Bug 699707 - Security review bug - continuation procedures
Summary: Security review bug - continuation procedures
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public) (show other bugs)
Version: unspecified
Hardware: PC Windows 7
: P4 normal
Assignee: Ken Sharp
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-04 15:44 UTC by Ken Sharp
Modified: 2019-05-08 13:47 UTC (History)
0 users

See Also:
Customer:
Word Size: ---


Description Ken Sharp 2018-09-04 15:44:08 UTC
See the Twiki, Admin web GhostscriptSecurity

"Yet another attack vector; this was another part of the problem with setcustomcolor.

Various places in the PostScript interpreter C code need to be able to exit back to the PostScript level in order to execute PostScript code (e.g. tint transform procedures, or settransfer), and then return control back to the C code in a defined way.

To do this we push functions (and other data) onto the execution stack and tell the interpreter to execute what's on the operand stack. On completion, the interpreter consults the execution stack, and calls the relevant C function.

In this case the C code for the sampled data function, on encountering an error, did not 'pop' the C execution context from the exec stack. So once the error handler had completed, the interpreter returned to the exec stack and tried to continue with the sampled function, with predictably fatal consequences.

While working on that I discovered another case in the setcolorspace procedures, and I believe there are others which I'm looking at.

We use these procedures a lot in Ghostscript; we need to desk-check them all, looking for this kind of problem."
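The mechanism and failure mode described above, as a constructed C model added here (it is not Ghostscript's own interpreter code; the frame kinds and the functions run_sampled_function, resume, stale_after_error and runs_on_success are hypothetical names): the C operator leaves its continuation on the exec stack, the PostScript procedure raises an error, and the interpreter later resumes that stale context unless the C code popped it before unwinding to the error handler.

```c
#include <stdbool.h>
/* Constructed model of an interpreter whose C code pushes a continuation
 * onto the exec stack before handing control to PostScript code. It is a
 * simplified illustration, not Ghostscript's own interpreter code. */
#define MAX_FRAMES 8
enum frame_kind { FRAME_PS_PROC, FRAME_C_CONTINUATION };
struct interp { enum frame_kind exec_stack[MAX_FRAMES]; int depth; };

static void push(struct interp *in, enum frame_kind k) {
    if (in->depth < MAX_FRAMES) in->exec_stack[in->depth++] = k;
}

/* C-side operator: push its own continuation, then a PS procedure to run.
 * ps_fails simulates the PS procedure raising an error; pop_on_error is
 * the fix: remove the C context before unwinding to the error handler. */
static int run_sampled_function(struct interp *in, bool ps_fails,
                                bool pop_on_error) {
    push(in, FRAME_C_CONTINUATION);
    push(in, FRAME_PS_PROC);
    in->depth--;                       /* PS procedure finished or aborted */
    if (ps_fails) {
        if (pop_on_error) in->depth--; /* discard the now-invalid C context */
        return -1;                     /* error handler takes over */
    }
    return 0;
}

/* After the error handler, the interpreter resumes whatever is left on the
 * exec stack and calls any C continuation it finds. Returns how many ran. */
static int resume(struct interp *in) {
    int ran = 0;
    while (in->depth > 0)
        if (in->exec_stack[--in->depth] == FRAME_C_CONTINUATION)
            ran++;                     /* would run against torn-down state */
    return ran;
}

/* Stale C continuations resumed after the PS procedure raised an error:
 * 1 with the original behaviour, 0 once the context is popped on error. */
static int stale_after_error(bool pop_on_error) {
    struct interp in = {0};
    (void)run_sampled_function(&in, true, pop_on_error);
    return resume(&in);
}

/* Normal path: the continuation runs exactly once after the PS procedure. */
static int runs_on_success(void) {
    struct interp in = {0};
    return run_sampled_function(&in, false, false) == 0 ? resume(&in) : -1;
}
```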
Comment 1 Ken Sharp 2018-09-07 15:02:47 UTC
Commit 65a9046ded8e9edd5d33bc812a9e94ae29607a1e contains the changes I identified from a review of the code in the PostScript interpreter.