diff options
author | Pavel Vinogradov | 2019-01-24 20:06:51 -0500 |
---|---|---|
committer | Pavel Vinogradov | 2019-01-24 22:40:28 -0500 |
commit | 7cbb30972e2ccdc57b413e4e0a9d178cc9f44fad (patch) | |
tree | bdd7e0837e37273454dda61d9c52a28226d1ffda /printer | |
parent | 7ed3296a3dcc80457f08aeeb34328c631eca6bd1 (diff) |
printer/ghostscript: SECURITY_PATCH++ for 9.26
Diffstat (limited to 'printer')
-rwxr-xr-x | printer/ghostscript/DETAILS | 2 | ||||
-rw-r--r-- | printer/ghostscript/HISTORY | 4 | ||||
-rw-r--r-- | printer/ghostscript/patches/0001-cve-2019-6116.patch | 166 | ||||
-rw-r--r-- | printer/ghostscript/patches/0002-cve-2019-6116.patch | 421 | ||||
-rw-r--r-- | printer/ghostscript/patches/0003-cve-2019-6116.patch | 24 | ||||
-rw-r--r-- | printer/ghostscript/patches/0004-cve-2019-6116.patch | 126 | ||||
-rw-r--r-- | printer/ghostscript/patches/0005-cve-2019-6116.patch | 589 | ||||
-rw-r--r-- | printer/ghostscript/patches/0006-cve-2019-6116.patch | 333 |
8 files changed, 1664 insertions, 1 deletions
diff --git a/printer/ghostscript/DETAILS b/printer/ghostscript/DETAILS index 3e6d0e0244..c7521a9ab3 100755 --- a/printer/ghostscript/DETAILS +++ b/printer/ghostscript/DETAILS @@ -1,7 +1,7 @@ SPELL=ghostscript VERSION=9.26 SOURCE_HASH="sha512:3ddb83029edf32282357bf606f4045a9ac73df6543cd423cfad09158ec12ada083a0dbb5aac3b73ae24cbc6c1e9d7574257a5c1fae63ba8776fbb00150ef2a3e:UPSTREAM_HASH" - SECURITY_PATCH=5 + SECURITY_PATCH=6 SOURCE=$SPELL-$VERSION.tar.xz SOURCE_DIRECTORY="$BUILD_DIRECTORY/$SPELL-$VERSION" WEB_SITE=http://www.ghostscript.com/ diff --git a/printer/ghostscript/HISTORY b/printer/ghostscript/HISTORY index b4ed1c6984..f2baaec25a 100644 --- a/printer/ghostscript/HISTORY +++ b/printer/ghostscript/HISTORY @@ -1,3 +1,7 @@ +2019-01-24 Pavel Vinogradov <public@sourcemage.org> + * DETAILS. patches/000[1-6]-cve-2019-6116.patch: SECURITY_PATCH++, + (CVE-2019-6116) + 2018-11-22 Pavel Vinogradov <public@sourcemage.org> * DETAILS: version 9.26, SECURITY_PATCH++, (CVE-2018-17961, CVE-2018-18073, CVE-2018-18284) diff --git a/printer/ghostscript/patches/0001-cve-2019-6116.patch b/printer/ghostscript/patches/0001-cve-2019-6116.patch new file mode 100644 index 0000000000..4a196133b3 --- /dev/null +++ b/printer/ghostscript/patches/0001-cve-2019-6116.patch @@ -0,0 +1,166 @@ +From: Chris Liddell <chris.liddell@artifex.com> +Date: Wed, 5 Dec 2018 12:22:13 +0000 (+0000) +Subject: Sanitize op stack for error conditions +X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=13b0a36f8181db66a91bcc8cea139998b53a8996 + +Sanitize op stack for error conditions + +We save the stacks to an array and store the array for the error handler to +access. + +For SAFER, we traverse the array, and deep copy any op arrays (procedures). As +we make these copies, we check for operators that do *not* exist in systemdict, +when we find one, we replace the operator with a name object (of the form +"/--opname--"). +--- + +diff --git a/psi/int.mak b/psi/int.mak +index 81bc59d..5dfb66c 100644 +--- a/psi/int.mak ++++ b/psi/int.mak +@@ -203,7 +203,8 @@ $(PSOBJ)iparam.$(OBJ) : $(PSSRC)iparam.c $(GH)\ + $(PSOBJ)istack.$(OBJ) : $(PSSRC)istack.c $(GH) $(memory__h)\ + $(ierrors_h) $(gsstruct_h) $(gsutil_h)\ + $(ialloc_h) $(istack_h) $(istkparm_h) $(istruct_h) $(iutil_h) $(ivmspace_h)\ +- $(store_h) $(INT_MAK) $(MAKEDIRS) ++ $(store_h) $(icstate_h) $(iname_h) $(dstack_h) $(idict_h) \ ++ $(INT_MAK) $(MAKEDIRS) + $(PSCC) $(PSO_)istack.$(OBJ) $(C_) $(PSSRC)istack.c + + $(PSOBJ)iutil.$(OBJ) : $(PSSRC)iutil.c $(GH) $(math__h) $(memory__h) $(string__h)\ +diff --git a/psi/interp.c b/psi/interp.c +index 16cce23..68f977c 100644 +--- a/psi/interp.c ++++ b/psi/interp.c +@@ -797,6 +797,7 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr) + uint size = ref_stack_count(pstack) - skip; + uint save_space = ialloc_space(idmemory); + int code, i; ++ ref *safety, *safe; + + if (size > 65535) + size = 65535; +@@ -814,6 +815,13 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr) + make_null(&arr->value.refs[i]); + } + } ++ if (pstack == &o_stack && dict_find_string(systemdict, "SAFETY", &safety) > 0 && ++ dict_find_string(safety, "safe", &safe) > 0 && r_has_type(safe, t_boolean) && ++ safe->value.boolval == true) { ++ code = ref_stack_array_sanitize(i_ctx_p, arr, arr); ++ if (code < 0) ++ return code; ++ } + ialloc_set_space(idmemory, save_space); + return code; + } +diff --git a/psi/istack.c b/psi/istack.c +index 2c030f8..1bfcde4 100644 +--- a/psi/istack.c ++++ b/psi/istack.c +@@ -27,6 +27,10 @@ + #include "iutil.h" + #include "ivmspace.h" /* for local/global test */ + #include "store.h" ++#include "icstate.h" ++#include "iname.h" ++#include "dstack.h" ++#include "idict.h" + + /* Forward references */ + static void init_block(ref_stack_t *pstack, const ref *pblock_array, +@@ -294,6 +298,80 @@ ref_stack_store_check(const ref_stack_t *pstack, ref *parray, uint count, + return 0; + } + ++int ++ref_stack_array_sanitize(i_ctx_t *i_ctx_p, ref *sarr, ref *darr) ++{ ++ int i, code; ++ ref obj, arr2; ++ ref *pobj2; ++ gs_memory_t *mem = (gs_memory_t *)idmemory->current; ++ ++ if (!r_is_array(sarr) || !r_has_type(darr, t_array)) ++ return_error(gs_error_typecheck); ++ ++ for (i = 0; i < r_size(sarr); i++) { ++ code = array_get(mem, sarr, i, &obj); ++ if (code < 0) ++ make_null(&obj); ++ switch(r_type(&obj)) { ++ case t_operator: ++ { ++ int index = op_index(&obj); ++ ++ if (index > 0 && index < op_def_count) { ++ const byte *data = (const byte *)(op_index_def(index)->oname + 1); ++ if (dict_find_string(systemdict, (const char *)data, &pobj2) <= 0) { ++ byte *s = gs_alloc_bytes(mem, strlen((char *)data) + 5, "ref_stack_array_sanitize"); ++ if (s) { ++ s[0] = '\0'; ++ strcpy((char *)s, "--"); ++ strcpy((char *)s + 2, (char *)data); ++ strcpy((char *)s + strlen((char *)data) + 2, "--"); ++ } ++ else { ++ s = (byte *)data; ++ } ++ code = name_ref(imemory, s, strlen((char *)s), &obj, 1); ++ if (code < 0) make_null(&obj); ++ if (s != data) ++ gs_free_object(mem, s, "ref_stack_array_sanitize"); ++ } ++ } ++ else { ++ make_null(&obj); ++ } ++ ref_assign(darr->value.refs + i, &obj); ++ break; ++ } ++ case t_array: ++ case t_shortarray: ++ case t_mixedarray: ++ { ++ int attrs = r_type_attrs(&obj) & (a_write | a_read | a_execute | a_executable); ++ /* We only want to copy executable arrays */ ++ if (attrs & (a_execute | a_executable)) { ++ code = ialloc_ref_array(&arr2, attrs, r_size(&obj), "ref_stack_array_sanitize"); ++ if (code < 0) { ++ make_null(&arr2); ++ } ++ else { ++ code = ref_stack_array_sanitize(i_ctx_p, &obj, &arr2); ++ } ++ ref_assign(darr->value.refs + i, &arr2); ++ } ++ else { ++ ref_assign(darr->value.refs + i, &obj); ++ } ++ break; ++ } ++ default: ++ ref_assign(darr->value.refs + i, &obj); ++ } ++ } ++ return 0; ++} ++ ++ + /* + * Store the top 'count' elements of a stack, starting 'skip' elements below + * the top, into an array, with or without store/undo checking. age=-1 for +diff --git a/psi/istack.h b/psi/istack.h +index 4619a3b..7c33844 100644 +--- a/psi/istack.h ++++ b/psi/istack.h +@@ -125,6 +125,9 @@ int ref_stack_store(const ref_stack_t *pstack, ref *parray, uint count, + uint skip, int age, bool check, + gs_dual_memory_t *idmem, client_name_t cname); + ++int ++ref_stack_array_sanitize(i_ctx_t *i_ctx_p, ref *sarr, ref *darr); ++ + /* + * Pop the top N elements off a stack. + * The number must not exceed the number of elements in use. diff --git a/printer/ghostscript/patches/0002-cve-2019-6116.patch b/printer/ghostscript/patches/0002-cve-2019-6116.patch new file mode 100644 index 0000000000..7dc657992d --- /dev/null +++ b/printer/ghostscript/patches/0002-cve-2019-6116.patch @@ -0,0 +1,421 @@ +From: Chris Liddell <chris.liddell@artifex.com> +Date: Thu, 13 Dec 2018 15:28:34 +0000 (+0000) +Subject: Any transient procedures that call .force* operators +X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=2db98f9c66135601efb103d8db7d020a672308db + +Any transient procedures that call .force* operators + +(i.e. for conditionals or loops) make them executeonly. +--- + +diff --git a/Resource/Init/gs_diskn.ps b/Resource/Init/gs_diskn.ps +index da3add7..d3872d6 100644 +--- a/Resource/Init/gs_diskn.ps ++++ b/Resource/Init/gs_diskn.ps +@@ -51,7 +51,7 @@ systemdict begin + mark 5 1 roll ] mark exch { { } forall } forall ] + //systemdict /.searchabledevs 2 index .forceput + exch .setglobal +- } ++ } executeonly + if + } .bind executeonly odef % must be bound and hidden for .forceput + +diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps +index 63948f4..947d281 100644 +--- a/Resource/Init/gs_dps1.ps ++++ b/Resource/Init/gs_dps1.ps +@@ -78,7 +78,7 @@ level2dict begin + .currentglobal + { % Current mode is global; delete from local directory too. + //systemdict /LocalFontDirectory .knownget +- { 1 index .forceundef } % LocalFontDirectory is readonly ++ { 1 index .forceundef } executeonly % LocalFontDirectory is readonly + if + } + { % Current mode is local; if there was a shadowed global +@@ -126,7 +126,7 @@ level2dict begin + } + ifelse + } forall +- pop counttomark 2 idiv { .forceundef } repeat pop % readonly ++ pop counttomark 2 idiv { .forceundef } executeonly repeat pop % readonly + } + if + //SharedFontDirectory exch .forcecopynew pop +diff --git a/Resource/Init/gs_fntem.ps b/Resource/Init/gs_fntem.ps +index 9b579fd..196c864 100644 +--- a/Resource/Init/gs_fntem.ps ++++ b/Resource/Init/gs_fntem.ps +@@ -401,12 +401,12 @@ currentdict end def + .forceput % FontInfo can be read-only. + pop % bool <font> + exit +- } if ++ } executeonly if + dup /FontInfo get % bool <font> <FI> + /GlyphNames2Unicode /Unicode /Decoding findresource + .forceput % FontInfo can be read-only. + exit +- } loop ++ } executeonly loop + exch setglobal + } .bind executeonly odef % must be bound and hidden for .forceput + +diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps +index 4cf23f8..ee3275f 100644 +--- a/Resource/Init/gs_fonts.ps ++++ b/Resource/Init/gs_fonts.ps +@@ -374,7 +374,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if + /.setnativefontmapbuilt { % set whether we've been run + dup type /booleantype eq { + systemdict exch /.nativefontmapbuilt exch .forceput +- } ++ } executeonly + {pop} + ifelse + } .bind executeonly odef +@@ -1007,11 +1007,11 @@ $error /SubstituteFont { } put + { 2 index gcheck currentglobal + 2 copy eq { + pop pop .forceput +- } { ++ } executeonly { + 5 1 roll setglobal + dup length string copy + .forceput setglobal +- } ifelse ++ } executeonly ifelse + } .bind executeonly odef % must be bound and hidden for .forceput + + % Attempt to load a font from a file. +@@ -1084,7 +1084,7 @@ $error /SubstituteFont { } put + .FontDirectory 3 index .forceundef % readonly + 1 index (r) file .loadfont .FontDirectory exch + /.setglobal .systemvar exec +- } ++ } executeonly + { .loadfont .FontDirectory + } + ifelse +@@ -1105,7 +1105,7 @@ $error /SubstituteFont { } put + dup 3 index .fontknownget + { dup /PathLoad 4 index //.putgstringcopy + 4 1 roll pop pop pop //true exit +- } if ++ } executeonly if + + % Maybe the file had a different FontName. + % See if we can get a FontName from the file, and if so, +@@ -1134,7 +1134,7 @@ $error /SubstituteFont { } put + ifelse % Stack: origfontname fontdict + exch pop //true exit + % Stack: fontdict +- } ++ } executeonly + if pop % Stack: origfontname fontdirectory path + } + if pop pop % Stack: origfontname +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index 65ab5c0..e4902a5 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2386,7 +2386,7 @@ SAFER { .setsafeglobal } if + % Update the copy of the user parameters. + mark .currentuserparams counttomark 2 idiv { + userparams 3 1 roll .forceput % userparams is read-only +- } repeat pop ++ } executeonly repeat pop + % Turn on idiom recognition, if available. + currentuserparams /IdiomRecognition known { + /IdiomRecognition //true .definepsuserparam +@@ -2405,7 +2405,7 @@ SAFER { .setsafeglobal } if + % Remove real system params from pssystemparams. + mark .currentsystemparams counttomark 2 idiv { + pop pssystemparams exch .forceundef +- } repeat pop ++ } executeonly repeat pop + } if + + % Set up AlignToPixels : +diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps +index 577c20b..5c8ac11 100644 +--- a/Resource/Init/gs_lev2.ps ++++ b/Resource/Init/gs_lev2.ps +@@ -154,7 +154,8 @@ end + % protect top level of parameters that we copied + dup type dup /arraytype eq exch /stringtype eq or { readonly } if + /userparams .systemvar 3 1 roll .forceput % userparams is read-only +- } { ++ } executeonly ++ { + pop pop + } ifelse + } forall +@@ -224,7 +225,7 @@ end + % protect top level parameters that we copied + dup type dup /arraytype eq exch /stringtype eq or { readonly } if + //pssystemparams 3 1 roll .forceput % pssystemparams is read-only +- } ++ } executeonly + { pop pop + } + ifelse +@@ -941,7 +942,7 @@ mark + dup /PaintProc get + 1 index /Implementation known not { + 1 index dup /Implementation //null .forceput readonly pop +- } if ++ } executeonly if + exec + }.bind odef + +@@ -965,7 +966,7 @@ mark + dup /PaintProc get + 1 index /Implementation known not { + 1 index dup /Implementation //null .forceput readonly pop +- } if ++ } executeonly if + /UNROLLFORMS where {/UNROLLFORMS get}{false}ifelse not + %% [CTM] <<Form>> PaintProc .beginform - + { +@@ -1012,7 +1013,7 @@ mark + %% Form dictioanry using the /Implementation key). + 1 dict dup /FormID 4 -1 roll put + 1 index exch /Implementation exch .forceput readonly pop +- } ++ } executeonly + ifelse + } + { +diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps +index 1c417ad..aa4313d 100644 +--- a/Resource/Init/gs_pdfwr.ps ++++ b/Resource/Init/gs_pdfwr.ps +@@ -650,7 +650,7 @@ currentdict /.pdfmarkparams .undef + } ifelse + } bind .makeoperator .forceput + systemdict /.pdf_hooked_DSC_Creator //true .forceput +- } if ++ } executeonly if + pop + } if + } { +diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps +index 67b82b5..b711562 100644 +--- a/Resource/Init/gs_res.ps ++++ b/Resource/Init/gs_res.ps +@@ -152,7 +152,7 @@ setglobal + % use .forceput / .forcedef