author | Ken Sharp <ken.sharp@artifex.com> | 2018-11-14 09:31:10 +0000 |
---|---|---|
committer | Ken Sharp <ken.sharp@artifex.com> | 2018-11-14 10:03:45 +0000 |
commit | 9a1b3ac61761094713f44dedfce56013308a3b1d (patch) | |
tree | f2fb67c659c5e898f98ef11c362d3f430add25f3 /psi | |
parent | 606a22e77e7f081781e99e44644cd0119f559e03 (diff) | |
download | ghostpdl-9a1b3ac61761094713f44dedfce56013308a3b1d.tar.gz |
PS interpreter - add some type checking
These were 'probably' safe anyway, since they mostly treat the objects
as integers without checking, which at least can't result in a crash.
Nevertheless, we ought to check.
The return from comparedictkey could be wrong if one of the keys had
a value which was not an array; it could incorrectly decide the two
were in fact the same.
Diffstat (limited to 'psi')
-rw-r--r-- | psi/zbfont.c | 15 | ||||
-rw-r--r-- | psi/zcolor.c | 24 | ||||
-rw-r--r-- | psi/zcrd.c | 4 | ||||
-rw-r--r-- | psi/zfjpx.c | 2 | ||||
-rw-r--r-- | psi/zfont.c | 3 | ||||
-rw-r--r-- | psi/zfont0.c | 3 | ||||
-rw-r--r-- | psi/zimage3.c | 2 | ||||
-rw-r--r-- | psi/ztrans.c | 4 |
8 files changed, 49 insertions, 8 deletions
diff --git a/psi/zbfont.c b/psi/zbfont.c index c1d046175..5b830a256 100644 --- a/psi/zbfont.c +++ b/psi/zbfont.c @@ -666,6 +666,9 @@ sub_font_params(gs_memory_t *mem, const ref *op, gs_matrix *pmat, gs_matrix *pom return_error(gs_error_invalidfont); if (dict_find_string(op, "OrigFont", &porigfont) <= 0) porigfont = NULL; + if (porigfont != NULL && !r_has_type(porigfont, t_dictionary)) + return_error(gs_error_typecheck); + if (pomat!= NULL) { if (porigfont == NULL || dict_find_string(porigfont, "FontMatrix", &pmatrix) <= 0 || @@ -676,8 +679,8 @@ sub_font_params(gs_memory_t *mem, const ref *op, gs_matrix *pmat, gs_matrix *pom /* Use the FontInfo/OrigFontName key preferrentially (created by MS PSCRIPT driver) */ if ((dict_find_string((porigfont != NULL ? porigfont : op), "FontInfo", &pfontinfo) > 0) && r_has_type(pfontinfo, t_dictionary) && - (dict_find_string(pfontinfo, "OrigFontName", &pfontname) > 0)) { - if ((dict_find_string(pfontinfo, "OrigFontStyle", &pfontstyle) > 0) && + (dict_find_string(pfontinfo, "OrigFontName", &pfontname) > 0) && (r_has_type(pfontname, t_name) || r_has_type(pfontname, t_string))) { + if ((dict_find_string(pfontinfo, "OrigFontStyle", &pfontstyle) > 0) && (r_has_type(pfontname, t_name) || r_has_type(pfontname, t_string)) && r_size(pfontstyle) > 0) { const byte *tmpStr1 = pfontname->value.const_bytes; const byte *tmpStr2 = pfontstyle->value.const_bytes; @@ -775,11 +778,11 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype, avm_space useglob = r_is_local(pencoding) ? avm_local : avm_global; ialloc_set_space(idmemory, useglob); - + count = r_size(pencoding); if ((code = ialloc_ref_array(&penc, (r_type_attrs(pencoding) & a_readonly), count, "build_gs_font")) < 0) return code; - + while (count--) { ref r; if (array_get(imemory, pencoding, count, &r) < 0){ 
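Review bot: In the `@@ -676,8 +679,8 @@` hunk of sub_font_params the guard added to the `OrigFontStyle` lookup tests `pfontname` a second time, so `pfontstyle` is still used unchecked: `r_size(pfontstyle)` and `pfontstyle->value.const_bytes` are read from whatever object type the font dictionary supplied. The condition should test the style ref instead, `(r_has_type(pfontstyle, t_name) || r_has_type(pfontstyle, t_string)) &&`. Separately, the new check lets both refs be a `t_name` while the following lines read `value.const_bytes` from them; whether a name ref keeps its characters in that field is not visible here and should be confirmed. The function body continues outside the hunk.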
@@ -790,7 +793,7 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype, ref_assign(&(penc.value.refs[count]), &r); } else { - + if ((code = obj_cvs(imemory, &r, (byte *)buf, 32, &size, (const byte **)(&bptr))) < 0) { return(code); } @@ -799,7 +802,7 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype, ref_assign(&(penc.value.refs[count]), &r); } } - + if ((code = dict_put_string(osp, "Encoding", &penc, NULL)) < 0) return code; ialloc_set_space(idmemory, curglob); diff --git a/psi/zcolor.c b/psi/zcolor.c index 3b8849ff3..112b61b31 100644 --- a/psi/zcolor.c +++ b/psi/zcolor.c @@ -1879,7 +1879,12 @@ static int comparedictkey(i_ctx_t * i_ctx_p, ref *CIEdict1, ref *CIEdict2, char if (r_type(tempref1) == t_null) return 1; - return comparearrays(i_ctx_p, tempref1, tempref2); + code = comparearrays(i_ctx_p, tempref1, tempref2); + + if (code > 0) + return 1; + else + return 0; } static int hasharray(i_ctx_t * i_ctx_p, ref *m1, gs_md5_state_t *md5) @@ -5475,6 +5480,9 @@ static int seticcspace(i_ctx_t * i_ctx_p, ref *r, int *stage, int *cont, int CIE return code; if (code == 0) return gs_note_error(gs_error_undefined); + if (r_type(tempref) != t_integer) + return gs_note_error(gs_error_typecheck); + components = tempref->value.intval; if (components > count_of(range)/2) return_error(gs_error_rangecheck); @@ -5596,6 +5604,10 @@ static int iccompareproc(i_ctx_t *i_ctx_p, ref *space, ref *testspace) /* Need to check all the various parts */ code1 = dict_find_string(&ICCdict1, "N", &tempref1); code2 = dict_find_string(&ICCdict2, "N", &tempref2); + + if (!r_has_type(tempref1, t_integer) || !r_has_type(tempref2, t_integer)) + return 0; + if (code1 != code2) return 0; if (tempref1->value.intval != tempref2->value.intval) 
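Review bot: The new tail of comparedictkey (`@@ -1879,7 +1879,12 @@`) maps every non-positive result of `comparearrays` to 0 but has no comment saying that an error is deliberately reported as "not equal". A one-line comment such as `/* a negative (error) result from comparearrays counts as a mismatch */` would record the intent; presumably that is the case the commit message describes. The four-line `if`/`else` can also be written `return code > 0;`. The declaration of `code` is outside the hunk.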
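Review bot: In iccompareproc (`@@ -5596,6 +5604,10 @@`) the new `r_has_type(tempref1, t_integer)` / `r_has_type(tempref2, t_integer)` test runs before `code1` and `code2` are examined, so both pointers are dereferenced even when a lookup of `N` did not succeed. The zbfont.c hunk in this same commit sets `porigfont = NULL` after a failed `dict_find_string`, which suggests the output pointer is not assigned on failure; if so, this reads through an unset pointer. Test the lookup results first, for example `if (code1 <= 0 || code2 <= 0) return 0;` ahead of the type check, and only then compare the `intval` fields. The function body continues outside the hunk.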
@@ -5749,6 +5761,8 @@ static int iccalternatespace(i_ctx_t * i_ctx_p, ref *space, ref **r, int *CIESub return code; if (code == 0) return gs_note_error(gs_error_undefined); + if (!r_has_type(tempref, t_integer)) + return_error(gs_error_typecheck); components = tempref->value.intval; @@ -5787,6 +5801,9 @@ static int icccomponents(i_ctx_t * i_ctx_p, ref *space, int *n) return code; if (code == 0) return gs_note_error(gs_error_undefined); + if (!r_has_type(tempref, t_integer)) + return gs_note_error(gs_error_typecheck); + *n = tempref->value.intval; return 0; } @@ -5803,6 +5820,9 @@ static int iccdomain(i_ctx_t * i_ctx_p, ref *space, float *ptr) return code; if (code == 0) return gs_note_error(gs_error_undefined); + if (!r_has_type(tempref, t_integer)) + return gs_note_error(gs_error_typecheck); + components = tempref->value.intval; code = dict_find_string(&ICCdict, "Range", &tempref); if (code > 0 && !r_has_type(tempref, t_null)) { @@ -5836,6 +5856,8 @@ static int iccrange(i_ctx_t * i_ctx_p, ref *space, float *ptr) return code; if (code == 0) return gs_note_error(gs_error_undefined); + if (!r_has_type(tempref, t_integer)) + return gs_note_error(gs_error_typecheck); components = tempref->value.intval; code = dict_find_string(&ICCdict, "Range", &tempref); if (code > 0 && !r_has_type(tempref, t_null)) { diff --git a/psi/zcrd.c b/psi/zcrd.c index 7993b1544..d58160d89 100644 --- a/psi/zcrd.c +++ b/psi/zcrd.c @@ -231,8 +231,10 @@ zcrd1_params(os_ptr op, gs_cie_render * pcrd, return code; if (dict_find_string(op, "RenderTable", &pRT) > 0) { - const ref *prte = pRT->value.const_refs; + const ref *prte; + check_read_type(*pRT, t_array); + prte = pRT->value.const_refs; /* Finish unpacking and checking the RenderTable parameter. */ check_type_only(prte[4], t_integer); if (!(prte[4].value.intval == 3 || prte[4].value.intval == 4)) diff --git a/psi/zfjpx.c b/psi/zfjpx.c index c622f48dd..db1fae273 100644 --- a/psi/zfjpx.c +++ b/psi/zfjpx.c 
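Review bot: The length of the `RenderTable` array is still not checked in zcrd1_params (psi/zcrd.c, `@@ -231,8 +231,10 @@`) before `prte[4]` is read on the line after the new `check_read_type(*pRT, t_array)`. The type check confirms that `value.const_refs` is meaningful, but it does not make index 4 valid for a shorter array. Unless a size check exists outside the hunk, add `if (r_size(pRT) < 5) return_error(gs_error_rangecheck);` before `prte = pRT->value.const_refs;`.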
@@ -115,6 +115,8 @@ z_jpx_decode(i_ctx_t * i_ctx_p) dict_find_string(csdict, "N", &nref) > 0) { if_debug1m('w', imemory, "[w] JPX image has an external %"PRIpsint " channel colorspace\n", nref->value.intval); + if (r_type(nref) != t_integer) + return gs_note_error(gs_error_typecheck); switch (nref->value.intval) { case 1: state.colorspace = gs_jpx_cs_gray; break; diff --git a/psi/zfont.c b/psi/zfont.c index 9c51792e1..f6c5ae113 100644 --- a/psi/zfont.c +++ b/psi/zfont.c @@ -596,6 +596,9 @@ zfont_info(gs_font *font, const gs_point *pscale, int members, info->members |= FONT_INFO_FULL_NAME; if ((members & FONT_INFO_EMBEDDING_RIGHTS) && (dict_find_string(pfontinfo, "FSType", &pvalue) > 0)) { + if (r_type(pvalue) != t_integer) + return gs_note_error(gs_error_typecheck); + info->EmbeddingRights = pvalue->value.intval; info->members |= FONT_INFO_EMBEDDING_RIGHTS; } diff --git a/psi/zfont0.c b/psi/zfont0.c index 4b01c206a..a179d7b7b 100644 --- a/psi/zfont0.c +++ b/psi/zfont0.c @@ -243,6 +243,9 @@ zbuildfont0(i_ctx_t *i_ctx_p) array_get(pfont->memory, &fdepvector, i, &fdep); /* The lookup can't fail, because of the pre-check above. */ dict_find_string(&fdep, "FID", &pfid); + if (!r_has_type(pfid, t_fontID)) + return gs_note_error(gs_error_typecheck); + data.FDepVector[i] = r_ptr(pfid, gs_font); } pfont->data = data; diff --git a/psi/zimage3.c b/psi/zimage3.c index 87a3dce2f..2beda9fe4 100644 --- a/psi/zimage3.c +++ b/psi/zimage3.c @@ -53,6 +53,8 @@ zimage3(i_ctx_t *i_ctx_p) dict_find_string(op, "MaskDict", &pMaskDict) <= 0 ) return_error(gs_error_rangecheck); + check_type(*pDataDict, t_dictionary); + check_type(*pMaskDict, t_dictionary); if ((code = pixel_image_params(i_ctx_p, pDataDict, (gs_pixel_image_t *)&image, &ip_data, 12, false, gs_currentcolorspace(igs))) < 0 || diff --git a/psi/ztrans.c b/psi/ztrans.c index 64defda71..0550a1028 100644 --- a/psi/ztrans.c +++ b/psi/ztrans.c 
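Review bot: The type check added to z_jpx_decode sits after the `if_debug1m` call that already formats `nref->value.intval`, so in a debug build the value field of a non-integer object is still read and printed before the object is rejected. Move the two added lines, `if (r_type(nref) != t_integer)` and its `return gs_note_error(gs_error_typecheck);`, above the `if_debug1m` call. Other hunks in this commit spell the same test `!r_has_type(nref, t_integer)`; using one form throughout would make the checks easier to grep for.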
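Review bot: The new `return gs_note_error(gs_error_typecheck);` in zbuildfont0 (psi/zfont0.c) exits from inside the loop that fills `data.FDepVector`, at a point where the font object already exists (`pfont->memory` is used on the line above). Whether the function's other error paths release or restore anything at this stage is not visible in the hunk; if they do, this exit should go through the same cleanup rather than return directly. The existing comment says the lookup cannot fail because of a pre-check, so the new test deserves its own comment explaining why it is still needed, e.g. `/* the pre-check guarantees FID exists, not that it is a fontID */`.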
@@ -417,6 +417,7 @@ zimage3x(i_ctx_t *i_ctx_p) gs_image3x_t_init(&image, NULL); if (dict_find_string(op, "DataDict", &pDataDict) <= 0) return_error(gs_error_rangecheck); + check_type(*pDataDict, t_dictionary); if ((code = pixel_image_params(i_ctx_p, pDataDict, (gs_pixel_image_t *)&image, &ip_data, 16, false, gs_currentcolorspace(igs))) < 0 || @@ -453,6 +454,9 @@ image_params *pip_data, const char *dict_name, if (dict_find_string(op, dict_name, &pMaskDict) <= 0) return 1; + if (!r_has_type(pMaskDict, t_dictionary)) + return gs_note_error(gs_error_typecheck); + if ((mcode = code = data_image_params(mem, pMaskDict, &pixm->MaskDict, &ip_mask, false, 1, 16, false, false)) < 0 || (code = dict_int_param(pMaskDict, "ImageType", 1, 1, 0, &ignored)) < 0 || |