authorHenry Stiles <henry.stiles@artifex.com>2017-09-28 18:04:20 -0600
committerChris Liddell <chris.liddell@artifex.com>2017-10-03 08:42:11 +0100
commit3c2974bcd2e638be13c0ec814342a1a35ca0872b (patch)
treef7aec212c3c9d8af863ffa8de302f8249b6fdfd3
parentf1d39c92bff2de2d7b270a419a907c935ea626a6 (diff)
downloadghostpdl-3c2974bcd2e638be13c0ec814342a1a35ca0872b.tar.gz
Fix buffer overflow regression.
The commit to address 694653 (3749bc274) was incorrect: the font_data_size variable is not necessarily the size of the buffer.
-rw-r--r--pcl/pcl/pcsfont.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/pcl/pcl/pcsfont.c b/pcl/pcl/pcsfont.c
index 320d506e2..7c995806a 100644
--- a/pcl/pcl/pcsfont.c
+++ b/pcl/pcl/pcsfont.c
@@ -548,8 +548,9 @@ pcl_character_data(pcl_args_t * pargs, pcl_state_t * pcs)
return e_Unimplemented;
}
/* check for buffer overrun */
- if (pcs->soft_font_count + count - 2 > font_data_size)
+ if (pcs->soft_font_count + count - 2 > gs_object_size(pcs->memory, pcs->soft_font_char_data))
return e_Range;
+
/* append the new data to the new object */
memcpy(pcs->soft_font_char_data + pcs->soft_font_count, data + 2,
count - 2);
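Review bot: The bound on the changed `if` line is still evaluated as a sum, `pcs->soft_font_count + count - 2`, so if these are unsigned it can wrap when `count` is below 2 or the two operands are large, and a wrapped value would pass the check and reach the `memcpy` below. Whether `count >= 2` and a non-NULL `pcs->soft_font_char_data` are already guaranteed is not visible here, because `pcl_character_data` starts and ends outside the hunk. Comparing against the remaining space avoids the addition: take `cap = gs_object_size(pcs->memory, pcs->soft_font_char_data);` (declared with whatever type that call returns) and test `if (count < 2 || pcs->soft_font_count > cap || count - 2 > cap - pcs->soft_font_count) return e_Range;`. A short comment saying the allocator's recorded object size is the authoritative capacity, and why `font_data_size` is not, would help keep this regression from recurring.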