| From c501a58f8d5650c8ba21d447c0d6f07eafcb0f15 Mon Sep 17 00:00:00 2001 |
| From: Chris Liddell <chris.liddell@artifex.com> |
| Date: Fri, 16 Jun 2017 08:29:25 +0100 |
| Subject: [PATCH] Bug 698063: Bounds check Ins_JMPR |
| |
| --- |
| base/ttinterp.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| --- end of original header |
| |
| CVE: CVE-2017-9739 |
| |
| Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] |
| |
| Signed-off-by: Joe Slater <joe.slater@windriver.com> |
| |
| diff --git a/base/ttinterp.c b/base/ttinterp.c |
| index af457e8..adf3f0c 100644 |
| --- a/base/ttinterp.c |
| +++ b/base/ttinterp.c |
| @@ -1794,6 +1794,12 @@ static int nInstrCount=0; |
| |
| static void Ins_JMPR( INS_ARG ) |
| { |
| + if ( BOUNDS(CUR.IP + args[0], CUR.codeSize ) ) |
| + { |
| + CUR.error = TT_Err_Invalid_Reference; |
| + return; |
| + } |
| + |
| CUR.IP += (Int)(args[0]); |
| CUR.step_ins = FALSE; |
| |
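Review bot: The new guard in Ins_JMPR tests `CUR.IP + args[0]`, but the assignment right after it adds `(Int)(args[0])`, so the value that is checked and the value that is applied can differ if args[0] is wider than Int (the cast suggests it is; its declaration is outside the hunk). In that case truncation, or overflow in the unchecked sum, could let the stored IP land outside `CUR.codeSize` even though the check passed. Computing the target once in a local and reusing it closes the gap: test `BOUNDS(target, CUR.codeSize)` and then assign `CUR.IP = (Int)target;`. The BOUNDS macro and the rest of the function body are outside the hunk, so it is also worth confirming that BOUNDS rejects negative values, since a backward jump makes the sum negative. Any other relative-jump handlers in this file are not shown here and should be checked for the same guard.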
| -- |
| 1.7.9.5 |
| |