authorRobin Watts <Robin.Watts@artifex.com>2023-03-09 13:04:14 +0000
committerRobin Watts <Robin.Watts@artifex.com>2023-03-09 13:07:58 +0000
commit7c8a46b827063bea9318f30479eb7d6e519970c3 (patch)
treecb2558992019028e64dd4a79b33048f5279258c0 /base
parentaed69e8fb4116974ecdf2401ba1df7ac2ef7b996 (diff)
Bug 706461: Fix fuzzing detected heap overflow.
Running: gs "-I%%" will cause gs_parse_file_name to be called with pname="%%" (no terminator!) and len == 2. pdelim = pname + 1. So the test for pdelim[1] == 0 overruns the buffer. The fix is simply to reverse the order of tests within the if. Many thanks to Youngseok Choi for the report.
Diffstat (limited to 'base')
-rw-r--r--base/gsfname.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/base/gsfname.c b/base/gsfname.c
index 5ae100466..c8447f026 100644
--- a/base/gsfname.c
+++ b/base/gsfname.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2021 Artifex Software, Inc.
+/* Copyright (C) 2001-2023 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -47,7 +47,7 @@ gs_parse_file_name(gs_parsed_file_name_t * pfn, const char *pname, uint len,
if (pdelim == NULL) /* %device */
dlen = len;
/* gs strings aren't necessarily null terminated */
- else if (pdelim[1] == 0 || pdelim - pname == len - 1) { /* %device% */
+ else if (pdelim - pname == len - 1 || pdelim[1] == 0) { /* %device% */
pdelim = NULL;
dlen = len;
} else {
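Review bot: The safety of `pdelim[1] == 0` on the changed `else if` line now rests entirely on short-circuit evaluation order, and the existing comment above it ("gs strings aren't necessarily null terminated") does not say the order matters, so a later tidy-up could reintroduce the out-of-bounds read. I would extend that comment to something like `/* pname is not NUL-terminated: confirm pdelim is not the last byte before reading pdelim[1] */`. The comparison also mixes a pointer difference with `len - 1` computed as uint, which would wrap if len were 0; that case is presumably excluded by the code that sets pdelim, but that code is outside this hunk, as is the rest of gs_parse_file_name. A regression case for the `-I%%` input from the commit message, run under a memory sanitizer, would pin the fix.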