author Chris Liddell <chris.liddell@artifex.com> 2022-04-14 11:01:11 +0100
committer Chris Liddell <chris.liddell@artifex.com> 2022-04-14 11:26:37 +0100
commit 4fae247b37ae8c1115b6d13ff4e447c54aea9d8b
tree a2de15c7df0cdb819a93cf91b3c0f2d7dc653a98 /pdf/ghostpdf.c
parent 6cf95a4684ca336150bfe6cf1097e5047df508d9
oss-fuzz 46672: Avoid PS stack extensions from pdfi error
pdfi was using the standard gs_error_stackoverflow error code when the pdfi operand stack overflowed. Returning that to the Postscript interpreter caused the interpreter to attempt to extend the Postscript op stack with a new block with zero requested new elements. This, in turn, caused the garbage collector to traverse the previous op stack block, and find no longer valid objects, leading to trying to mark objects freed by a restore. The solution is to add a specific gs_error_pdf_stackoverflow, so we can still signal the appropriate error, but avoid confusing the Postscript interpreter.
Diffstat (limited to 'pdf/ghostpdf.c')
-rw-r--r-- pdf/ghostpdf.c 3
1 files changed, 2 insertions, 1 deletions
diff --git a/pdf/ghostpdf.c b/pdf/ghostpdf.c
index 6077d1cc1..439170290 100644
--- a/pdf/ghostpdf.c
+++ b/pdf/ghostpdf.c
@@ -347,6 +347,7 @@ const char *gs_error_strings[] = {
"unregistered",
"invalidcontext",
"invalidid",
+ "pdf_stackoverflow"
};
const char *gs_internal_error_strings[] = {
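Review bot: The new last entry `"pdf_stackoverflow"` drops the trailing comma that the unchanged `"invalidid",` line carries, so the next person to append a string without first adding a comma gets two adjacent literals silently concatenated into one element, and every later error name shifts by one index. Suggest writing it as `"pdf_stackoverflow",` to match the line above. Separately, this table is positional, so the entry is only correct if gs_error_pdf_stackoverflow is defined as the code immediately following gs_error_invalidid; that definition is not in this file's diff and is worth confirming in the header change that accompanies it.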
@@ -365,7 +366,7 @@ const char *gs_internal_error_strings[] = {
"handled",
"circular reference"
};
-#define LASTNORMALGSERROR gs_error_invalidid * -1
+#define LASTNORMALGSERROR gs_error_pdf_stackoverflow * -1
#define FIRSTINTERNALERROR gs_error_hit_detected * -1
#define LASTGSERROR gs_error_circular_reference * -1
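Review bot: The changed `LASTNORMALGSERROR` line has to be kept in step by hand with the last entry of gs_error_strings from the previous hunk, and nothing visible in this file enforces that; if a later commit adds an error code and updates only one of the two, a lookup bounded by this macro can index past the end of the string table. A compile-time check that relates the element count of gs_error_strings to LASTNORMALGSERROR would catch that drift at build time. As a smaller style point on the same line, the macro body `gs_error_pdf_stackoverflow * -1` is unparenthesised, like its two neighbours, so it depends on operator precedence at every use site; wrapping all three bodies in parentheses would remove that dependency.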