later to replace the dummy, + % empty .Instances dictionary with the real one later. + readonly +- } { ++ }{ + /defineresource cvx /typecheck signaloperror + } ifelse + } bind executeonly odef +@@ -424,7 +424,7 @@ status { + % As noted above, Category dictionaries are read-only, + % so we have to use .forcedef here. + /.Instances 1 index .forcedef % Category dict is read-only +- } if ++ } executeonly if + } + { .LocalInstances dup //.emptydict eq + { pop 3 dict localinstancedict Category 2 index put +diff --git a/Resource/Init/gs_setpd.ps b/Resource/Init/gs_setpd.ps +index 893a2bb..0379a51 100644 +--- a/Resource/Init/gs_setpd.ps ++++ b/Resource/Init/gs_setpd.ps +@@ -689,7 +689,7 @@ SETPDDEBUG { (Result of putting.) = pstack flush } if + SETPDDEBUG { (Rolling back.) = pstack flush } if + 3 index 2 index 3 -1 roll .forceput + 4 index 1 index .knownget +- { 4 index 3 1 roll .forceput } ++ { 4 index 3 1 roll .forceput } executeonly + { 3 index exch .undef } + ifelse + } bind executeonly odef +diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps +index 2932efc..0ea99a3 100644 +--- a/Resource/Init/pdf_base.ps ++++ b/Resource/Init/pdf_base.ps +@@ -130,26 +130,29 @@ currentdict /num-chars-dict .undef + + /.pdfexectoken { % <count> <opdict> <exectoken> .pdfexectoken ? + PDFDEBUG { +- pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } if ++ pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if + PDFSTEP { + pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput + PDFSTEPcount 1 gt { + pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput +- } { ++ } executeonly ++ { + dup ==only + ( step # ) print PDFtokencount =only + ( ? ) print flush 1 //false .outputpage + (%stdin) (r) file 255 string readline { + token { + exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput +- } { ++ } executeonly ++ { + pdfdict /PDFSTEPcount 1 .forceput +- } ifelse % token ++ } executeonly ifelse % token + } { + pop /PDFSTEP //false def % EOF on stdin + } ifelse % readline + } ifelse % PDFSTEPcount > 1 +- } { ++ } executeonly ++ { + dup ==only () = flush + } ifelse % PDFSTEP + } if % PDFDEBUG +diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps +index 0da8181..36c41a9 100644 +--- a/Resource/Init/pdf_draw.ps ++++ b/Resource/Init/pdf_draw.ps +@@ -1131,14 +1131,14 @@ currentdict end readonly def + pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror +- } ifelse ++ } executeonly ifelse + } + { + currentglobal pdfdict gcheck .setglobal + pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror +- } ifelse ++ } executeonly ifelse + end + } ifelse + } loop +@@ -1154,14 +1154,14 @@ currentdict end readonly def + pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror +- } ifelse ++ } executeonly ifelse + } + { + currentglobal pdfdict gcheck .setglobal + pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror +- } ifelse ++ } executeonly ifelse + } if + pop + +@@ -2363,9 +2363,10 @@ currentdict /last-ditch-bpc-csp undef + /IncrementAppearanceNumber { + pdfdict /AppearanceNumber .knownget { + 1 add pdfdict /AppearanceNumber 3 -1 roll .forceput +- }{ ++ } executeonly ++ { + pdfdict /AppearanceNumber 0 .forceput +- } ifelse ++ } executeonly ifelse + }bind executeonly odef + + /MakeAppearanceName { +@@ -2523,7 +2524,8 @@ currentdict /last-ditch-bpc-csp undef + %% want to preserve it. + pdfdict /.PreservePDFForm false .forceput + /q cvx /execform cvx 5 -2 roll +- }{ ++ } executeonly ++ { + /q cvx /PDFexecform cvx 5 -2 roll + } ifelse + +diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps +index 2153033..a3b9699 100644 +--- a/Resource/Init/pdf_font.ps ++++ b/Resource/Init/pdf_font.ps +@@ -714,7 +714,7 @@ currentdict end readonly def + pop pop pop + currentdict /.stackdepth .forceundef + currentdict /.dstackdepth .forceundef +- } ++ } executeonly + {pop pop pop} + ifelse + +@@ -1232,7 +1232,7 @@ currentdict /eexec_pdf_param_dict .undef + (\n **** Warning: Type 3 glyph has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n) + pdfformatwarning + pdfdict /.Qqwarning_issued //true .forceput +- } if ++ } executeonly if + Q + } repeat + Q +@@ -2016,7 +2016,7 @@ currentdict /CMap_read_dict undef + /CIDFallBack /CIDFont findresource + } if + exit +- } if ++ } executeonly if + } if + } if + +diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps +index 78b6438..ee17905 100644 +--- a/Resource/Init/pdf_main.ps ++++ b/Resource/Init/pdf_main.ps +@@ -2701,14 +2701,14 @@ currentdict /PDF2PS_matrix_key undef + pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror +- } ifelse ++ } executeonly ifelse + } + { + currentglobal pdfdict gcheck .setglobal + pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror +- } ifelse ++ } executeonly ifelse + } if + } if + pop +diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps +index e830aaa..34e2fbd 100644 +--- a/Resource/Init/pdf_ops.ps ++++ b/Resource/Init/pdf_ops.ps +@@ -184,14 +184,14 @@ currentdict /gput_always_allow .undef + pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror +- } ifelse ++ } executeonly ifelse + } + { + currentglobal pdfdict gcheck .setglobal + pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror +- } ifelse ++ } executeonly ifelse + } if + } bind executeonly odef + +@@ -439,7 +439,8 @@ currentdict /gput_always_allow .undef + dup type /booleantype eq { + .currentSMask type /dicttype eq { + .currentSMask /Processed 2 index .forceput +- } { ++ } executeonly ++ { + .setSMask + }ifelse + }{ diff --git a/printer/ghostscript/patches/0003-cve-2019-6116.patch b/printer/ghostscript/patches/0003-cve-2019-6116.patch new file mode 100644 index 0000000000..c81aa1647e --- /dev/null +++ b/printer/ghostscript/patches/0003-cve-2019-6116.patch @@ -0,0 +1,24 @@ +From: Chris Liddell <chris.liddell@artifex.com> +Date: Sat, 15 Dec 2018 09:08:32 +0000 (+0000) +Subject: Bug700317: Fix logic for an older change +X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=99f13091a3f309bdc95d275ea9fec10bb9f42d9a + +Bug700317: Fix logic for an older change + +Unlike almost every other function in gs, dict_find_string() returns 1 on +success 0 or <0 on failure. The logic for this case was wrong. +--- + +diff --git a/psi/interp.c b/psi/interp.c +index 68f977c..3ac5c70 100644 +--- a/psi/interp.c ++++ b/psi/interp.c +@@ -707,7 +707,7 @@ again: + * i.e. it's an internal operator we have hidden + */ + code = dict_find_string(systemdict, (const char *)bufptr, &tobj); +- if (code < 0) { ++ if (code <= 0) { + buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-'; + rlen += 4; + bufptr = buf; diff --git a/printer/ghostscript/patches/0004-cve-2019-6116.patch b/printer/ghostscript/patches/0004-cve-2019-6116.patch new file mode 100644 index 0000000000..a1fbae8232 --- /dev/null +++ b/printer/ghostscript/patches/0004-cve-2019-6116.patch @@ -0,0 +1,126 @@ +From: Chris Liddell <chris.liddell@artifex.com> +Date: Tue, 18 Dec 2018 10:42:10 +0000 (+0000) +Subject: Harden some uses of .force* operators +X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=59d8f4deef90c1598ff50616519d5576756b4495 + +Harden some