From a5993c537ae035b2396da5189fd985006627a478 Mon Sep 17 00:00:00 2001 From: Ken Sharp Date: Sat, 1 Sep 2018 11:28:06 +0100 Subject: Bug #699687 "grestore can bypass SAFER" The code in z2grestore (part of the level 2 restore machinery) in ghostpdl/psi/zdevice2.c sets the device's LockSafetyParams to false, and according to the comments there relies on putdeviceparams setting the flag back when the old device is re-instated. However, if we have corrupted any part of the device's content, then its possible to exit putdeviceparams, in one place only, without setting LockSafetyParams. Here we simply add an explicit reset of the value even in the case of an error setting the new device. --- base/gsdparam.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/base/gsdparam.c b/base/gsdparam.c index b06dfb1e5..0a56b7857 100644 --- a/base/gsdparam.c +++ b/base/gsdparam.c @@ -1976,10 +1976,20 @@ label:\ /* We must 'commit', in order to detect unknown parameters, */ /* even if there were errors. */ code = param_commit(plist); - if (ecode < 0) + if (ecode < 0) { + /* restore_page_device (zdevice2.c) will turn off LockSafetyParams, and relies on putparams + * to put it back if we are restoring a device. The locksafe value is picked up above from the + * device we are restoring to, and we *must* make sure it is preserved, even if setting the + * params failed. Otherwise an attacker can use a failed grestore to reset LockSafetyParams. + * See bug #699687. + */ + dev->LockSafetyParams = locksafe; return ecode; - if (code < 0) + } + if (code < 0) { + dev->LockSafetyParams = locksafe; return code; + } /* * Now actually make the changes. Changing resolution, rotation -- cgit v1.2.1
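Review bot: the two early returns after `code = param_commit(plist);` each repeat `dev->LockSafetyParams = locksafe;` just before returning, so preservation of the flag now depends on every error path in this region remembering the same assignment; consider restoring `locksafe` once, unconditionally, immediately after the `param_commit` call (or routing both `ecode < 0` and `code < 0` through a single exit label), which also reads more clearly than duplicating the assignment in both branches. The new comment refers to `putparams` while the commit message names `putdeviceparams`; using the actual function name keeps the two consistent for whoever next audits the `LockSafetyParams` handshake with `restore_page_device`.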