Bug 699660 - shading_param incomplete type checking
Summary: shading_param incomplete type checking
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public) (show other bugs)
Version: unspecified
Hardware: PC Linux
: P2 major
Assignee: Ken Sharp
Depends on:
Reported: 2018-08-21 18:39 UTC by Tavis Ormandy
Modified: 2019-05-08 13:27 UTC (History)
7 users (show)

See Also:
Customer: 501,641
Word Size: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy 2018-08-21 18:39:08 UTC
shading_param() in zshade.c says this:

         * Since shadings form a subclass hierarchy, we currently have
         * no way to check whether a structure is actually a shading.

Well, that's kind of a problem because .shfill is accessible in -dSAFER mode.


$ gs -q -sDEVICE=ppmraw -dSAFER 
GS>savedinitialgstate .shfill
Segmentation fault
Comment 1 Nancy Durgin 2018-08-22 22:46:28 UTC
Verified on HEAD
Comment 2 Ken Sharp 2018-08-23 13:26:08 UTC
Well the comment is pessimistic. It is possible to check each of the 7 different types of shading function, but it would be a performance bottleneck.

Instead we can bundle the .buildshading and .shfill operations together, which does the type checking in the .buildshading function and then passes the (now known good) object to .shfill.

Then we can un-define the .shfill operator, so it isn't available for PostScript programs to run any more.

Commit 	bd94e67caa844aa02e09f42f93d202030572a35e
Comment 3 Ken Sharp 2018-08-24 13:17:38 UTC
There was an oversight in the original commit, a stray comment sign meant that .shfill wasn't being removed from systemdict.

Commit 	e01e77a36cbb2e0277bc3a63852244bec41be0f6 fixes that and is also required to resolve this problem.