uses of .force* operators + +by adding a few immediate evalutions +--- + +diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps +index 947d281..b681ec7 100644 +--- a/Resource/Init/gs_dps1.ps ++++ b/Resource/Init/gs_dps1.ps +@@ -74,7 +74,7 @@ level2dict begin + } odef + % undefinefont has to take local/global VM into account. + /undefinefont % <fontname> undefinefont - +- { .FontDirectory 1 .argindex .forceundef % FontDirectory is readonly ++ { //.FontDirectory 1 .argindex .forceundef % FontDirectory is readonly + .currentglobal + { % Current mode is global; delete from local directory too. + //systemdict /LocalFontDirectory .knownget +@@ -85,7 +85,7 @@ level2dict begin + % definition, copy it into the local directory. + //systemdict /SharedFontDirectory .knownget + { 1 index .knownget +- { .FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly ++ { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly + if + } + if +diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps +index ee3275f..48b1b2d 100644 +--- a/Resource/Init/gs_fonts.ps ++++ b/Resource/Init/gs_fonts.ps +@@ -516,7 +516,7 @@ buildfontdict 3 /.buildfont3 cvx put + if + } + if +- dup .FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly ++ dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly + % If the font originated as a resource, register it. + currentfile .currentresourcefile eq { dup .registerfont } if + readonly +@@ -943,7 +943,7 @@ $error /SubstituteFont { } put + % Try to find a font using only the present contents of Fontmap. + /.tryfindfont { % <fontname> .tryfindfont <font> true + % <fontname> .tryfindfont false +- .FontDirectory 1 index .fontknownget ++ //.FontDirectory 1 index .fontknownget + { % Already loaded + exch pop //true + } +@@ -975,7 +975,7 @@ $error /SubstituteFont { } put + { % Font with a procedural definition + exec % The procedure will load the font. + % Check to make sure this really happened. +- .FontDirectory 1 index .knownget ++ //.FontDirectory 1 index .knownget + { exch pop //true exit } + if + } +@@ -1081,11 +1081,11 @@ $error /SubstituteFont { } put + % because it's different depending on language level. + .currentglobal exch /.setglobal .systemvar exec + % Remove the fake definition, if any. +- .FontDirectory 3 index .forceundef % readonly +- 1 index (r) file .loadfont .FontDirectory exch ++ //.FontDirectory 3 index .forceundef % readonly ++ 1 index (r) file .loadfont //.FontDirectory exch + /.setglobal .systemvar exec + } executeonly +- { .loadfont .FontDirectory ++ { .loadfont //.FontDirectory + } + ifelse + % Stack: fontname fontfilename fontdirectory +@@ -1119,8 +1119,8 @@ $error /SubstituteFont { } put + % Stack: origfontname fontdirectory filefontname fontdict + 3 -1 roll pop + % Stack: origfontname filefontname fontdict +- dup /FontName get dup FontDirectory exch .forceundef +- GlobalFontDirectory exch .forceundef ++ dup /FontName get dup //.FontDirectory exch .forceundef ++ /GlobalFontDirectory .systemvar exch .forceundef + dup length dict .copydict dup 3 index /FontName exch put + 2 index exch definefont + exch +@@ -1175,10 +1175,10 @@ currentdict /.putgstringcopy .forceundef + { + { + pop dup type /stringtype eq { cvn } if +- .FontDirectory 1 index known not { ++ //.FontDirectory 1 index known not { + 2 dict dup /FontName 3 index put + dup /FontType 1 put +- .FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly ++ //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly + } { + pop + } ifelse +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index e4902a5..f9efe4e 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -1165,8 +1165,8 @@ errordict /unknownerror .undef + }ifelse + }forall + noaccess pop +- systemdict /.setsafeerrors .forceundef +- systemdict /.SAFERERRORLIST .forceundef ++ //systemdict /.setsafeerrors .forceundef ++ //systemdict /.SAFERERRORLIST .forceundef + } bind executeonly odef + + SAFERERRORS {.setsafererrors} if +@@ -2144,7 +2144,7 @@ currentdict /tempfilepaths undef + + /.locksafe { + .locksafe_userparams +- systemdict /getenv {pop //false} .forceput ++ //systemdict /getenv {pop //false} .forceput + % setpagedevice has the side effect of clearing the page, but + % we will just document that. Using setpagedevice keeps the device + % properties and pagedevice .LockSafetyParams in agreement even diff --git a/printer/ghostscript/patches/0005-cve-2019-6116.patch b/printer/ghostscript/patches/0005-cve-2019-6116.patch new file mode 100644 index 0000000000..5dd2d4ebce --- /dev/null +++ b/printer/ghostscript/patches/0005-cve-2019-6116.patch @@ -0,0 +1,589 @@ +From: Chris Liddell <chris.liddell@artifex.com> +Date: Wed, 9 Jan 2019 14:24:07 +0000 (+0000) +Subject: Undefine a bunch of gs_fonts.ps specific procs +X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=2768d1a6dddb83f5c061207a7ed2813999c1b5c9 + +Undefine a bunch of gs_fonts.ps specific procs + +Also reorder and add some immediate evaluation, so it still works with the +undefining. +--- + +diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps +index b681ec7..719e7e1 100644 +--- a/Resource/Init/gs_dps1.ps ++++ b/Resource/Init/gs_dps1.ps +@@ -67,7 +67,8 @@ level2dict begin + + /selectfont % <fontname> <size> selectfont - + { +- { 1 .argindex findfont ++ { ++ 1 .argindex findfont + 1 index dup type /arraytype eq { makefont } { scalefont } ifelse + setfont pop pop + } stopped { /selectfont .systemvar $error /errorname get signalerror } if +diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps +index 48b1b2d..63164d0 100644 +--- a/Resource/Init/gs_fonts.ps ++++ b/Resource/Init/gs_fonts.ps +@@ -100,7 +100,7 @@ + { 2 index token not + { (Fontmap entry for ) print 1 index =only + ( ends prematurely! Giving up.) = flush +- {.loadFontmap} 0 get 1 .quit ++ {//.loadFontmap exec} 0 get 1 .quit + } if + dup /; eq { pop 3 index 3 1 roll .growput exit } if + pop +@@ -202,6 +202,14 @@ + { pop } + { /FONTPATH (GS_FONTPATH) getenv not { () } if def } + ifelse ++ ++% The following are dummy definitions that, if we have a FONTPATH, will ++% be replaced in the following section. ++% They are here so immediately evaulation will work, and allow them to ++% undefined at the bottom of the file. ++/.scanfontbegin{} bind def ++/.scanfontdir {} bind def ++ + FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if + /FONTPATH [ FONTPATH .pathlist ] def + +@@ -242,12 +250,12 @@ + /.scanfontbegin + { % Construct the table of all file names already in Fontmap. + currentglobal //true setglobal +- .scanfontdict dup maxlength Fontmap length 2 add .max .setmaxlength ++ //.scanfontdict dup maxlength Fontmap length 2 add .max .setmaxlength + Fontmap + { exch pop + { dup type /stringtype eq +- { .splitfilename pop .fonttempstring copy .lowerstring cvn +- .scanfontdict exch //true put ++ { //.splitfilename exec pop //.fonttempstring copy //.lowerstring exec cvn ++ //.scanfontdict exch //true put + } + { pop + } +@@ -280,9 +288,9 @@ + /txt //true + .dicttomark def + /.scan1fontstring 8192 string def +-% %%BeginFont: is not per Adobe documentation, but a