diff options
| author | Ken Sharp <ken.sharp@artifex.com> | 2018-02-19 15:43:20 +0000 |
|---|---|---|
| committer | Ken Sharp <ken.sharp@artifex.com> | 2018-02-19 15:57:31 +0000 |
| commit | 3f5736cb8a255cdfe00d59896dc39d050d1db00e (patch) | |
| tree | a477e1f4a8d1317e549b5d6d5c301d16a3dc1265 | |
| parent | cc2bfef83b1dca09e016e43238f71ca6c7a622b3 (diff) | |
| download | ghostpdl-3f5736cb8a255cdfe00d59896dc39d050d1db00e.tar.gz | |
Add more bounds checking to type 2 font interpreter
Bug #699042 "stack out of bounds read in gs_type2_interpret, gstype2.c line 701"
The warning is caused by 'csp' being below the cstack bottom bound.
Adding a check for that prevents this warning. While we're here, add
checks to the bounds of 'transient_array' which wasn't being checked
previously.
| -rw-r--r-- | base/gstype2.c | 26 | ||||
| -rw-r--r-- | base/gxtype1.h | 4 |
2 files changed, 27 insertions, 3 deletions
diff --git a/base/gstype2.c b/base/gstype2.c index 23aeed155..9b4a4385f 100644 --- a/base/gstype2.c +++ b/base/gstype2.c @@ -626,6 +626,9 @@ gs_type2_interpret(gs_type1_state * pcis, const gs_glyph_data_t *pgd, float *to; const fixed *from = pcis->transient_array + fixed2int_var(csp[-1]); + if (!CS_CHECK_TRANSIENT_BOUNDS(from, pcis->transient_array)) + return_error(gs_error_invalidfont); + if (ind < countof(Registry)) { to = Registry[ind].values + offs; for (i = 0; i < n; ++i) @@ -669,6 +672,8 @@ gs_type2_interpret(gs_type1_state * pcis, const gs_glyph_data_t *pgd, const float *from; fixed *to = pcis->transient_array + fixed2int_var(csp[-1]); + if (!CS_CHECK_TRANSIENT_BOUNDS(to, pcis->transient_array)) + return_error(gs_error_invalidfont); if (ind < countof(Registry)) { from = Registry[ind].values; for (i = 0; i < n; ++i) @@ -694,11 +699,26 @@ gs_type2_interpret(gs_type1_state * pcis, const gs_glyph_data_t *pgd, case ce2_put: if (!CS_CHECK_CSTACK_BOUNDS(&csp[-1], cstack)) return_error(gs_error_invalidfont); - pcis->transient_array[fixed2int_var(*csp)] = csp[-1]; - csp -= 2; + { + fixed *to = pcis->transient_array + fixed2int_var(*csp); + + if (!CS_CHECK_TRANSIENT_BOUNDS(to, pcis->transient_array)) + return_error(gs_error_invalidfont); + + *to = csp[-1]; + csp -= 2; + } break; case ce2_get: - *csp = pcis->transient_array[fixed2int_var(*csp)]; + if (!CS_CHECK_CSTACK_BOUNDS(csp, cstack)) + return_error(gs_error_invalidfont); + { + fixed *from = pcis->transient_array + fixed2int_var(*csp); + if (!CS_CHECK_TRANSIENT_BOUNDS(from, pcis->transient_array)) + return_error(gs_error_invalidfont); + + *csp = *from; + } break; case ce2_ifelse: if (!CS_CHECK_CSTACK_BOUNDS(&csp[-3], cstack)) diff --git a/base/gxtype1.h b/base/gxtype1.h index b8052dc95..6b27cf459 100644 --- a/base/gxtype1.h +++ b/base/gxtype1.h @@ -179,6 +179,10 @@ typedef fixed *cs_ptr; (csaddr >= &(cs[0]) && \ csaddr < &(cs[ostack_size])) +#define CS_CHECK_TRANSIENT_BOUNDS(csaddr, cs) \ + (csaddr >= &(cs[0]) && \ + csaddr < &(cs[32])) /* size defined in gs_type1_state_s above */ + #define CS_CHECK_PUSH(csp, cstack)\ BEGIN\ if (csp >= &cstack[countof(cstack)-1])\ |