From 7c8a46b827063bea9318f30479eb7d6e519970c3 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Thu, 9 Mar 2023 13:04:14 +0000
Subject: Bug 706461: Fix fuzzing detected heap overflow.

Running:

gs "-I%%"

will cause gs_parse_file_name to be called with pname="%%" (no terminator!) and len == 2.

pdelim = pname + 1. So the test for pdelim[1] == 0 overruns the buffer.

The fix is simply to reverse the order of tests within the if.

Many thanks to Youngseok Choi for the report.
---
 base/gsfname.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'base')

diff --git a/base/gsfname.c b/base/gsfname.c
index 5ae100466..c8447f026 100644
--- a/base/gsfname.c
+++ b/base/gsfname.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2021 Artifex Software, Inc.
+/* Copyright (C) 2001-2023 Artifex Software, Inc.
    All Rights Reserved.
 
    This software is provided AS-IS with no warranty, either express or
@@ -47,7 +47,7 @@ gs_parse_file_name(gs_parsed_file_name_t * pfn, const char *pname, uint len,
 
         if (pdelim == NULL)     /* %device */
             dlen = len; /* gs strings aren't necessarily null terminated */
-        else if (pdelim[1] == 0 || pdelim - pname == len - 1) { /* %device% */
+        else if (pdelim - pname == len - 1 || pdelim[1] == 0) { /* %device% */
             pdelim = NULL;
             dlen = len;
         } else {
-- 
cgit v1.2.1
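Review bot: The new condition on the `else if` line is safe only because `||` short-circuits — `pdelim - pname == len - 1` has to be evaluated first so that `pdelim[1]` is never read when the delimiter is the last byte of an unterminated `pname` — yet nothing on the line records that the operand order is load-bearing, so a later tidy-up could swap it back and reintroduce the over-read. Add a comment on that line, e.g. `/* bound check first: pdelim[1] is only valid when pdelim is not the last byte, pname need not be NUL-terminated (Bug 706461) */`. The surviving `pdelim[1] == 0` test still treats an embedded NUL as a terminator, which matches the comment on the `dlen = len;` line above but is worth stating in the same comment so the two tests read as one contract. A regression input of the two-byte `%%` string from the description, run under an address sanitizer, would pin the fix. gs_parse_file_name's body begins and ends outside the hunk, so how `pdelim` is located cannot be checked here.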