35 lines
980 B
Diff
35 lines
980 B
Diff
From c7c55972758a93350882c32147801a3485b010fe Mon Sep 17 00:00:00 2001
|
|
From: Chris Liddell <chris.liddell@artifex.com>
|
|
Date: Mon, 12 Jun 2017 13:08:40 +0100
|
|
Subject: [PATCH] Bug 698024: bounds check zone pointer in Ins_MIRP()
|
|
|
|
---
|
|
base/ttinterp.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
--- end of original header
|
|
|
|
CVE: CVE-2017-9611
|
|
|
|
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
|
|
|
|
Signed-off-by: Joe Slater <joe.slater@windriver.com>
|
|
|
|
diff --git a/base/ttinterp.c b/base/ttinterp.c
|
|
index e56aec6..f6a6d95 100644
|
|
--- a/base/ttinterp.c
|
|
+++ b/base/ttinterp.c
|
|
@@ -3858,7 +3858,8 @@ static int nInstrCount=0;
|
|
/* XXX: UNDOCUMENTED! cvt[-1] = 0 always */
|
|
|
|
if ( BOUNDS( args[0], CUR.zp1.n_points ) ||
|
|
- BOUNDS( args[1]+1, CUR.cvtSize+1 ) )
|
|
+ BOUNDS( args[1]+1, CUR.cvtSize+1 ) ||
|
|
+ BOUNDS(CUR.GS.rp0, CUR.zp0.n_points) )
|
|
{
|
|
CUR.error = TT_Err_Invalid_Reference;
|
|
return;
|
|
--
|
|
1.7.9.5
|
|
|