Commit | Line | Data |
---|---|---|
a01f1575 LF |
1 | Fix CVE-2017-8291: |
2 | ||
d6158fe7 LF |
3 | https://bugs.ghostscript.com/show_bug.cgi?id=697799 |
4 | https://bugs.ghostscript.com/show_bug.cgi?id=697808 (duplicate) | |
5 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8291 | |
a01f1575 | 6 | |
d6158fe7 | 7 | Patches copied from upstream source repository: |
a01f1575 | 8 | |
d6158fe7 LF |
9 | https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3 |
10 | https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=04b37bbce174eed24edec7ad5b920eb93db4d47d | |
11 | https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=57f20719e1cfaea77b67cb26e26de7fe4d7f9b2e | |
12 | https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ccfd2c75ac9be4cbd369e4cbdd40ba11a0c7bdad | |
13 | ||
14 | From 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 Mon Sep 17 00:00:00 2001 | |
15 | From: Chris Liddell <chris.liddell@artifex.com> | |
16 | Date: Thu, 27 Apr 2017 13:03:33 +0100 | |
17 | Subject: [PATCH] Bug 697799: have .eqproc check its parameters | |
18 | ||
19 | The Ghostscript custom operator .eqproc was not check the number or type of | |
20 | the parameters it was given. | |
21 | --- | |
22 | psi/zmisc3.c | 6 ++++++ | |
23 | 1 file changed, 6 insertions(+) | |
24 | ||
25 | diff --git a/psi/zmisc3.c b/psi/zmisc3.c | |
26 | index 54b304246..37293ff4b 100644 | |
27 | --- a/psi/zmisc3.c | |
28 | +++ b/psi/zmisc3.c | |
29 | @@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p) | |
30 | ref2_t stack[MAX_DEPTH + 1]; | |
31 | ref2_t *top = stack; | |
32 | ||
33 | + if (ref_stack_count(&o_stack) < 2) | |
34 | + return_error(gs_error_stackunderflow); | |
35 | + if (!r_is_array(op - 1) || !r_is_array(op)) { | |
36 | + return_error(gs_error_typecheck); | |
37 | + } | |
38 | + | |
39 | make_array(&stack[0].proc1, 0, 1, op - 1); | |
40 | make_array(&stack[0].proc2, 0, 1, op); | |
41 | for (;;) { | |
42 | -- | |
43 | 2.13.0 | |
44 | ||
45 | From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001 | |
46 | From: Chris Liddell <chris.liddell@artifex.com> | |
47 | Date: Thu, 27 Apr 2017 13:21:31 +0100 | |
48 | Subject: [PATCH] Bug 697799: have .rsdparams check its parameters | |
49 | ||
50 | The Ghostscript internal operator .rsdparams wasn't checking the number or | |
51 | type of the operands it was being passed. Do so. | |
52 | --- | |
53 | psi/zfrsd.c | 22 +++++++++++++++------- | |
54 | 1 file changed, 15 insertions(+), 7 deletions(-) | |
a01f1575 LF |
55 | |
56 | diff --git a/psi/zfrsd.c b/psi/zfrsd.c | |
d6158fe7 | 57 | index 191107d8a..950588d69 100644 |
a01f1575 LF |
58 | --- a/psi/zfrsd.c |
59 | +++ b/psi/zfrsd.c | |
60 | @@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p) | |
61 | ref *pFilter; | |
62 | ref *pDecodeParms; | |
63 | int Intent = 0; | |
64 | - bool AsyncRead; | |
65 | + bool AsyncRead = false; | |
66 | ref empty_array, filter1_array, parms1_array; | |
67 | uint i; | |
68 | - int code; | |
69 | + int code = 0; | |
70 | + | |
71 | + if (ref_stack_count(&o_stack) < 1) | |
d6158fe7 | 72 | + return_error(gs_error_stackunderflow); |
a01f1575 | 73 | + if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) { |
d6158fe7 | 74 | + return_error(gs_error_typecheck); |
a01f1575 LF |
75 | + } |
76 | ||
77 | make_empty_array(&empty_array, a_readonly); | |
78 | - if (dict_find_string(op, "Filter", &pFilter) > 0) { | |
79 | + if (r_has_type(op, t_dictionary) | |
80 | + && dict_find_string(op, "Filter", &pFilter) > 0) { | |
81 | if (!r_is_array(pFilter)) { | |
82 | if (!r_has_type(pFilter, t_name)) | |
d6158fe7 | 83 | return_error(gs_error_typecheck); |
a01f1575 | 84 | @@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p) |
d6158fe7 | 85 | return_error(gs_error_typecheck); |
a01f1575 LF |
86 | } |
87 | } | |
88 | - code = dict_int_param(op, "Intent", 0, 3, 0, &Intent); | |
89 | + if (r_has_type(op, t_dictionary)) | |
90 | + code = dict_int_param(op, "Intent", 0, 3, 0, &Intent); | |
