systemdict /internaldict dup .makeinternaldict .makeoperator
 .forceput		% proc is local, systemdict is global
 
@@ -1093,7 +1086,7 @@ def
 
 % Define $error.  This must be in local VM.
 .currentglobal //false .setglobal
-/$error 40 dict .forcedef	% $error is local, systemdict is global
+currentdict /$error 40 dict .forceput	% $error is local, systemdict is global
                 % newerror, errorname, command, errorinfo,
                 % ostack, estack, dstack, recordstacks,
                 % binary, globalmode,
@@ -1112,8 +1105,8 @@ end
 % Define errordict similarly.  It has one entry per error name,
 %   plus handleerror.  However, some astonishingly badly written PostScript
 %   files require it to have at least one empty slot.
-/errordict ErrorNames length 3 add dict
-.forcedef		% errordict is local, systemdict is global
+currentdict /errordict ErrorNames length 3 add dict
+.forceput		% errordict is local, systemdict is global
 .setglobal		% back to global VM
 %  gserrordict contains all the default error handling methods, but unlike
 %  errordict it is noaccess after creation (also it is in global VM).
@@ -1273,8 +1266,9 @@ end
 (END PROCS) VMDEBUG
 
 % Define the font directory.
+currentdict
 /FontDirectory //false .setglobal 100 dict //true .setglobal
-.forcedef		% FontDirectory is local, systemdict is global
+.forceput		% FontDirectory is local, systemdict is global
 
 % Define the encoding dictionary.
 /EncodingDirectory 16 dict def	% enough for Level 2 + PDF standard encodings
@@ -2333,7 +2327,6 @@ SAFER { .setsafeglobal } if
   //systemdict /UndefinePostScriptOperators get exec
   //systemdict /UndefinePDFOperators get exec
   //systemdict /.forcecopynew .forceundef	% remove temptation
-  //systemdict /.forcedef .forceundef		% ditto
   //systemdict /.forceput .forceundef		% ditto
   //systemdict /.undef .forceundef		    % ditto
   //systemdict /.forceundef .forceundef		% ditto
@@ -2368,9 +2361,9 @@ SAFER { .setsafeglobal } if
         % (and, if implemented, context switching).
   .currentglobal //false .setglobal
      mark userparams { } forall .dicttomark readonly
-     /userparams exch .forcedef		% systemdict is read-only
+     currentdict exch /userparams exch .forceput		% systemdict is read-only
   .setglobal
-} if
+} executeonly if
 /.currentsystemparams where {
   pop
         % Remove real system params from pssystemparams.
@@ -2458,7 +2451,6 @@ end
 DELAYBIND not {
   systemdict /.bindnow .undef       % We only need this for DELAYBIND
   systemdict /.forcecopynew .undef	% remove temptation
-  systemdict /.forcedef .undef		% ditto
   systemdict /.forceput .undef		% ditto
   systemdict /.forceundef .undef	% ditto
 } if
diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
index 0f0d573..9c0c3a6 100644
--- a/Resource/Init/gs_lev2.ps
+++ b/Resource/Init/gs_lev2.ps
@@ -304,31 +304,30 @@ end
     psuserparams exch /.checkFilePermitparams load put
   .setglobal
 
-pssystemparams begin
-  /CurDisplayList 0 .forcedef
-  /CurFormCache 0 .forcedef
-  /CurInputDevice () .forcedef
-  /CurOutlineCache 0 .forcedef
-  /CurOutputDevice () .forcedef
-  /CurPatternCache 0 .forcedef
-  /CurUPathCache 0 .forcedef
-  /CurScreenStorage 0 .forcedef
-  /CurSourceList 0 .forcedef
-  /DoPrintErrors //false .forcedef
-  /JobTimeout 0 .forcedef
-  /LicenseID (LN-001) .forcedef     % bogus
-  /MaxDisplayList 140000 .forcedef
-  /MaxFormCache 100000 .forcedef
-  /MaxImageBuffer 524288 .forcedef
-  /MaxOutlineCache 65000 .forcedef
-  /MaxPatternCache 100000 .forcedef
-  /MaxUPathCache 300000 .forcedef
-  /MaxScreenStorage 84000 .forcedef
-  /MaxSourceList 25000 .forcedef
-  /PrinterName product .forcedef
-  /RamSize 4194304 .forcedef
-  /WaitTimeout 40 .forcedef
-end
+pssystemparams
+dup /CurDisplayList 0 .forceput
+dup /CurFormCache 0 .forceput
+dup /CurInputDevice () .forceput
+dup /CurOutlineCache 0 .forceput
+dup /CurOutputDevice () .forceput
+dup /CurPatternCache 0 .forceput
+dup /CurUPathCache 0 .forceput
+dup /CurScreenStorage 0 .forceput
+dup /CurSourceList 0 .forceput
+dup /DoPrintErrors //false .forceput
+dup /JobTimeout 0 .forceput
+dup /LicenseID (LN-001) .forceput     % bogus
+dup /MaxDisplayList 140000 .forceput
+dup /MaxFormCache 100000 .forceput
+dup /MaxImageBuffer 524288 .forceput
+dup /MaxOutlineCache 65000 .forceput
+dup /MaxPatternCache 100000 .forceput
+dup /MaxUPathCache 300000 .forceput
+dup /MaxScreenStorage 84000 .forceput
+dup /MaxSourceList 25000 .forceput
+dup /PrinterName product .forceput
+dup /RamSize 4194304 .forceput
+    /WaitTimeout 40 .forceput
 
 % Define the procedures for handling comment scanning.  The names
 % %ProcessComment and %ProcessDSCComment are known to the interpreter.
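Review bot: The final `/WaitTimeout 40 .forceput` line deliberately has no `dup`, so it consumes the `pssystemparams` reference that every earlier line duplicated, but nothing marks that beyond the indentation. An entry appended after it without a `dup` on the previous line would run `.forceput` against whatever is then on the operand stack. A short comment on that line would make the invariant visible, for example `% last entry: no dup, consumes the pssystemparams reference`.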
@@ -710,7 +709,7 @@ pop		% currentsystemparams
 /statusdict currentdict def
 
 currentdict end
-/statusdict exch .forcedef	% statusdict is local, systemdict is global
+currentdict exch /statusdict exch .forceput	% statusdict is local, systemdict is global
 
 % The following compatibility operators are in systemdict.  They are
 % defined here, rather than in gs_init.ps, because they require the
diff --git a/Resource/Init/gs_ll3.ps b/Resource/Init/gs_ll3.ps
index c86721f..881af44 100644
--- a/Resource/Init/gs_ll3.ps
+++ b/Resource/Init/gs_ll3.ps
@@ -521,9 +521,8 @@ end
 % Define additional user and system parameters.
 /HalftoneMode 0 .definepsuserparam
 /MaxSuperScreen 1016 .definepsuserparam
-pssystemparams begin		% read-only, so use .forcedef
-  /MaxDisplayAndSourceList 160000 .forcedef
-end
+% read-only, so use .forceput
+pssystemparams  /MaxDisplayAndSourceList 160000 .forceput
 
 % Define the IdiomSet resource category.
 { /IdiomSet } {
diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
index b016113..89c0ed6 100644
--- a/Resource/Init/gs_res.ps
+++ b/Resource/Init/gs_res.ps
@@ -41,10 +41,10 @@ level2dict begin
 % However, Ed Taft of Adobe says their interpreters don't implement this
 % either, so we aren't going to worry about it for a while.
 
-currentglobal //false setglobal systemdict begin
-  /localinstancedict 5 dict
-  .forcedef	% localinstancedict is local, systemdict is global
-end //true setglobal
+currentglobal //false setglobal
+  systemdict /localinstancedict 5 dict
+  .forceput	% localinstancedict is local, systemdict is global
+//true setglobal
 /.emptydict 0 dict readonly def
 setglobal
 
@@ -149,7 +149,7 @@ setglobal
           dup [ exch 0 -1 ] exch
           .Instances 4 2 roll put
                 % Make the Category dictionary read-only.  We will have to
-                % use .forceput / .forcedef later to replace the dummy,
+                % use .forceput / .forceput later to replace the dummy,
                 % empty .Instances dictionary with the real one later.
           readonly
         }{
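Review bot: The comment now reads `use .forceput / .forceput later`, which is a leftover from the mechanical rename of `.forcedef`; the sentence also ends with a second "later". I would reword the two comment lines to `% use .forceput later to replace the dummy,` and `% empty .Instances dictionary with the real one.` so the comment names the one remaining operator. The enclosing procedure starts and ends outside this hunk.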
@@ -304,7 +304,8 @@ systemdict begin
      dup () ne {
      .file_name_directory_separator concatstrings
     } if
-    2 index exch //false .file_name_combine not {
+    2 index exch //false
+    .file_name_combine not {
       (Error: .default_resource_dir returned ) print exch print ( that can't combine with ) print =
       /.default_resource_dir cvx /configurationerror signalerror
     } if
@@ -317,14 +318,14 @@ currentdict /pssystemparams known not {
 pssystemparams begin
   //.default_resource_dir exec
   /FontResourceDir (Font) //.resource_dir_name exec
-     readonly .forcedef	% pssys'params is r-o
+     readonly currentdict 3 1 roll .forceput	% pssys'params is r-o
   /GenericResourceDir () //.resource_dir_name exec
-     readonly .forcedef	% pssys'params is r-o
+     readonly currentdict 3 1 roll .forceput	% pssys'params is r-o
   pop % .default_resource_dir
   /GenericResourcePathSep
-        .file_name_separator readonly .forcedef		% pssys'params is r-o
-  (%diskFontResourceDir) cvn (/Resource/Font/) readonly .forcedef	% pssys'params is r-o
-  (%diskGenericResourceDir) cvn (/Resource/) readonly .forcedef	% pssys'params is r-o
+        .file_name_separator readonly currentdict 3 1 roll .forceput		% pssys'params is r-o
+  currentdict (%diskFontResourceDir) cvn (/Resource/Font/) readonly .forceput	% pssys'params is r-o
+  currentdict (%diskGenericResourceDir) cvn (/Resource/) readonly .forceput	% pssys'params is r-o
 end
 end
 
@@ -422,8 +423,8 @@ status {
                 .Instances dup //.emptydict eq {
                   pop 3 dict
                         % As noted above, Category dictionaries are read-only,
-                        % so we have to use .forcedef here.
-                  /.Instances 1 index .forcedef	% Category dict is read-only
+                        % so we have to use .forceput here.
+                  currentdict /.Instances 2 index .forceput	% Category dict is read-only
                 } executeonly if
               }
               { .LocalInstances dup //.emptydict eq
@@ -441,7 +442,7 @@ status {
            { /defineresource cvx /typecheck signaloperror
            }
         ifelse
-} .bind executeonly .makeoperator		% executeonly to prevent access to .forcedef
+} .bind executeonly .makeoperator		% executeonly to prevent access to .forceput
 /UndefineResource
         {  { dup 2 index .knownget
               { dup 1 get 1 ge
diff --git a/Resource/Init/gs_statd.ps b/Resource/Init/gs_statd.ps
index 20d4c96..b6a7659 100644
--- a/Resource/Init/gs_statd.ps
+++ b/Resource/Init/gs_statd.ps
@@ -21,10 +21,10 @@ systemdict begin
         % We make statusdict a little larger for Level 2 stuff.
         % Note that it must be allocated in local VM.
  .currentglobal //false .setglobal
- /statusdict 91 dict .forcedef		% statusdict is local, sys'dict global
+ currentdict /statusdict 91 dict .forceput		% statusdict is local, sys'dict global
         % To support the Level 2 job control features,
         % serverdict must also be in local VM.
- /serverdict 10 dict .forcedef		% serverdict is local, sys'dict global
+ currentdict /serverdict 10 dict .forceput		% serverdict is local, sys'dict global
  .setglobal
 end
 
-- 
2.18.1