| Summary: | shading_param incomplete type checking | ||
|---|---|---|---|
| Product: | Ghostscript | Reporter: | Tavis Ormandy <taviso> |
| Component: | Security (public) | Assignee: | Ken Sharp <ken.sharp> |
| Status: | NOTIFIED FIXED | ||
| Severity: | major | CC: | cbuissar, deekej, dr, jsmeix, nancy.durgin, scorneli, till.kamppeter |
| Priority: | P2 | ||
| Version: | unspecified | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| Customer: | 501,641 | Word Size: | --- |
Verified on HEAD Well the comment is pessimistic. It is possible to check each of the 7 different types of shading function, but it would be a performance bottleneck. Instead we can bundle the .buildshading and .shfill operations together, which does the type checking in the .buildshading function and then passes the (now known good) object to .shfill. Then we can un-define the .shfill operator, so it isn't available for PostScript programs to run any more. Commit bd94e67caa844aa02e09f42f93d202030572a35e There was an oversight in the original commit, a stray comment sign meant that .shfill wasn't being removed from systemdict. Commit e01e77a36cbb2e0277bc3a63852244bec41be0f6 fixes that and is also required to resolve this problem. |
shading_param() in zshade.c says this: /* * Since shadings form a subclass hierarchy, we currently have * no way to check whether a structure is actually a shading. */ Well, that's kind of a problem because .shfill is accessible in -dSAFER mode. Repro: $ gs -q -sDEVICE=ppmraw -dSAFER GS>savedinitialgstate .shfill Segmentation fault