few fonts have it. ++% BeginFont: is not per Adobe documentation, but a few fonts have it. + /.scanfontheaders [(%!PS-Adobe*) (%!FontType*) (%%BeginFont:*)] def +-0 .scanfontheaders { length .max } forall 6 add % extra for PFB header ++0 //.scanfontheaders { length .max } forall 6 add % extra for PFB header + /.scan1fontfirst exch string def + /.scanfontdir % <dirname> .scanfontdir - + { currentglobal exch //true setglobal +@@ -291,10 +299,10 @@ + 0 0 0 4 -1 roll % found scanned files + { % stack: <fontcount> <scancount> <filecount> <filename> + exch 1 add exch % increment filecount +- dup .splitfilename .fonttempstring copy .lowerstring ++ dup //.splitfilename exec //.fonttempstring copy //.lowerstring exec + % stack: <fontcount> <scancount> <filecount+1> <filename> + % <BASE> <ext> +- .scanfontskip exch known exch .scanfontdict exch known or ++ //.scanfontskip exch known exch //.scanfontdict exch known or + { pop + % stack: <fontcount> <scancount> <filecount+1> + } +@@ -309,7 +317,7 @@ + % On some platforms, the file operator will open directories, + % but an error will occur if we try to read from one. + % Handle this possibility here. +- dup .scan1fontfirst { readstring } .internalstopped ++ dup //.scan1fontfirst { readstring } .internalstopped + { pop pop () } + { pop } + ifelse +@@ -322,7 +330,7 @@ + { dup length 6 sub 6 exch getinterval } + if + % Check for font file headers. +- //false .scanfontheaders ++ //false //.scanfontheaders + { 2 index exch .stringmatch or + } + forall exch pop +@@ -335,7 +343,7 @@ + { exch copystring exch + DEBUG { ( ) print dup =only flush } if + 1 index .definenativefontmap +- .splitfilename pop //true .scanfontdict 3 1 roll .growput ++ //.splitfilename exec pop //true //.scanfontdict 3 1 roll .growput + % Increment fontcount. + 3 -1 roll 1 add 3 1 roll + } +@@ -352,7 +360,7 @@ + } + ifelse + } +- .scan1fontstring filenameforall ++ //.scan1fontstring filenameforall + QUIET + { pop pop pop } + { ( ) print =only ( files, ) print =only ( scanned, ) print +@@ -422,7 +430,6 @@ + //true .setnativefontmapbuilt + } ifelse + } bind def +-currentdict /.setnativefontmapbuilt .forceundef + + % Create the dictionary that registers the .buildfont procedure + % (called by definefont) for each FontType. +@@ -526,7 +533,8 @@ + % We use this only for explicitly aliased fonts, not substituted fonts: + % we think this matches the observed behavior of Adobe interpreters. + /.aliasfont % <name> <font> .aliasfont <newFont> +- { .currentglobal 3 1 roll dup .gcheck .setglobal ++ { ++ currentglobal 3 1 roll dup gcheck setglobal + % <bool> <name> <font> + dup length 2 add dict % <bool> <name> <font> <dict> + dup 3 -1 roll % <bool> <name> <dict> <dict> <font> +@@ -541,7 +549,7 @@ + % whose FontName is a local non-string, if someone passed a + % garbage value to findfont. In this case, just don't + % call definefont at all. +- 2 index dup type /stringtype eq exch .gcheck or 1 index .gcheck not or ++ 2 index dup type /stringtype eq exch gcheck or 1 index gcheck not or + { pop % <bool> <name> <dict> + 1 index dup type /stringtype eq { cvn } if + % <bool> <name> <dict> <name1> +@@ -566,10 +574,11 @@ + % Don't bind in definefont, since Level 2 redefines it. + /definefont .systemvar exec + } +- { /findfont cvx {.completefont} .errorexec pop exch pop ++ { ++ /findfont cvx {.completefont} //.errorexec exec pop exch pop + } + ifelse +- exch .setglobal ++ exch setglobal + } odef % so findfont will bind it + + % Define .loadfontfile for loading a font. If we recognize Type 1 and/or +@@ -669,10 +678,19 @@ + [(Cn) 4] [(Cond) 4] [(Narrow) 4] [(Pkg) 4] [(Compr) 4] + [(Serif) 8] [(Sans) -8] + ] readonly def ++ ++/.fontnamestring { % <fontname> .fontnamestring <string|name> ++ dup type dup /nametype eq { ++ pop .namestring ++ } { ++ /stringtype ne { pop () } if ++ } ifelse ++} bind def ++ + /.fontnameproperties { % <int> <string|name> .fontnameproperties + % <int'> +- .fontnamestring +- .substituteproperties { ++ //.fontnamestring exec ++ //.substituteproperties { + 2 copy 0 get search { + pop pop pop dup length 1 sub 1 exch getinterval 3 -1 roll exch { + dup 0 ge { or } { neg not and } ifelse +@@ -710,13 +728,7 @@ + % <other> .nametostring <other> + dup type /nametype eq { .namestring } if + } bind def +-/.fontnamestring { % <fontname> .fontnamestring <string|name> +- dup type dup /nametype eq { +- pop .namestring +- } { +- /stringtype ne { pop () } if +- } ifelse +-} bind def ++ + /.substitutefontname { % <fontname> <properties> .substitutefontname + % <altname|null> + % Look for properties and/or a face name in the font name. +@@ -724,7 +736,7 @@ + % base font; otherwise, use the default font. + % Note that the "substituted" font name may be the same as + % the requested one; the caller must check this. +- exch .fontnamestring { ++ exch //.fontnamestring exec { + defaultfontname /Helvetica-Oblique /Helvetica-Bold /Helvetica-BoldOblique + /Helvetica-Narrow /Helvetica-Narrow-Oblique + /Helvetica-Narrow-Bold /Helvetica-Narrow-BoldOblique +@@ -734,12 +746,12 @@ + } 3 1 roll + % Stack: facelist properties fontname + % Look for a face name. +- .substitutefaces { ++ //.substitutefaces { + 2 copy 0 get search { + pop pop pop + % Stack: facelist properties fontname [(pattern) family properties] + dup 2 get 4 -1 roll or 3 1 roll +- 1 get .substitutefamilies exch get ++ 1 get //.substitutefamilies exch get + 4 -1 roll pop 3 1 roll + } { + pop pop +@@ -748,7 +760,7 @@ + 1 index length mod get exec + } bind def + /.substitutefont { % <fontname> .substitutefont <altname> +- dup 0 exch .fontnameproperties .substitutefontname ++ dup 0 exch //.fontnameproperties exec .substitutefontname + % Only accept fonts known in the Fontmap. + Fontmap 1 index known not + { +@@ -814,7 +826,7 @@ + counttomark 1 sub { .aliasfont } repeat end + % <fontname> mark <font> + exch pop exch pop +-} odef ++} bind odef + /findfont { + .findfont + } bind def +@@ -860,7 +872,7 @@ + } { + dup .substitutefont + 2 copy eq { pop defaultfontname } if +- .checkalias ++ //.checkalias exec + QUIET not { + SHORTERRORS { + (%%[) print 1 index =only +@@ -886,8 +898,8 @@ + //null 0 1 FONTPATH length 1 sub { + FONTPATH 1 index get //null ne { exch pop exit } if pop + } for dup //null ne { +- dup 0 eq { .scanfontbegin } if +- FONTPATH 1 index get .scanfontdir ++ dup 0 eq { //.scanfontbegin exec} if ++ FONTPATH 1 index get //.scanfontdir exec + FONTPATH exch //null put //true + } { + pop //false +@@ -897,11 +909,10 @@ + % scanning of FONTPATH. + /.dofindfont { % mark <fontname> .dofindfont % mark <alias> ... <font> + .tryfindfont not { +- + % We didn't find the font. If we haven't scanned + % all the directories in FONTPATH, scan the next one + % now and look for the font again. +- .scannextfontdir { ++ //.scannextfontdir exec { + % Start over with an empty alias list. + counttomark 1 sub { pop } repeat % mark <fontname> + .dofindfont +@@ -927,6 +938,7 @@ + } if + % Substitute for the font. Don't alias. + % Same stack as at the beginning of .dofindfont. ++ + $error /SubstituteFont get exec + % + % igorm: I guess the surrounding code assumes that .stdsubstfont +@@ -935,72 +947,11 @@ + % used in .dofindfont and through .stdsubstfont + % just to represent a simple iteration, + % which accumulates the aliases after the mark. +- .stdsubstfont ++ //.stdsubstfont exec + } ifelse + } ifelse + } if + } bind def +-% Try to find a font using only the present contents of Fontmap. +-/.tryfindfont { % <fontname> .tryfindfont <font> true +- % <fontname> .tryfindfont false +- //.FontDirectory 1 index .fontknownget +- { % Already loaded +- exch pop //true +- } +- { +- dup Fontmap exch .knownget +- { //true //true } +- { % Unknown font name. Look for a file with the +- % same name as the requested font. +- dup .tryloadfont +- { exch pop //true //false } +- { +- % if we can't load by name check the native font map +- dup .nativeFontmap exch .knownget +- { //true //true } +- { //false //false } ifelse +- } ifelse +- } ifelse +- +- { % Try each element of the Fontmap in turn. +- pop +- //false exch % (in case we exhaust the list) +- % Stack: fontname false fontmaplist +- { exch pop +- dup type /nametype eq +- { % Font alias +- .checkalias .tryfindfont exit +- } +- { dup dup type dup /arraytype eq exch /packedarraytype eq or exch xcheck and +- { % Font with a procedural definition +- exec % The procedure will load the font. +- % Check to make sure this really happened. +- //.FontDirectory 1 index .knownget +- { exch pop //true exit } +- if +- } +- { % Font file name +- //true .loadfontloop { //true exit } if +- } +- ifelse +- } +- ifelse //false +- } +- forall +- % Stack: font true -or- fontname false +- { //true +- } +- { % None of the Fontmap entries worked. +- % Try loading a file with the same name +- % as the requested font. +- .tryloadfont +- } +- ifelse +- } +- if +- } +- ifelse +- } bind def + + % any user of .putgstringcopy must use bind and executeonly + /.putgstringcopy % <dict> <name> <string> .putgstringcopy - +@@ -1014,25 +965,6 @@ + } executeonly ifelse + } .bind executeonly odef % must be bound and hidden for .forceput + +-% Attempt to load a font from a file. +-/.tryloadfont { % <fontname> .tryloadfont <font> true +- % <fontname> .tryloadfont false +- dup .nametostring +- % Hack: check for the presence of the resource machinery. +- /.genericrfn where { +- pop +- pop dup .fonttempstring /FontResourceDir getsystemparam .genericrfn +- {//false .loadfontloop} .internalstopped {//false} if { +- //true +- } { +- dup .nametostring +- {//true .loadfontloop} .internalstopped {//false} if +- } ifelse +- } { +- {//true .loadfontloop} .internalstopped {//false} if +- } ifelse +-} bind def +- + /.loadfontloop { % <fontname> <filename> <libflag> .loadfontloop + % <font> true + % -or- +@@ -1102,7 +1034,7 @@ + } if + + % Check to make sure the font was actually loaded. +- dup 3 index .fontknownget ++ dup 3 index //.fontknownget exec + { dup /PathLoad 4 index .putgstringcopy + 4 1 roll pop pop pop //true exit + } executeonly if +@@ -1113,7 +1045,7 @@ + exch dup % Stack: origfontname fontdirectory path path + (r) file .findfontname + { % Stack: origfontname fontdirectory path filefontname +- 2 index 1 index .fontknownget ++ 2 index 1 index //.fontknownget exec + { % Yes. Stack: origfontname fontdirectory path filefontname fontdict + dup 4 -1 roll /PathLoad exch .putgstringcopy + % Stack: origfontname fontdirectory filefontname fontdict +@@ -1136,7 +1068,7 @@ + % Stack: fontdict + } executeonly + if pop % Stack: origfontname fontdirectory path +- } ++ } executeonly + if pop pop % Stack: origfontname + + % The font definitely did not load correctly. +@@ -1150,7 +1082,90 @@ + + } bind executeonly odef % must be bound and hidden for .putgstringcopy + +-currentdict /.putgstringcopy .undef ++% Attempt to load a font from a file. ++/.tryloadfont { % <fontname> .tryloadfont <font> true ++ % <fontname> .tryloadfont false ++ dup //.nametostring exec ++ % Hack: check for the presence of the resource machinery. ++ /.genericrfn where { ++ pop ++ pop dup //.fonttempstring /FontResourceDir getsystemparam .genericrfn ++ {//false .loadfontloop} .internalstopped {//false} if { ++ //true ++ } { ++ dup //.nametostring exec ++ {//true .loadfontloop} .internalstopped {//false} if ++ } ifelse ++ } { ++ {//true .loadfontloop} .internalstopped {//false} if ++ } ifelse ++} bind def ++ ++% Try to find a font using only the present contents of Fontmap. ++/.tryfindfont { % <fontname> .tryfindfont <font> true ++ % <fontname> .tryfindfont false ++ //.FontDirectory 1 index //.fontknownget exec ++ { % Already loaded ++ exch pop //true ++ } ++ { ++ dup Fontmap exch .knownget ++ { //true //true } ++ { % Unknown font name. Look for a file with the ++ % same name as the requested font. ++ dup //.tryloadfont exec ++ { exch pop //true //false } ++ { ++ % if we can't load by name check the native font map ++ dup .nativeFontmap exch .knownget ++ { //true //true } ++ { //false //false } ifelse ++ } ifelse ++ } ifelse ++ ++ { % Try each element of the Fontmap in turn. ++ pop ++ //false exch % (in case we exhaust the list) ++ % Stack: fontname false fontmaplist ++ { exch pop ++ dup type /nametype eq ++ { % Font alias ++ //.checkalias exec ++ .tryfindfont exit ++ } ++ { dup dup type dup /arraytype eq exch /packedarraytype eq or exch xcheck and ++ { % Font with a procedural definition ++ exec % The procedure will load the font. ++ % Check to make sure this really happened. ++ //.FontDirectory 1 index .knownget ++ { exch pop //true exit } ++ if ++ } ++ { % Font file name ++ //true .loadfontloop { //true exit } if ++ } ++ ifelse ++ } ++ ifelse //false ++ } ++ forall ++ % Stack: font true -or- fontname false ++ { //true ++ } ++ { % None of the Fontmap entries worked. ++ % Try loading a file with the same name ++ % as the requested font. ++ //.tryloadfont exec ++ } ++ ifelse ++ } ++ if ++ } ++ ifelse ++ } bind def ++ ++ % Define a procedure to load all known fonts. ++ % This isn't likely to be very useful. + + % Define a procedure to load all known fonts. + % This isn't likely to be very useful. +@@ -1192,9 +1207,9 @@ + /.loadinitialfonts + { NOFONTMAP not + { /FONTMAP where +- { pop [ FONTMAP .pathlist ] ++ { pop [ FONTMAP //.pathlist exec] + { dup VMDEBUG findlibfile +- { exch pop .loadFontmap } ++ { exch pop //.loadFontmap exec } + { /undefinedfilename signalerror } + ifelse + } +@@ -1208,7 +1223,7 @@ + pop pop + defaultfontmap_content { .definefontmap } forall + } { +- .loadFontmap ++ //.loadFontmap exec + } ifelse + } { + pop pop +@@ -1272,3 +1287,18 @@ + { .makemodifiedfont + dup /FontName get exch definefont pop + } bind def ++ ++% Undef these, not needed outside this file ++[ ++ % /.fonttempstring /.scannextfontdir - are also used in gs_res.ps, so are undefined there ++ % /.fontnameproperties - is used in pdf_font.ps ++ % /.scanfontheaders - used in gs_cff.ps, gs_ttf.ps ++ /.loadfontloop /.tryloadfont /.findfont /.pathlist /.loadFontmap /.lowerstring ++ /.splitfilename /.scanfontdict /.scanfontbegin ++ /.scanfontskip /.scan1fontstring ++ /.scan1fontfirst /.scanfontdir ++ /.setnativefontmapbuilt /.aliasfont ++ /.setloadingfont /.substitutefaces /.substituteproperties /.substitutefamilies ++ /.nametostring /.fontnamestring /.checkalias /.fontknownget /.stdsubstfont ++ /.putgstringcopy ++] {systemdict exch .forceundef} forall +diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps +index b711562..d1f9f92 100644 +--- a/Resource/Init/gs_res.ps ++++ b/Resource/Init/gs_res.ps +@@ -961,7 +961,7 @@ + dup type /nametype eq { .namestring } if + dup type /stringtype ne { //false exit } if + % Check the resource directory. +- dup .fonttempstring /FontResourceDir getsystemparam .genericrfn ++ dup //.fonttempstring /FontResourceDir getsystemparam .genericrfn + status { + pop pop pop pop //true exit + } if +@@ -969,7 +969,7 @@ + % as the font. + findlibfile { closefile //true exit } if + % Scan a FONTPATH directory and try again. +- .scannextfontdir not { //false exit } if ++ //.scannextfontdir exec not { //false exit } if + } loop + } bind def + +@@ -1008,7 +1008,7 @@ + } ifelse + } bind executeonly + /ResourceForAll { +- { .scannextfontdir not { exit } if } loop ++ { //.scannextfontdir exec not { exit } if } loop + /Generic /Category findresource /ResourceForAll get exec + } bind executeonly + /.ResourceFileStatus { +@@ -1152,6 +1152,7 @@ + dup /.Instances get readonly pop + .LocalInstances readonly pop + readonly pop ++ /.fonttempstring /.scannextfontdir % from gs_fonts.ps + } forall + % clean up + systemdict /.fixresources undef diff --git a/printer/ghostscript/patches/0006-cve-2019-6116.patch b/printer/ghostscript/patches/0006-cve-2019-6116.patch new file mode 100644 index 0000000000..330a1bc31c --- /dev/null +++ b/printer/ghostscript/patches/0006-cve-2019-6116.patch @@ -0,0 +1,333 @@ +From: Chris Liddell <chris.liddell@artifex.com> +Date: Fri, 11 Jan 2019 13:36:36 +0000 (+0000) +Subject: Remove .forcedef, and harden .force* ops more +X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=49c8092da88ef6bb0aa281fe294ae0925a44b5b9 + +Remove .forcedef, and harden .force* ops more + +Remove .forcedef and replace all uses with a direct call to .forceput instead. + +Ensure every procedure (named and trasient) that calls .forceput is +executeonly. +--- + +diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps +index 719e7e1..0b0dff3 100644 +--- a/Resource/Init/gs_dps1.ps ++++ b/Resource/Init/gs_dps1.ps +@@ -33,14 +33,17 @@ systemdict begin + + /SharedFontDirectory .FontDirectory .gcheck + { .currentglobal //false .setglobal ++ currentdict + /LocalFontDirectory .FontDirectory dup maxlength dict copy +- .forcedef % LocalFontDirectory is local, systemdict is global ++ .forceput % LocalFontDirectory is local, systemdict is global + .setglobal .FontDirectory +- } +- { /LocalFontDirectory .FontDirectory +- .forcedef % LocalFontDirectory is local, systemdict is global ++ } executeonly ++ { ++ currentdict ++ /LocalFontDirectory .FontDirectory ++ .forceput % LocalFontDirectory is local, systemdict is global + 50 dict +- } ++ }executeonly + ifelse def + + end % systemdict +@@ -55,7 +58,7 @@ level2dict begin + { //SharedFontDirectory } + { /LocalFontDirectory .systemvar } % can't embed ref to local VM + ifelse .forceput pop % LocalFontDirectory is local, systemdict is global +- } .bind odef ++ } .bind executeonly odef + % Don't just copy (load) the definition of .setglobal: + % it gets redefined for LL3. + /setshared { /.setglobal .systemvar exec } odef +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index f9efe4e..9377f52 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -54,7 +54,7 @@ systemdict exch + dup /userdict + currentdict dup 200 .setmaxlength % userdict + .forceput % userdict is local, systemdict is global +- } ++ } executeonly + if begin + + % Define dummy local/global operators if needed. +@@ -296,13 +296,6 @@ QUIET not { printgreeting flush } if + 1 index exch .makeoperator def + } .bind def + +-% Define a special version of def for storing local objects into global +-% dictionaries. Like .forceput, this exists only during initialization. +-/.forcedef { % <key> <value> .forcedef - +- 1 .argindex pop % check # of args +- currentdict 3 1 roll .forceput +-} .bind odef +- + % Define procedures for accessing variables in systemdict and userdict + % regardless of the contents of the dictionary stack. + /.systemvar { % <name> .systemvar <value> +@@ -344,7 +337,7 @@ DELAYBIND + } + ifelse + } .bind def +-} if ++} executeonly if + + %**************** BACKWARD COMPATIBILITY **************** + /hwsizedict mark /HWSize //null .dicttomark readonly def +@@ -652,7 +645,7 @@ currentdict /.typenames .undef + /ifelse .systemvar + ] cvx executeonly + exch .setglobal +-} odef ++} executeonly odef + systemdict /internaldict dup .makeinternaldict .makeoperator + .forceput % proc is local, systemdict is global + +@@ -1090,7 +1083,7 @@ def + + % Define $error. This must be in local VM. + .currentglobal //false .setglobal +-/$error 40 dict .forcedef % $error is local, systemdict is global ++currentdict /$error 40 dict .forceput % $error is local, systemdict is global + % newerror, errorname, command, errorinfo, + % ostack, estack, dstack, recordstacks, + % binary, globalmode, +@@ -1109,8 +1102,8 @@ end + % Define errordict similarly. It has one entry per error name, + % plus handleerror. However, some astonishingly badly written PostScript + % files require it to have at least one empty slot. +-/errordict ErrorNames length 3 add dict +-.forcedef % errordict is local, systemdict is global ++currentdict /errordict ErrorNames length 3 add dict ++.forceput % errordict is local, systemdict is global + .setglobal % back to global VM + % gserrordict contains all the default error handling methods, but unlike + % errordict it is noaccess after creation (also it is in global VM). +@@ -1283,8 +1276,9 @@ end + (END PROCS) VMDEBUG + + % Define the font directory. ++currentdict + /FontDirectory //false .setglobal 100 dict //true .setglobal +-.forcedef % FontDirectory is local, systemdict is global ++.forceput % FontDirectory is local, systemdict is global + + % Define the encoding dictionary. + /EncodingDirectory 16 dict def % enough for Level 2 + PDF standard encodings +@@ -2362,7 +2356,6 @@ SAFER { .setsafeglobal } if + //systemdict /UndefinePostScriptOperators get exec + //systemdict /UndefinePDFOperators get exec + //systemdict /.forcecopynew .forceundef % remove temptation +- //systemdict /.forcedef .forceundef % ditto + //systemdict /.forceput .forceundef % ditto + //systemdict /.undef .forceundef % ditto + //systemdict /.forceundef .forceundef % ditto +@@ -2397,9 +2390,9 @@ SAFER { .setsafeglobal } if + % (and, if implemented, context switching). + .currentglobal //false .setglobal + mark userparams { } forall .dicttomark readonly +- /userparams exch .forcedef % systemdict is read-only ++ currentdict exch /userparams exch .forceput % systemdict is read-only + .setglobal +-} if ++} executeonly if + /.currentsystemparams where { + pop + % Remove real system params from pssystemparams. +@@ -2474,7 +2467,6 @@ end + DELAYBIND not { + systemdict /.bindnow .undef % We only need this for DELAYBIND + systemdict /.forcecopynew .undef % remove temptation +- systemdict /.forcedef .undef % ditto + systemdict /.forceput .undef % ditto + systemdict /.forceundef .undef % ditto + } if +diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps +index 5c8ac11..da19360 100644 +--- a/Resource/Init/gs_lev2.ps ++++ b/Resource/Init/gs_lev2.ps +@@ -304,31 +304,30 @@ end + psuserparams exch /.checkFilePermitparams load put + .setglobal + +-pssystemparams begin +- /CurDisplayList 0 .forcedef +- /CurFormCache 0 .forcedef +- /CurInputDevice () .forcedef +- /CurOutlineCache 0 .forcedef +- /CurOutputDevice () .forcedef +- /CurPatternCache 0 .forcedef +- /CurUPathCache 0 .forcedef +- /CurScreenStorage 0 .forcedef +- /CurSourceList 0 .forcedef +- /DoPrintErrors //false .forcedef +- /JobTimeout 0 .forcedef +- /LicenseID (LN-001) .forcedef % bogus +- /MaxDisplayList 140000 .forcedef +- /MaxFormCache 100000 .forcedef +- /MaxImageBuffer 524288 .forcedef +- /MaxOutlineCache 65000 .forcedef +- /MaxPatternCache 100000 .forcedef +- /MaxUPathCache 300000 .forcedef +- /MaxScreenStorage 84000 .forcedef +- /MaxSourceList 25000 .forcedef +- /PrinterName product .forcedef +- /RamSize 4194304 .forcedef +- /WaitTimeout 40 .forcedef +-end ++pssystemparams ++dup /CurDisplayList 0 .forceput ++dup /CurFormCache 0 .forceput ++dup /CurInputDevice () .forceput ++dup /CurOutlineCache 0 .forceput ++dup /CurOutputDevice () .forceput ++dup /CurPatternCache 0 .forceput ++dup /CurUPathCache 0 .forceput ++dup /CurScreenStorage 0 .forceput ++dup /CurSourceList 0 .forceput ++dup /DoPrintErrors //false .forceput ++dup /JobTimeout 0 .forceput ++dup /LicenseID (LN-001) .forceput % bogus ++dup /MaxDisplayList 140000 .forceput ++dup /MaxFormCache 100000 .forceput ++dup /MaxImageBuffer 524288 .forceput ++dup /MaxOutlineCache 65000 .forceput ++dup /MaxPatternCache 100000 .forceput ++dup /MaxUPathCache 300000 .forceput ++dup /MaxScreenStorage 84000 .forceput ++dup /MaxSourceList 25000 .forceput ++dup /PrinterName product .forceput ++dup /RamSize 4194304 .forceput ++ /WaitTimeout 40 .forceput + + % Define the procedures for handling comment scanning. The names + % %ProcessComment and %ProcessDSCComment are known to the interpreter. +@@ -695,7 +694,7 @@ pop % currentsystemparams + /statusdict currentdict def + + currentdict end +-/statusdict exch .forcedef % statusdict is local, systemdict is global ++currentdict exch /statusdict exch .forceput % statusdict is local, systemdict is global + + % The following compatibility operators are in systemdict. They are + % defined here, rather than in gs_init.ps, because they require the +diff --git a/Resource/Init/gs_ll3.ps b/Resource/Init/gs_ll3.ps +index 11d4aa7..0f98876 100644 +--- a/Resource/Init/gs_ll3.ps ++++ b/Resource/Init/gs_ll3.ps +@@ -521,9 +521,8 @@ end + % Define additional user and system parameters. + /HalftoneMode 0 .definepsuserparam + /MaxSuperScreen 1016 .definepsuserparam +-pssystemparams begin % read-only, so use .forcedef +- /MaxDisplayAndSourceList 160000 .forcedef +-end ++% read-only, so use .forceput ++pssystemparams /MaxDisplayAndSourceList 160000 .forceput + + % Define the IdiomSet resource category. + { /IdiomSet } { +diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps +index d1f9f92..a8f301f 100644 +--- a/Resource/Init/gs_res.ps ++++ b/Resource/Init/gs_res.ps +@@ -41,10 +41,10 @@ + % However, Ed Taft of Adobe says their interpreters don't implement this + % either, so we aren't going to worry about it for a while. + +-currentglobal //false setglobal systemdict begin +- /localinstancedict 5 dict +- .forcedef % localinstancedict is local, systemdict is global +-end //true setglobal ++currentglobal //false setglobal ++ systemdict /localinstancedict 5 dict ++ .forceput % localinstancedict is local, systemdict is global ++//true setglobal + /.emptydict 0 dict readonly def + setglobal + +@@ -149,7 +149,7 @@ + dup [ exch 0 -1 ] exch + .Instances 4 2 roll put + % Make the Category dictionary read-only. We will have to +- % use .forceput / .forcedef later to replace the dummy, ++ % use .forceput / .forceput later to replace the dummy, + % empty .Instances dictionary with the real one later. + readonly + }{ +@@ -304,7 +304,8 @@ + dup () ne { + .file_name_directory_separator concatstrings + } if +- 2 index exch //false .file_name_combine not { ++ 2 index exch //false ++ .file_name_combine not { + (Error: .default_resource_dir returned ) print exch print ( that can't combine with ) print = + /.default_resource_dir cvx /configurationerror signalerror + } if +@@ -317,14 +318,14 @@ + pssystemparams begin + .default_resource_dir + /FontResourceDir (Font) .resource_dir_name +- readonly .forcedef % pssys'params is r-o ++ readonly currentdict 3 1 roll .forceput % pssys'params is r-o + /GenericResourceDir () .resource_dir_name +- readonly .forcedef % pssys'params is r-o ++ readonly currentdict 3 1 roll .forceput % pssys'params is r-o + pop % .default_resource_dir + /GenericResourcePathSep +- .file_name_separator readonly .forcedef % pssys'params is r-o +- (%diskFontResourceDir) cvn (/Resource/Font/) readonly .forcedef % pssys'params is r-o +- (%diskGenericResourceDir) cvn (/Resource/) readonly .forcedef % pssys'params is r-o ++ .file_name_separator readonly currentdict 3 1 roll .forceput % pssys'params is r-o ++ currentdict (%diskFontResourceDir) cvn (/Resource/Font/) readonly .forceput % pssys'params is r-o ++ currentdict (%diskGenericResourceDir) cvn (/Resource/) readonly .forceput % pssys'params is r-o + end + end + +@@ -422,8 +423,8 @@ + .Instances dup //.emptydict eq { + pop 3 dict + % As noted above, Category dictionaries are read-only, +- % so we have to use .forcedef here. +- /.Instances 1 index .forcedef % Category dict is read-only ++ % so we have to use .forceput here. ++ currentdict /.Instances 2 index .forceput % Category dict is read-only + } executeonly if + } + { .LocalInstances dup //.emptydict eq +@@ -441,7 +442,7 @@ + { /defineresource cvx /typecheck signaloperror + } + ifelse +-} .bind executeonly .makeoperator % executeonly to prevent access to .forcedef ++} .bind executeonly .makeoperator % executeonly to prevent access to .forceput + /UndefineResource + { { dup 2 index .knownget + { dup 1 get 1 ge +diff --git a/Resource/Init/gs_statd.ps b/Resource/Init/gs_statd.ps +index 4dea296..bc2d46e 100644 +--- a/Resource/Init/gs_statd.ps ++++ b/Resource/Init/gs_statd.ps +@@ -21,10 +21,10 @@ systemdict begin + % We make statusdict a little larger for Level 2 stuff. + % Note that it must be allocated in local VM. + .currentglobal //false .setglobal +- /statusdict 91 dict .forcedef % statusdict is local, sys'dict global ++ currentdict /statusdict 91 dict .forceput % statusdict is local, sys'dict global + % To support the Level 2 job control features, + % serverdict must also be in local VM. +- /serverdict 10 dict .forcedef % serverdict is local, sys'dict global ++ currentdict /serverdict 10 dict .forceput % serverdict is local, sys'dict global + .setglobal + end + |