author: Ken Sharp <ken.sharp@artifex.com> 2018-08-30 09:34:07 +0100
committer: Chris Liddell <chris.liddell@artifex.com> 2018-08-30 14:02:43 +0100
commit: e40f79df969e4168daf65b3b3af3ea73b6a71fc4
tree: e019c8ce02a25ed6b7f977ec6454cd5461737c75
parent: 06e4829c6756f0aa6918ba19710050295bd29bfe
Bug #699684 "gs segfaults in refset_null_new when processing malformed file"
It is possible for a specifically malformed Binary Object Sequence to run out of data to process (and return to refill the buffer) when it had read *exactly* the maximum number of objects declared in the top array. This meant that the 'index' pointing to the next expected array entry to be filled in actually pointed past the end of the array. We then called a routine to set the unused entries in the array to null objects (for GC purposes), using the index. Because it pointed past the end of the array this led to the count of objects being -1. The code then counted down the count, until it reached 0, while at the same time writing null objects past the end of the array. This commit simply checks the index against the array size and doesn't attempt to fill it in if it's less than that value. Note that the array index is 0-based, hence < not <=.
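The off-by-one the message describes, modelled as an added C example that is not Ghostscript's own code: a toy slot array stands in for the binary object array (every name below is constructed), the unguarded count shows how an unsigned `size - index` wraps once the index has run one past the end, and the guarded fill applies the same `index < size` bound that this commit adds.

```c
#include <limits.h>

/* Toy stand-in for the scanner's binary object array (names are constructed
 * for this example, not Ghostscript's own types). */
#define T_UNSET 0xff   /* slot never written: acts as a canary past the end */
#define T_NULL  0      /* "null object" written by the GC cleanup */

typedef struct { unsigned char type; int value; } slot_t;

static void init_slots(slot_t *arr, unsigned total)
{
    for (unsigned i = 0; i < total; i++) { arr[i].type = T_UNSET; arr[i].value = 0; }
}

/* The arithmetic the bug relied on: with index already one past the end,
 * the unsigned "remaining" count wraps to UINT_MAX instead of going negative,
 * so a loop counting it down to zero walks off the array. */
static unsigned unused_count_unguarded(unsigned size, unsigned index)
{
    return size - index;
}

/* Guarded cleanup: null out slots index..size-1 only when index is inside the
 * array (0-based, so index == size is already past the end). Returns the
 * number of slots written, or -1 when there is nothing safe to do. */
static int fill_unused_with_null(slot_t *arr, unsigned size, unsigned index)
{
    if (index >= size)
        return -1;
    unsigned count = size - index;   /* cannot wrap after the check above */
    for (unsigned i = 0; i < count; i++) {
        arr[index + i].type = T_NULL;
        arr[index + i].value = 0;
    }
    return (int)count;
}

/* True when no slot at or beyond 'size' was touched. */
static int canaries_intact(const slot_t *arr, unsigned size, unsigned total)
{
    for (unsigned i = size; i < total; i++)
        if (arr[i].type != T_UNSET) return 0;
    return 1;
}
```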
 psi/iscanbin.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/psi/iscanbin.c b/psi/iscanbin.c
index c11fee05a..b073bda3a 100644
--- a/psi/iscanbin.c
+++ b/psi/iscanbin.c
@@ -258,7 +258,7 @@ scan_bos(i_ctx_t *i_ctx_p, ref *pref, scanner_state *pstate)
pstate->s_da.base = pstate->s_da.next =
pstate->s_da.limit = pstate->s_da.buf;
code = scan_bos_continue(i_ctx_p, pref, pstate);
- if (code == scan_Refill || code < 0) {
+ if ((code == scan_Refill || code < 0) && pbs->index < r_size(&pbs->bin_array)) {
/* Clean up array for GC. */
uint index = pbs->index;
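Review bot: The new condition on the `+ if ((code == scan_Refill || code < 0) && pbs->index < r_size(&pbs->bin_array)) {` line runs the cleanup only when the index is strictly less than the array size, which is the opposite of the commit message's wording ("doesn't attempt to fill it in if it's less than that value"); please reword the message so it matches the code. A one-line comment above the `if` saying that `pbs->index` can equal `r_size(&pbs->bin_array)` when the buffer runs out exactly at the declared object count would also help the next reader, since the existing `/* Clean up array for GC. */` comment does not say why the bound matters or why `<` rather than `<=` is the right test.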