forked from brl/citadel
36 lines
937 B
Diff
36 lines
937 B
Diff
From 98f6da60b9d463c617e631fc254cf6d66f2e8e3c Mon Sep 17 00:00:00 2001
|
|
From: Chris Liddell <chris.liddell@artifex.com>
|
|
Date: Mon, 12 Jun 2017 13:15:17 +0100
|
|
Subject: [PATCH] Bug 698026: bounds check zone pointers in Ins_IP()
|
|
|
|
---
|
|
base/ttinterp.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
--- end of original header
|
|
|
|
CVE: CVE-2017-9612
|
|
|
|
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
|
|
|
|
Signed-off-by: Joe Slater <joe.slater@windriver.com>
|
|
|
|
diff --git a/base/ttinterp.c b/base/ttinterp.c
|
|
index f6a6d95..e7c9d68 100644
|
|
--- a/base/ttinterp.c
|
|
+++ b/base/ttinterp.c
|
|
@@ -4129,7 +4129,9 @@ static int nInstrCount=0;
|
|
Int point;
|
|
(void)args;
|
|
|
|
- if ( CUR.top < CUR.GS.loop )
|
|
+ if ( CUR.top < CUR.GS.loop ||
|
|
+ BOUNDS(CUR.GS.rp1, CUR.zp0.n_points) ||
|
|
+ BOUNDS(CUR.GS.rp2, CUR.zp1.n_points))
|
|
{
|
|
CUR.error = TT_Err_Invalid_Reference;
|
|
return;
|
|
--
|
|
1.7.9.5
|
|
|