From 3f5736cb8a255cdfe00d59896dc39d050d1db00e Mon Sep 17 00:00:00 2001
From: Ken Sharp
Date: Mon, 19 Feb 2018 15:43:20 +0000
Subject: Add more bounds checking to type 2 font interpreter

Bug #699042 "stack out of bounds read in gs_type2_interpret, gstype2.c line 701"

The warning is caused by 'csp' being below the cstack bottom bound. Adding a check for that prevents this warning.

While we're here, add checks to the bounds of 'transient_array' which wasn't being checked previously.
---
 base/gstype2.c | 26 +++++++++++++++++++++++---
 base/gxtype1.h | 4 ++++
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/base/gstype2.c b/base/gstype2.c
index 23aeed155..9b4a4385f 100644
--- a/base/gstype2.c
+++ b/base/gstype2.c
@@ -626,6 +626,9 @@ gs_type2_interpret(gs_type1_state * pcis, const gs_glyph_data_t *pgd,
 float *to;
 const fixed *from = pcis->transient_array + fixed2int_var(csp[-1]);
 
+ if (!CS_CHECK_TRANSIENT_BOUNDS(from, pcis->transient_array))
+ return_error(gs_error_invalidfont);
+
 if (ind < countof(Registry)) {
 to = Registry[ind].values + offs;
 for (i = 0; i < n; ++i)
@@ -669,6 +672,8 @@ gs_type2_interpret(gs_type1_state * pcis, const gs_glyph_data_t *pgd,
 const float *from;
 fixed *to = pcis->transient_array + fixed2int_var(csp[-1]);
 
+ if (!CS_CHECK_TRANSIENT_BOUNDS(to, pcis->transient_array))
+ return_error(gs_error_invalidfont);
 if (ind < countof(Registry)) {
 from = Registry[ind].values;
 for (i = 0; i < n; ++i)
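Review bot: The added `CS_CHECK_TRANSIENT_BOUNDS(from, pcis->transient_array)` validates only the first element, yet the `for (i = 0; i < n; ++i)` loop that follows (its body is outside the hunk) appears to copy `n` consecutive entries starting at `from`, so an in-range start index combined with a large `n` still reads past the 32-entry `transient_array`; the hunk at -669 has the same gap for the store through `to`, where it is a write. Where `n` comes from is also outside the hunk, so unless it is already clamped there the check should cover the end of the run too, e.g. `if (n != 0 && !CS_CHECK_TRANSIENT_BOUNDS(from + n - 1, pcis->transient_array)) return_error(gs_error_invalidfont);`. Separately, here, at -669 and in both new blocks at -694, the pointer is formed from `fixed2int_var(...)` before it is checked, so a negative or very large operand already yields an out-of-bounds pointer that the macro then compares; validating the integer index against the array size before forming the pointer is the more robust form. A one-line comment above each check, `/* index comes straight from the charstring; reject out-of-range operands */`, would tell the next reader why it is there. The enclosing gs_type2_interpret body continues before and after the hunk.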
@@ -694,11 +699,26 @@ gs_type2_interpret(gs_type1_state * pcis, const gs_glyph_data_t *pgd,
 case ce2_put:
 if (!CS_CHECK_CSTACK_BOUNDS(&csp[-1], cstack))
 return_error(gs_error_invalidfont);
- pcis->transient_array[fixed2int_var(*csp)] = csp[-1];
- csp -= 2;
+ {
+ fixed *to = pcis->transient_array + fixed2int_var(*csp);
+
+ if (!CS_CHECK_TRANSIENT_BOUNDS(to, pcis->transient_array))
+ return_error(gs_error_invalidfont);
+
+ *to = csp[-1];
+ csp -= 2;
+ }
 break;
 case ce2_get:
- *csp = pcis->transient_array[fixed2int_var(*csp)];
+ if (!CS_CHECK_CSTACK_BOUNDS(csp, cstack))
+ return_error(gs_error_invalidfont);
+ {
+ fixed *from = pcis->transient_array + fixed2int_var(*csp);
+ if (!CS_CHECK_TRANSIENT_BOUNDS(from, pcis->transient_array))
+ return_error(gs_error_invalidfont);
+
+ *csp = *from;
+ }
 break;
 case ce2_ifelse:
 if (!CS_CHECK_CSTACK_BOUNDS(&csp[-3], cstack))
diff --git a/base/gxtype1.h b/base/gxtype1.h
index b8052dc95..6b27cf459 100644
--- a/base/gxtype1.h
+++ b/base/gxtype1.h
@@ -179,6 +179,10 @@ typedef fixed *cs_ptr;
 (csaddr >= &(cs[0]) && \
 csaddr < &(cs[ostack_size]))
 
+#define CS_CHECK_TRANSIENT_BOUNDS(csaddr, cs) \
+ (csaddr >= &(cs[0]) && \
+ csaddr < &(cs[32])) /* size defined in gs_type1_state_s above */
+
 #define CS_CHECK_PUSH(csp, cstack)\
 BEGIN\
 if (csp >= &cstack[countof(cstack)-1])\
-- 
cgit v1.2.1
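Review bot: `CS_CHECK_TRANSIENT_BOUNDS` hard-codes the array length as `32` with a comment pointing at `gs_type1_state_s`, so the check silently becomes wrong if `transient_array` is ever resized, while `CS_CHECK_PUSH` directly below already derives its bound with `countof(cstack)`. If `transient_array` is declared as a real array in that struct (its declaration is not visible here), the upper bound should be `csaddr < &(cs[countof(cs)])` and the comment can go. The macro also leaves `csaddr` and `cs` unparenthesized; that matches the existing `CS_CHECK_CSTACK_BOUNDS` above, but `(csaddr) >= &((cs)[0])` would make it safe for expression arguments.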