From 1e830cafa56c6e3e1b08d246eaf5496fe81a0032 Mon Sep 17 00:00:00 2001
From: Nancy Durgin
Date: Tue, 27 Nov 2018 12:36:14 -0800
Subject: [PATCH 5/7] Undef a bunch of internal things in gs_res.ps
CVE: CVE-2019-6116
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
Signed-off-by: Ovidiu Panait
---
Resource/Init/gs_res.ps | 72 +++++++++++++++++++++++++--------------
Resource/Init/gs_resmp.ps | 4 +--
2 files changed, 49 insertions(+), 27 deletions(-)
diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
index d9b3459..18d5452 100644
--- a/Resource/Init/gs_res.ps
+++ b/Resource/Init/gs_res.ps
@@ -197,7 +197,7 @@ setglobal /.findresource { % findresource 2 copy dup /Category eq { pop //Category 0 get begin } { .findcategory } ifelse - /FindResource .resourceexec exch pop exch pop + /FindResource //.resourceexec exec exch pop exch pop } bind end % .Instances of Category def
@@ -223,7 +223,7 @@ def not { /defineresource cvx /typecheck signaloperror } if } if } if - /DefineResource .resourceexec + /DefineResource //.resourceexec exec 4 1 roll pop pop pop } .errorexec } bind executeonly odef
@@ -252,7 +252,7 @@ def % without the check. /resourcestatus cvx /typecheck signalerror } if - 2 copy .findcategory /ResourceStatus .resourceexec + 2 copy .findcategory /ResourceStatus //.resourceexec exec { 4 2 roll pop pop //true } { pop pop //false } ifelse } stopped { % Although resourcestatus is an operator, Adobe uses executable name
@@ -266,7 +266,7 @@ def } if 1 .argindex 1 index % catch stackunderflow - { .findcategory /UndefineResource .resourceexec pop pop + { .findcategory /UndefineResource //.resourceexec exec pop pop } stopped { % Although undefineresource is an operator, Adobe uses executable name % here but uses operator for the errors above. CET 23-33
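Review bot: The `//.resourceexec exec` form introduced in the hunk at -197 (and repeated at -223, -252, -266 and through the rest of the patch) carries no comment explaining it, so a later edit could easily drop the `exec` or revert to the bare name and quietly undo the hardening. I would add one comment at the first use, for example `% //name embeds the procedure at scan time so the name can be undefined later; exec is needed because an embedded procedure is pushed, not run`. It is also worth stating there that the definition has to appear earlier in the file, since an immediately evaluated name that is not yet defined fails while the file is being read.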
@@ -315,10 +315,10 @@ currentdict /pssystemparams known not { /pssystemparams 10 dict readonly def } if pssystemparams begin - .default_resource_dir - /FontResourceDir (Font) .resource_dir_name + //.default_resource_dir exec + /FontResourceDir (Font) //.resource_dir_name exec readonly .forcedef % pssys'params is r-o - /GenericResourceDir () .resource_dir_name + /GenericResourceDir () //.resource_dir_name exec readonly .forcedef % pssys'params is r-o pop % .default_resource_dir /GenericResourcePathSep
@@ -387,13 +387,13 @@ status { } bind def /.localresourceforall { % .localr'forall - exch pop - 2 copy 0 get .stringmatch { .enumerateresource } { pop pop } ifelse + 2 copy 0 get .stringmatch { //.enumerateresource exec } { pop pop } ifelse } bind def /.globalresourceforall { % .globalr'forall - exch pop 2 copy 0 get .stringmatch { dup 3 get begin .LocalInstances end 2 index known not { - .enumerateresource + //.enumerateresource exec } { pop pop } ifelse
@@ -408,7 +408,7 @@ status { 3 index known { pop pop pop } { - 2 index known { pop pop } { .enumerateresource } ifelse + 2 index known { pop pop } { //.enumerateresource exec } ifelse } ifelse } bind def
@@ -468,19 +468,19 @@ status { % .knownget doesn't fail on null /findresource cvx /typecheck signaloperror } if - dup .getvminstance { + dup //.getvminstance exec { exch pop 0 get } { dup ResourceStatus { pop 1 gt { - .DoLoadResource .getvminstance not { - /findresource cvx .undefinedresource + .DoLoadResource //.getvminstance exec not { + /findresource cvx //.undefinedresource exec } if 0 get } { .GetInstance pop 0 get } ifelse } { - /findresource cvx .undefinedresource + /findresource cvx //.undefinedresource exec } ifelse } ifelse } bind executeonly
@@ -621,7 +621,7 @@ status { .currentglobal not .setglobal vmstatus pop exch pop add } repeat -} bind def +} bind executeonly odef /.DoLoadResource { % .LoadResource may push entries on the operand stack. % It is an undocumented feature of Adobe implementations,
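Review bot: `.vmused` is the one internal in this patch that is hidden by a different mechanism from the rest: the hunk at -621 turns it into an `executeonly odef` pseudo-operator, while its use in .DoLoadResource (`.vmused exch sub`, visible as context in the hunk at -633) stays a bare name. That presumably works because `bind` replaces operator names with their values, but it makes the later `.forceundef` of /.vmused depend on every caller being bound after this definition, which cannot be confirmed from the hunks shown. I would either reference it as `//.vmused` at the call site, in line with the other internals, or add a comment here such as `% odef so that bound callers hold the operator itself; the name is undefined at the end of this file`. The start of the .vmused procedure is outside the hunk.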
@@ -633,8 +633,8 @@ status { {.LoadResource} 4 1 roll 4 .execn % Stack: ... count key memused .vmused exch sub - 1 index .getvminstance not { - pop dup .undefinedresource % didn't load + 1 index //.getvminstance exec not { + pop dup //.undefinedresource exec % didn't load } if dup 1 1 put 2 3 -1 roll put
@@ -648,7 +648,7 @@ status { { //true setglobal { .runresource } stopped //false setglobal { stop } if } ifelse } - { dup .undefinedresource + { dup //.undefinedresource exec } ifelse } bind
@@ -758,7 +758,7 @@ counttomark 2 idiv /FindResource { .Instances 1 index .knownget { exch pop } - { /findresource cvx .undefinedresource } + { /findresource cvx //.undefinedresource exec } ifelse } bind executeonly /ResourceStatus
@@ -862,7 +862,7 @@ userdict /.localcsdefaults //false put 2 copy /Generic /Category findresource /DefineResource get exec exch pop exch //.defaultcsnames exch .knownget { - 1 index .definedefaultcs + 1 index //.definedefaultcs exec currentglobal not { .userdict /.localcsdefaults //true put } if } if } bind executeonly
@@ -872,13 +872,13 @@ userdict /.localcsdefaults //false put //.defaultcsnames 1 index .knownget { % Stack: resname index currentglobal { - .undefinedefaultcs pop + //.undefinedefaultcs exec pop } { % We removed the local definition, but there might be a global one. exch .GetInstance { - 0 get .definedefaultcs + 0 get //.definedefaultcs exec } { - .undefinedefaultcs + //.undefinedefaultcs exec } ifelse % Recompute .localcsdefaults by scanning. This is rarely needed. .userdict /.localcsdefaults //false //.defaultcsnames {
@@ -997,7 +997,7 @@ currentdict /.fontstatusaux .undef /Generic /Category findresource /UndefineResource get exec } bind executeonly /FindResource { - dup .getvminstance { + dup //.getvminstance exec { exch pop 0 get } { dup ResourceStatus {
@@ -1024,7 +1024,7 @@ currentdict /.fontstatusaux .undef % stack: name font vmused % findfont has the prerogative of not calling definefont % in certain obscure cases of font substitution. - 2 index .getvminstance { + 2 index //.getvminstance exec { dup 1 1 put 2 3 -1 roll put } {
@@ -1159,3 +1159,25 @@ end % level2dict %% Replace 1 (gs_resmp.ps) (gs_resmp.ps) dup runlibfile VMDEBUG
+
+[
+ /.default_resource_dir
+ /.resource_dir_name
+]
+{systemdict exch .forceundef} forall
+
+[
+ /.definedefaultcs
+ /.undefinedefaultcs
+ /.defaultcsnames
+ /.enumerateresource
+ /.externalresourceforall
+ /.getvminstance
+ /.globalresourceforall
+ /.localresourceforall
+ /resourceforall1
+ /.resourceexec
+ /.undefinedresource
+ /.vmused
+]
+{level2dict exch .forceundef} forall
diff --git a/Resource/Init/gs_resmp.ps b/Resource/Init/gs_resmp.ps
index 9bb4263..cb948d1 100644
--- a/Resource/Init/gs_resmp.ps
+++ b/Resource/Init/gs_resmp.ps
@@ -230,7 +230,7 @@ currentpacking //false setpacking } { dup dup .map exch .knownget { % /Name /Name <> dup dup /RecordVirtualMethods get /IsActive get exec { - 1 index .getvminstance { % /Name /Name <> holder + 1 index //.getvminstance exec { % /Name /Name <> holder 1 get 1 eq } { //true
@@ -242,7 +242,7 @@ currentpacking //false setpacking DefineResource exec % size bStatusIs1 /Name Instance % Make ResourceStatus to return correct values for this instance : % Hack: we replace status values in the instance holder : - exch .getvminstance pop % size bStatusIs1 Instance holder + exch //.getvminstance exec pop % size bStatusIs1 Instance holder dup 5 -1 roll 2 exch put % bStatusIs1 Instance holder 3 2 roll { % Instance holder 1 1 put % Instance
--
2.18.1
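Review bot: The two `.forceundef` loops added at the end of gs_res.ps (hunk at -1159) fail silently when a list entry is misspelled or lives in the other dictionary, because undefining a key that is not present is not an error in PostScript; the internal name would then stay reachable and nothing would report it. Since one list targets `systemdict` and the other `level2dict`, and `/resourceforall1` is the only entry without a leading dot, I would confirm each name against its defining dictionary and consider an init-time check in debug builds such as `{level2dict exch 2 copy known not { dup == } if .forceundef} forall`, so that a stale entry is noticed. The list also removes `.externalresourceforall`, `.globalresourceforall`, `.localresourceforall` and `resourceforall1`, whose callers no hunk here touches; any remaining late-bound reference to them would raise /undefined at run time, so those call sites need checking in the full file.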
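Review bot: gs_resmp.ps now depends on load order in a way the file does not document: `//.getvminstance` in the hunk at -230 (and again at -242) is resolved while this file is being read, and the same patch undefines /.getvminstance at the end of gs_res.ps, directly after the `(gs_resmp.ps) dup runlibfile` line that appears as context there. If this file were ever run from another place, or later in initialization, the immediate lookup would fail at load. I would add a header comment such as `% Must be run from gs_res.ps before its final .forceundef block: .getvminstance is not defined after that point`. Both procedures start and end outside their hunks.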