d6158fe7 | 91 | if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */ |
a01f1575 LF |
92 | return code; |
93 | - if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0 | |
94 | - ) | |
95 | - return code; | |
96 | + if (r_has_type(op, t_dictionary)) | |
97 | + if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0) | |
98 | + return code; | |
99 | push(1); | |
100 | op[-1] = *pFilter; | |
101 | if (pDecodeParms) | |
d6158fe7 LF |
102 | -- |
103 | 2.13.0 | |
104 | ||
105 | From 57f20719e1cfaea77b67cb26e26de7fe4d7f9b2e Mon Sep 17 00:00:00 2001 | |
106 | From: Chris Liddell <chris.liddell@artifex.com> | |
107 | Date: Wed, 3 May 2017 12:05:45 +0100 | |
108 | Subject: [PATCH] Bug 697846: revision to commit 4f83478c88 (.eqproc) | |
109 | ||
110 | When using the "DELAYBIND" feature, it turns out that .eqproc can be called with | |
111 | parameters that are not both procedures. In this case, it turns out, the | |
112 | expectation is for the operator to return 'false', rather than throw an error. | |
113 | --- | |
114 | psi/zmisc3.c | 15 +++++++++++++-- | |
115 | 1 file changed, 13 insertions(+), 2 deletions(-) | |
116 | ||
a01f1575 | 117 | diff --git a/psi/zmisc3.c b/psi/zmisc3.c |
d6158fe7 | 118 | index 37293ff4b..3f01d39a3 100644 |
a01f1575 LF |
119 | --- a/psi/zmisc3.c |
120 | +++ b/psi/zmisc3.c | |
d6158fe7 LF |
121 | @@ -38,6 +38,15 @@ zcliprestore(i_ctx_t *i_ctx_p) |
122 | return gs_cliprestore(igs); | |
123 | } | |
a01f1575 | 124 | |
d6158fe7 LF |
125 | +static inline bool |
126 | +eqproc_check_type(ref *r) | |
127 | +{ | |
128 | + return r_has_type(r, t_array) | |
129 | + || r_has_type(r, t_mixedarray) | |
130 | + || r_has_type(r, t_shortarray) | |
131 | + || r_has_type(r, t_oparray); | |
132 | +} | |
a01f1575 | 133 | + |
d6158fe7 LF |
134 | /* <proc1> <proc2> .eqproc <bool> */ |
135 | /* | |
136 | * Test whether two procedures are equal to depth 10. | |
137 | @@ -58,8 +67,10 @@ zeqproc(i_ctx_t *i_ctx_p) | |
138 | ||
139 | if (ref_stack_count(&o_stack) < 2) | |
140 | return_error(gs_error_stackunderflow); | |
141 | - if (!r_is_array(op - 1) || !r_is_array(op)) { | |
142 | - return_error(gs_error_typecheck); | |
143 | + if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) { | |
144 | + make_false(op - 1); | |
145 | + pop(1); | |
146 | + return 0; | |
147 | } | |
148 | ||
a01f1575 | 149 | make_array(&stack[0].proc1, 0, 1, op - 1); |
d6158fe7 LF |
150 | -- |
151 | 2.13.0 | |
152 | ||
153 | From ccfd2c75ac9be4cbd369e4cbdd40ba11a0c7bdad Mon Sep 17 00:00:00 2001 | |
154 | From: Chris Liddell <chris.liddell@artifex.com> | |
155 | Date: Thu, 11 May 2017 14:07:48 +0100 | |
156 | Subject: [PATCH] Bug 697892: fix check for op stack underflow. | |
157 | ||
158 | In the original fix, I used the wrong method to check for stack underflow, this | |
159 | is using the correct method. | |
160 | --- | |
161 | psi/zfrsd.c | 3 +-- | |
162 | psi/zmisc3.c | 3 +-- | |
163 | 2 files changed, 2 insertions(+), 4 deletions(-) | |
164 | ||
165 | diff --git a/psi/zfrsd.c b/psi/zfrsd.c | |
166 | index 950588d69..9c035b96d 100644 | |
167 | --- a/psi/zfrsd.c | |
168 | +++ b/psi/zfrsd.c | |
169 | @@ -54,8 +54,7 @@ zrsdparams(i_ctx_t *i_ctx_p) | |
170 | uint i; | |
171 | int code = 0; | |
172 | ||
173 | - if (ref_stack_count(&o_stack) < 1) | |
174 | - return_error(gs_error_stackunderflow); | |
175 | + check_op(1); | |
176 | if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) { | |
177 | return_error(gs_error_typecheck); | |
178 | } | |
179 | diff --git a/psi/zmisc3.c b/psi/zmisc3.c | |
180 | index 3f01d39a3..43803b55b 100644 | |
181 | --- a/psi/zmisc3.c | |
182 | +++ b/psi/zmisc3.c | |
183 | @@ -65,8 +65,7 @@ zeqproc(i_ctx_t *i_ctx_p) | |
184 | ref2_t stack[MAX_DEPTH + 1]; | |
185 | ref2_t *top = stack; | |
186 | ||
187 | - if (ref_stack_count(&o_stack) < 2) | |
188 | - return_error(gs_error_stackunderflow); | |
189 | + check_op(2); | |
190 | if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) { | |
191 | make_false(op - 1); | |
192 | pop(1); | |
193 | -- | |
194 | 2.13.0 | |
195 |