authorRobin Watts <Robin.Watts@artifex.com>2023-03-09 14:28:27 +0000
committerRobin Watts <Robin.Watts@artifex.com>2023-03-09 14:54:42 +0000
commit83dd76adacff09f09d564aaf8fd3949dd1c08478 (patch)
tree7a4a60d881455bb0666af901e479752a6e393780 /base
parenta0f1568d64d43ff35260083b39f6f17e925a29ee (diff)
downloadghostpdl-83dd76adacff09f09d564aaf8fd3949dd1c08478.tar.gz
Bug 706462: Fix heap overflow bug in command line dict parsing.
In the command line dictionary parsing, we were assuming that there would be a close dict marker (">>") in the string buffer after parsing completes. When that wasn't there we might overrun the buffer. Now check for it being there and raise a syntax error if not. Thanks to Younseok Choi for the bug report.
Diffstat (limited to 'base')
-rw-r--r--base/gsparaml.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/base/gsparaml.c b/base/gsparaml.c
index 30f8c9ebd..1ef4b9da9 100644
--- a/base/gsparaml.c
+++ b/base/gsparaml.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2022 Artifex Software, Inc.
+/* Copyright (C) 2001-2023 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -107,7 +107,12 @@ process_dict(gs_memory_t *mem, gs_c_param_list *plist, gs_param_name key, char *
dict.size = 0;
code = add_tokens(dict.list, NULL, p, &dict.size);
- (*p) += 2;
+ if (code >= 0) {
+ if ((*p)[0] != '>' || (*p)[1] != '>')
+ code = gs_error_syntaxerror;
+ else
+ (*p) += 2;
+ }
code2 = param_end_write_dict((gs_param_list *)plist, key, &dict);
return code < 0 ? code : code2;
}
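Review bot: The new `>>` check in process_dict has no comment, and it depends on two things this hunk does not state. It appears to assume the buffer is NUL-terminated, so that `(*p)[1]` is only read once `(*p)[0]` has matched `'>'`, and it assumes add_tokens leaves `*p` at the first unconsumed character on success. I would add a comment above the `if (code >= 0)` block, for example `/* add_tokens can succeed at end of input without seeing ">>"; only skip the marker if it is really there. */`. Separately, the new syntax-error path still hands the dict to param_end_write_dict; whether that publishes a partially parsed dictionary into plist cannot be seen from here and is worth confirming. The start of process_dict is outside the hunk.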
@@ -682,6 +687,7 @@ add_tokens(gs_param_list *plist, gs_param_name key, char **pp, uint *dict_count)
return code;
}
+ *pp = p;
return 0;
}
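Review bot: The contract process_dict now relies on, that add_tokens stores the first unconsumed position in `*pp` on a successful return, is not documented, and only this final `return 0;` is visible in the hunk. The error return just above (`return code;`) leaves `*pp` untouched, which is fine for the caller because it tests `code >= 0` before looking at the pointer. Any other success return earlier in add_tokens, outside this hunk, would need the same update for the caller's terminator check to be meaningful. I would add a comment before the assignment, e.g. `/* On success, report how far we parsed so the caller can verify the terminator. */`, and describe `pp` as an in/out parameter in the function's header comment.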