authorKen Sharp <ken.sharp@artifex.com>2018-09-01 11:28:06 +0100
committerKen Sharp <ken.sharp@artifex.com>2018-09-01 11:28:06 +0100
commit7ba6d80c69f0c74601ffc1077d27e0d1a299e57f (patch)
tree9b377a97c177249a80dae3816adbeb57299c7fdb
parent61ad589fb861d28e2d2c9d0b609ec4da4d7dd247 (diff)
downloadghostpdl-7ba6d80c69f0c74601ffc1077d27e0d1a299e57f.tar.gz
Bug #699687 "grestore can bypass SAFER"
The code in z2grestore (part of the level 2 restore machinery) in ghostpdl/psi/zdevice2.c sets the device's LockSafetyParams to false and, according to the comments there, relies on putdeviceparams setting the flag back when the old device is re-instated. However, if any part of the device's content has been corrupted, it's possible to exit putdeviceparams, in one place only, without setting LockSafetyParams. Here we simply add an explicit reset of the value even in the case of an error setting the new device.
-rw-r--r--base/gsdparam.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/base/gsdparam.c b/base/gsdparam.c
index b06dfb1e5..0a56b7857 100644
--- a/base/gsdparam.c
+++ b/base/gsdparam.c
@@ -1976,10 +1976,20 @@ label:\
/* We must 'commit', in order to detect unknown parameters, */
/* even if there were errors. */
code = param_commit(plist);
- if (ecode < 0)
+ if (ecode < 0) {
+ /* restore_page_device (zdevice2.c) will turn off LockSafetyParams, and relies on putparams
+ * to put it back if we are restoring a device. The locksafe value is picked up above from the
+ * device we are restoring to, and we *must* make sure it is preserved, even if setting the
+ * params failed. Otherwise an attacker can use a failed grestore to reset LockSafetyParams.
+ * See bug #699687.
+ */
+ dev->LockSafetyParams = locksafe;
return ecode;
- if (code < 0)
+ }
+ if (code < 0) {
+ dev->LockSafetyParams = locksafe;
return code;
+ }
/*
* Now actually make the changes. Changing resolution, rotation