author | Robin Watts <Robin.Watts@artifex.com> | 2023-03-09 14:28:27 +0000 |
---|---|---|
committer | Robin Watts <Robin.Watts@artifex.com> | 2023-03-09 14:54:42 +0000 |
commit | 83dd76adacff09f09d564aaf8fd3949dd1c08478 (patch) | |
tree | 7a4a60d881455bb0666af901e479752a6e393780 /base | |
parent | a0f1568d64d43ff35260083b39f6f17e925a29ee (diff) | |
download | ghostpdl-83dd76adacff09f09d564aaf8fd3949dd1c08478.tar.gz |
Bug 706462: Fix heap overflow bug in command line dict parsing.
In the command line dictionary parsing, we were assuming
that there would be a close dict marker (">>") in the string
buffer after parsing completes. When that wasn't there
we might overrun the buffer.
Now check for it being there and raise a syntax error if not.
Thanks to Younseok Choi for the bug report.
Diffstat (limited to 'base')
-rw-r--r-- | base/gsparaml.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/base/gsparaml.c b/base/gsparaml.c
index 30f8c9ebd..1ef4b9da9 100644
--- a/base/gsparaml.c
+++ b/base/gsparaml.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2022 Artifex Software, Inc.
+/* Copyright (C) 2001-2023 Artifex Software, Inc.
 All Rights Reserved.
 
 This software is provided AS-IS with no warranty, either express or
@@ -107,7 +107,12 @@ process_dict(gs_memory_t *mem, gs_c_param_list *plist, gs_param_name key, char *
 
 dict.size = 0;
 code = add_tokens(dict.list, NULL, p, &dict.size);
- (*p) += 2;
+ if (code >= 0) {
+ if ((*p)[0] != '>' || (*p)[1] != '>')
+ code = gs_error_syntaxerror;
+ else
+ (*p) += 2;
+ }
 code2 = param_end_write_dict((gs_param_list *)plist, key, &dict);
 return code < 0 ? code : code2;
 }
@@ -682,6 +687,7 @@ add_tokens(gs_param_list *plist, gs_param_name key, char **pp, uint *dict_count)
 return code;
 }
 
+ *pp = p;
 return 0;
 }
 
|
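Review bot: The new `>>` test in process_dict (second hunk) is safe only because of its evaluation order, and nothing next to it says so. When parsing stops at the end of the string, presumably a terminating NUL, `(*p)[0] != '>'` is already true and `||` short-circuits, so `(*p)[1]` is never read. I would put a comment above the test, for example `/* *p is where add_tokens() stopped; test [0] first so a NUL there keeps [1] from being read */`, so that a later rewrite into a two-byte compare does not bring the over-read back. The test also depends on add_tokens() having written its final position back through `p`, which the last hunk adds. process_dict begins outside this hunk.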
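Review bot: In add_tokens (third hunk) `*pp = p;` is written only before the final `return 0;`, while the `return code;` just above leaves `*pp` as the caller passed it, and this asymmetry is undocumented. process_dict now trusts the updated position whenever `code >= 0`, so any other non-negative return inside add_tokens would make the `>>` check inspect a stale position; the function body starts outside this hunk, so I cannot tell whether such a return exists. I would state the contract in the function's header comment, e.g. `/* On success *pp is advanced to the first unconsumed character; on error *pp is not updated. */`, and confirm that every success path passes through this assignment.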