Bug 699660 - shading_param incomplete type checking
Status: NOTIFIED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public)
Version: unspecified
Hardware: PC Linux
Importance: P2 major
Assignee: Ken Sharp
Reported: 2018-08-21 18:39 UTC by Tavis Ormandy
Modified: 2019-05-08 13:27 UTC
Customer: 501,641
Description Tavis Ormandy 2018-08-21 18:39:08 UTC
shading_param() in zshade.c says this:

        /*
         * Since shadings form a subclass hierarchy, we currently have
         * no way to check whether a structure is actually a shading.
         */


Well, that's kind of a problem because .shfill is accessible in -dSAFER mode.

Repro:

$ gs -q -sDEVICE=ppmraw -dSAFER 
GS>savedinitialgstate .shfill
Segmentation fault
Comment 1 Nancy Durgin 2018-08-22 22:46:28 UTC
Verified on HEAD
Comment 2 Ken Sharp 2018-08-23 13:26:08 UTC
Well the comment is pessimistic. It is possible to check each of the 7 different types of shading function, but it would be a performance bottleneck.

Instead we can bundle the .buildshading and .shfill operations together, which does the type checking in the .buildshading function and then passes the (now known good) object to .shfill.

Then we can un-define the .shfill operator, so it isn't available for PostScript programs to run any more.

Commit 	bd94e67caa844aa02e09f42f93d202030572a35e
Comment 3 Ken Sharp 2018-08-24 13:17:38 UTC
There was an oversight in the original commit: a stray comment sign meant that .shfill wasn't being removed from systemdict.

Commit 	e01e77a36cbb2e0277bc3a63852244bec41be0f6 fixes that and is also required to resolve this problem.
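
The two options weighed in Comment 2, modelled in C as an added example (not Ghostscript source and not part of the original report). All types, descriptors, error codes and function names below are hypothetical stand-ins for the interpreter's real ones.

```c
#include <stddef.h>

enum { OK = 0, E_RANGECHECK = -15, E_TYPECHECK = -20 }; /* constructed codes */

/* Hypothetical model: every heap object begins with a type-descriptor pointer. */
typedef struct { const char *name; } type_desc;
typedef struct { const type_desc *type; } object;
typedef struct { object hdr; int shading_type; } shading;
typedef struct { object hdr; double ctm[6]; } gstate;

/* One descriptor per concrete shading type; there is no shared "shading" tag. */
static const type_desc SHADING_DESCS[7] = {
    {"function-based"}, {"axial"}, {"radial"}, {"free-form mesh"},
    {"lattice mesh"}, {"Coons patch"}, {"tensor patch"}
};
static const type_desc GSTATE_DESC = {"gstate"};

/* Internal fill: static, so nothing outside this file can reach it directly. */
static int fill(const shading *s) {
    return (s->shading_type >= 1 && s->shading_type <= 7) ? OK : E_RANGECHECK;
}

/* Option 1: per-call check of the operand against all seven descriptors. */
static int is_shading(const object *o) {
    for (size_t i = 0; i < 7; i++)
        if (o->type == &SHADING_DESCS[i]) return 1;
    return 0;
}
int shfill_checked(const object *o) {
    if (o == NULL || !is_shading(o)) return E_TYPECHECK;
    return fill((const shading *)o);   /* safe: descriptor proved the layout */
}

/* Option 2: build and fill in one step; the caller never supplies the object. */
int build_and_fill(int shading_type) {
    if (shading_type < 1 || shading_type > 7) return E_RANGECHECK;
    shading s = { { &SHADING_DESCS[shading_type - 1] }, shading_type };
    return fill(&s);
}

/* Constructed inputs: a graphics-state object and a genuine axial shading. */
int try_gstate(void) {
    gstate g = { { &GSTATE_DESC }, { 1, 0, 0, 1, 0, 0 } };
    return shfill_checked(&g.hdr);
}
int try_axial(void) {
    shading s = { { &SHADING_DESCS[1] }, 2 };
    return shfill_checked(&s.hdr);
}
```

In this model the graphics-state object is refused with a type error instead of being read through the wrong layout, and the bundled entry point has no object operand to get wrong in the first place.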