author | Robin Watts <Robin.Watts@artifex.com> | 2023-03-09 13:04:14 +0000 |
---|---|---|
committer | Robin Watts <Robin.Watts@artifex.com> | 2023-03-09 13:07:58 +0000 |
commit | 7c8a46b827063bea9318f30479eb7d6e519970c3 (patch) | |
tree | cb2558992019028e64dd4a79b33048f5279258c0 /base | |
parent | aed69e8fb4116974ecdf2401ba1df7ac2ef7b996 (diff) | |
download | ghostpdl-7c8a46b827063bea9318f30479eb7d6e519970c3.tar.gz |
Bug 706461: Fix fuzzing detected heap overflow.
Running:
gs "-I%%"
will cause gs_parse_file_name to be called with pname="%%" (no
terminator!) and len == 2. pdelim = pname + 1.
So the test for pdelim[1] == 0 overruns the buffer.
The fix is simply to reverse the order of tests within
the if.
Many thanks to Youngseok Choi for the report.
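The overrun described in the commit message, worked through in an added C example that is not Ghostscript's code: a minimal parser for a `%device%file` name held in a buffer that carries no NUL terminator. The function `parse_device_name`, the `parsed_name_t` struct and the field semantics are assumptions made for illustration; only the delimiter test mirrors the corrected condition, with the length test placed before the `pdelim[1]` test so that `"%%"` with `len == 2` never reads past the buffer.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not Ghostscript code. Parses "%device", "%device%" or
 * "%device%file" from a (pointer, length) pair that is NOT guaranteed to
 * be NUL-terminated. Struct and field names are assumptions. */
typedef struct {
    const char *dev;   /* start of device name (after the leading '%') */
    size_t      dlen;  /* device name length */
    const char *file;  /* start of the file part, or NULL if none */
    size_t      flen;  /* file part length */
} parsed_name_t;

/* Returns 0 on success, -1 if the name does not start with '%'. */
int parse_device_name(const char *pname, size_t len, parsed_name_t *out)
{
    const char *pdelim;

    if (len == 0 || pname[0] != '%')
        return -1;
    /* Search for the second '%' only within len: memchr never reads
     * beyond the buffer, unlike a strchr on an unterminated string. */
    pdelim = memchr(pname + 1, '%', len - 1);
    out->dev = pname + 1;
    if (pdelim == NULL) {                               /* %device */
        out->dlen = len - 1;
        out->file = NULL; out->flen = 0;
    } else if ((size_t)(pdelim - pname) == len - 1      /* %device% */
               || pdelim[1] == 0) {
        /* The length test must come first: when the closing '%' is the
         * last byte, pdelim[1] is one past the end of the buffer, which
         * is exactly the "%%" / len == 2 overrun the commit fixes. The
         * short-circuit of || keeps pdelim[1] from being evaluated. */
        out->dlen = (size_t)(pdelim - pname) - 1;
        out->file = NULL; out->flen = 0;
    } else {                                            /* %device%file */
        out->dlen = (size_t)(pdelim - pname) - 1;
        out->file = pdelim + 1;
        out->flen = len - (size_t)(pdelim - pname) - 1;
    }
    return 0;
}
```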
Diffstat (limited to 'base')
-rw-r--r-- | base/gsfname.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/base/gsfname.c b/base/gsfname.c index 5ae100466..c8447f026 100644 --- a/base/gsfname.c +++ b/base/gsfname.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2001-2021 Artifex Software, Inc. +/* Copyright (C) 2001-2023 Artifex Software, Inc. All Rights Reserved. This software is provided AS-IS with no warranty, either express or @@ -47,7 +47,7 @@ gs_parse_file_name(gs_parsed_file_name_t * pfn, const char *pname, uint len, if (pdelim == NULL) /* %device */ dlen = len; /* gs strings aren't necessarily null terminated */ - else if (pdelim[1] == 0 || pdelim - pname == len - 1) { /* %device% */ + else if (pdelim - pname == len - 1 || pdelim[1] == 0) { /* %device% */ pdelim = NULL; dlen = len; } else { |
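Review bot: the corrected condition in gs_parse_file_name is only safe because `||` short-circuits, so the `pdelim - pname == len - 1` test must stay first; the hunk does not say so, and a comment on that line would keep a later cleanup from swapping the operands back, e.g. extending the existing note to `/* %device% -- length test first: pname need not be NUL terminated */`. The preceding line's comment ("gs strings aren't necessarily null terminated") already states the invariant, so the `pdelim[1] == 0` test that remains after the length check should be documented as applying only when `pdelim + 1` is still inside the `len` bytes.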