author | Chris Liddell <chris.liddell@artifex.com> | 2022-09-06 13:34:23 +0100 |
---|---|---|
committer | Chris Liddell <chris.liddell@artifex.com> | 2022-09-07 08:54:28 +0100 |
commit | 5ceff1f6e6cf17de4eb06729e0bb7bed040dcf55 (patch) | |
tree | 35e2a343cee58b610e244bea441705baad25a91d | |
parent | 0db229797418cc9b0b0df0221bd00125b8fd8daf (diff) | |
download | ghostpdl-5ceff1f6e6cf17de4eb06729e0bb7bed040dcf55.tar.gz |
oss-fuzz 51011: Bounds check CharString opstack for SEAC opcode.
-rw-r--r-- | base/gxtype1.c | 35 |
1 files changed, 20 insertions, 15 deletions
diff --git a/base/gxtype1.c b/base/gxtype1.c
index 27c44e1c5..b2b593a4c 100644
--- a/base/gxtype1.c
+++ b/base/gxtype1.c
@@ -548,21 +548,26 @@ c_return:
 case ce1_seac:
 goto do_seac;
 case ce1_callothersubr:
- switch (fixed2int_var(*csp)) {
- default:
- goto out;
- case 3:
- if (csp >= &(cstack[1]))
- csp -= 2;
- goto top;
- case 12:
- case 13:
- case 14:
- case 15:
- case 16:
- case 17:
- case 18:
- cnext;
+ if (CS_CHECK_CSTACK_BOUNDS(csp, cstack)) {
+ switch (fixed2int_var(*csp)) {
+ default:
+ goto out;
+ case 3:
+ if (csp >= &(cstack[1]))
+ csp -= 2;
+ goto top;
+ case 12:
+ case 13:
+ case 14:
+ case 15:
+ case 16:
+ case 17:
+ case 18:
+ cnext;
+ }
+ }
+ else {
+ return_error(gs_error_invalidfont);
 }
 }
 }
|
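Review bot: In `case 3` the retained guard `if (csp >= &(cstack[1]))` still skips the two-element pop silently when only one operand is on the stack and then continues at `top`, whereas the new outer check rejects an out-of-range `csp` with `gs_error_invalidfont`. Unless that tolerance is intentional (in which case a short comment saying so would help), failing the same way keeps malformed CharStrings from being parsed with an inconsistent stack: `if (csp < &(cstack[1])) return_error(gs_error_invalidfont);` followed by `csp -= 2;`. The commit title names the SEAC opcode, but this single hunk guards `ce1_callothersubr`; `case ce1_seac: goto do_seac;` is unchanged and the `do_seac` target lies outside the hunk, so it is worth confirming that any operand reads there are covered by an equivalent `CS_CHECK_CSTACK_BOUNDS` test. The enclosing function starts and ends outside this hunk.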