699655 – missing type checking in setcolor

Bug 699655 - missing type checking in setcolor

Summary: missing type checking in setcolor

Status:	NOTIFIED FIXED

Alias:	None

Product:	Ghostscript
Classification:	Unclassified
Component:	Security (public) (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P2 critical
Assignee:	Chris Liddell (chrisl)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-08-21 17:56 UTC by Tavis Ormandy
Modified:	2019-05-08 13:35 UTC (History)
CC List:	2 users (show)

See Also:
Customer:	501,641
Word Size:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tavis Ormandy 2018-08-21 17:56:47 UTC

setcolor claims no operand checking is necessary in the comments, because it's hidden behind a pseudo-operator of the same name. That's true, but you can still call it indirectly via setpattern, so type checking is necessary. Repro:

$ gs -q -sDEVICE=ppmraw -dSAFER
GS><< /Whatever 16#414141414141 >> setpattern
Segmentation fault

Comment 1 Chris Liddell (chrisl) 2018-08-23 11:41:29 UTC

Fixed in:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716