| From 7755e67116e8973ee0e3b22d653df026a84fa01b Mon Sep 17 00:00:00 2001 |
| From: Chris Liddell <chris.liddell@artifex.com> |
| Date: Thu, 15 Jun 2017 08:58:31 +0100 |
| Subject: [PATCH] Bug 698055: bounds check zone pointer in Ins_MDRP |
| |
| --- |
| base/ttinterp.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- end of original header |
| |
| CVE: CVE-2017-9726 |
| |
| Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] |
| |
| Signed-off-by: Joe Slater <joe.slater@windriver.com> |
| diff --git a/base/ttinterp.c b/base/ttinterp.c |
| index e7c9d68..af457e8 100644 |
| --- a/base/ttinterp.c |
| +++ b/base/ttinterp.c |
| @@ -3770,7 +3770,8 @@ static int nInstrCount=0; |
| |
| point = (Int)args[0]; |
| |
| - if ( BOUNDS( args[0], CUR.zp1.n_points ) ) |
| + if ( BOUNDS( args[0], CUR.zp1.n_points ) || |
| + BOUNDS( CUR.GS.rp0, CUR.zp0.n_points) ) |
| { |
| /* Current version of FreeType silently ignores this out of bounds error |
| * and drops the instruction, see bug #691121 |
| -- |
| 1.7.9.5 |
| |