author | Chris Liddell <chris.liddell@artifex.com> | 2019-03-19 11:25:35 +0000 |
---|---|---|
committer | Chris Liddell <chris.liddell@artifex.com> | 2019-03-19 11:31:30 +0000 |
commit | 2e843b2dd9a6ae935c9e00ba127302123cb9121e (patch) | |
tree | d9cce9b6ae47d007ec85a1add39b1c5b05d85724 | |
parent | b66ebe07ae5c1fb4ef94f9051e537d69eb789896 (diff) | |
download | ghostpdl-2e843b2dd9a6ae935c9e00ba127302123cb9121e.tar.gz |
Bug 700815(2): Fix the end-of-data condition.
The end-of-data condition in the charstring interpreter that checks for SEACs
was allowing an extra byte to be read off the end of the string.
In addition, we also want to handle the out-of-data condition for a (g)subr
gracefully.
-rw-r--r-- | base/gxtype1.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/base/gxtype1.c b/base/gxtype1.c
index 3c833aca0..a383015eb 100644
--- a/base/gxtype1.c
+++ b/base/gxtype1.c
@@ -389,13 +389,15 @@ gs_type1_piece_codes(/*const*/ gs_font_type1 *pfont,
 for (;;) {
 uint c0;

- if (cip > end)
+ if (cip >= end) {
 /* We used to treat buffer overrun as a simple invalid font, now we assume that
- * there is an implicit endcharr.
+ * there is an implicit endchar/return.
 * Part of bug #693170 where the fonts are invalid (no endchar on some glyphs).
 */
+ if (call_depth > 0)
+ goto c_return;
 goto out;
-
+ }
 c0 = *cip++;

 charstring_next(c0, state, c, encrypted);
@@ -490,6 +492,7 @@ gs_type1_piece_codes(/*const*/ gs_font_type1 *pfont,
 end = ipsp->cs_data.bits.data + ipsp->cs_data.bits.size;
 goto call;
 case c_return:
+c_return:
 if (call_depth == 0)
 return (gs_note_error(gs_error_invalidfont));
 else |
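Review bot: The `cip >= end` guard at the top of the loop only proves that the single opcode byte read by `c0 = *cip++` is in bounds. Operand bytes consumed later in the same iteration (multi-byte numbers, the second byte of a two-byte operator) are decoded below this hunk and, as far as the visible lines show, are not compared with `end`. If those decoders advance `cip` unchecked, a truncated charstring from an untrusted font can still be read past the buffer, so each multi-byte read should test the remaining length first, e.g. `if (end - cip < needed) goto out;`, where `needed` is a placeholder for that operand's byte count. The loop body continues outside the hunk, so this needs confirming against the full function.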
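Review bot: The new goto label `c_return:` is spelled exactly like the `case c_return:` constant on the line above it. C keeps labels in their own namespace, so it compiles, but the pair is easy to misread and hard to grep for, and the jump enters the switch body from the end-of-data check outside it. A distinct label name with a comment such as `/* also reached from the end-of-data check when call_depth > 0: implicit return from a (g)subr */` would make the second entry point explicit. The if/else that follows is cut off by the hunk, so whether the return path restores `end` for the calling charstring, as the call path above does, cannot be checked from here.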