diff options
| author | Chris Liddell <chris.liddell@artifex.com> | 2022-08-18 17:14:22 +0100 |
|---|---|---|
| committer | Chris Liddell <chris.liddell@artifex.com> | 2022-08-19 15:06:13 +0100 |
| commit | eba3379360caec1d881d96c5d51ed4282278cd1f (patch) | |
| tree | b5253aa6f030e4d9188f050a133be27a9e3d6ef0 | |
| parent | 71484d8977bf79411dca9ebc6c9c1fcc36723ea7 (diff) | |
| download | ghostpdl-eba3379360caec1d881d96c5d51ed4282278cd1f.tar.gz | |
oss-fuzz 50326: Fix and use bounds check
for Type 1/2 charstring executaion state stack. The bounds checking macro was
incorrect, and wasn't being used in the minimal CharString interpreter used
by pdfwrite and co.
| -rw-r--r-- | base/gxtype1.c | 5 | ||||
| -rw-r--r-- | base/gxtype1.h | 4 |
2 files changed, 6 insertions, 3 deletions
diff --git a/base/gxtype1.c b/base/gxtype1.c index d3af50ece..27c44e1c5 100644 --- a/base/gxtype1.c +++ b/base/gxtype1.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2001-2021 Artifex Software, Inc. +/* Copyright (C) 2001-2022 Artifex Software, Inc. All Rights Reserved. This software is provided AS-IS with no warranty, either express or @@ -459,6 +459,7 @@ gs_type1_piece_codes(/*const*/ gs_font_type1 *pfont, /* lgtm[cpp/use-of-goto] */ else { c = fixed2int_var(*csp) + pdata->gsubrNumberBias; } + CS_CHECK_IPSTACK(ipsp + 1, ipstack); code = pdata->procs.subr_data (pfont, c, true, &ipsp[1].cs_data); if (code < 0) @@ -479,6 +480,7 @@ gs_type1_piece_codes(/*const*/ gs_font_type1 *pfont, /* lgtm[cpp/use-of-goto] */ else { c = fixed2int_var(*csp) + pdata->subroutineNumberBias; } + CS_CHECK_IPSTACK(ipsp + 1, ipstack); code = pdata->procs.subr_data (pfont, c, false, &ipsp[1].cs_data); if (code < 0) @@ -498,6 +500,7 @@ c_return: else call_depth--; gs_glyph_data_free(&ipsp->cs_data, "gs_type1_piece_codes"); + CS_CHECK_IPSTACK(ipsp, ipstack); --ipsp; if (ipsp < ipstack) return (gs_note_error(gs_error_invalidfont)); diff --git a/base/gxtype1.h b/base/gxtype1.h index 869113866..0c3823961 100644 --- a/base/gxtype1.h +++ b/base/gxtype1.h @@ -1,4 +1,4 @@ -/* Copyright (C) 2001-2021 Artifex Software, Inc. +/* Copyright (C) 2001-2022 Artifex Software, Inc. All Rights Reserved. This software is provided AS-IS with no warranty, either express or @@ -196,7 +196,7 @@ typedef fixed *cs_ptr; #define CS_CHECK_IPSTACK(ips, ipstack)\ BEGIN\ - if (ips > &ipstack[ipstack_size + 1] \ + if (ips > &ipstack[ipstack_size] \ || ips < &ipstack[0])\ return_error(gs_error_invalidfont);\ END |