Bug 699655

Summary: missing type checking in setcolor
Product: Ghostscript
Reporter: Tavis Ormandy <taviso>
Component: Security (public)
Assignee: Chris Liddell (chrisl) <chris.liddell>
Severity: critical
CC: cbuissar, scorneli
Priority: P2
Version: unspecified
Hardware: PC
OS: Linux
Customer: 501,641
Word Size: ---

Description Tavis Ormandy 2018-08-21 17:56:47 UTC
setcolor claims no operand checking is necessary in the comments, because it's hidden behind a pseudo-operator of the same name. That's true, but you can still call it indirectly via setpattern, so type checking is necessary. Repro:

$ gs -q -sDEVICE=ppmraw -dSAFER
GS><< /Whatever 16#414141414141 >> setpattern
Segmentation fault
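
Added example, not part of the original report and not Ghostscript source: a toy C model of the pattern described above, where an internal operator is reachable through a second entry point that does no validation, so the type check has to live in the internal routine itself. All type, function and error-code names here are hypothetical.

```c
#include <stdio.h>
#include <stdint.h>

/* Toy tagged interpreter object (hypothetical, not Ghostscript's ref type). */
typedef enum { T_INTEGER, T_PATTERN } tag_t;
typedef struct { int paint_type; } pattern_t;
typedef struct {
    tag_t tag;
    union { int64_t intval; pattern_t *pattern; } v;
} ref_t;

enum { E_OK = 0, E_TYPECHECK = -1 };   /* toy error codes */

/* Internal operator: checks the tag itself instead of trusting its callers.
 * Without this check, an integer operand would be read through v.pattern
 * and dereferenced as an address chosen by the input file. */
static int internal_setcolor(const ref_t *op, int *paint_type_out)
{
    if (op->tag != T_PATTERN || op->v.pattern == NULL)
        return E_TYPECHECK;
    *paint_type_out = op->v.pattern->paint_type;
    return E_OK;
}

/* Public wrapper of the same name: validates, then forwards. */
int wrapper_setcolor(const ref_t *op, int *out)
{
    if (op->tag != T_PATTERN)
        return E_TYPECHECK;
    return internal_setcolor(op, out);
}

/* Second entry point: forwards with no validation of its own. */
int wrapper_setpattern(const ref_t *op, int *out)
{
    return internal_setcolor(op, out);
}

int main(void)
{
    pattern_t pat = { 2 };
    ref_t good = { .tag = T_PATTERN, .v.pattern = &pat };
    ref_t bad  = { .tag = T_INTEGER, .v.intval = 0x414141414141 }; /* constructed */
    int pt = -1;
    printf("good via setpattern: %d\n", wrapper_setpattern(&good, &pt));
    printf("bad  via setpattern: %d\n", wrapper_setpattern(&bad, &pt));
    return 0;
}
```
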
Comment 1 Chris Liddell (chrisl) 2018-08-23 11:41:29 UTC
Fixed in: