| From f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78 Mon Sep 17 00:00:00 2001 |
| From: Chris Liddell <chris.liddell@artifex.com> |
| Date: Sat, 8 Oct 2016 16:10:27 +0100 |
| Subject: [PATCH] Bug 697203: check for sufficient params in .sethalftone5 |
| |
| and param types |
| |
| Upstream-Status: Backport |
| CVE: CVE-2016-8602 |
| |
| Signed-off-by: Catalin Enache <catalin.enache@windriver.com> |
| --- |
| psi/zht2.c | 12 ++++++++++-- |
| 1 file changed, 10 insertions(+), 2 deletions(-) |
| |
| diff --git a/psi/zht2.c b/psi/zht2.c |
| index fb4a264..dfa27a4 100644 |
| --- a/psi/zht2.c |
| +++ b/psi/zht2.c |
| @@ -82,14 +82,22 @@ zsethalftone5(i_ctx_t *i_ctx_p) |
| gs_memory_t *mem; |
| uint edepth = ref_stack_count(&e_stack); |
| int npop = 2; |
| - int dict_enum = dict_first(op); |
| + int dict_enum; |
| ref rvalue[2]; |
| int cname, colorant_number; |
| byte * pname; |
| uint name_size; |
| int halftonetype, type = 0; |
| gs_gstate *pgs = igs; |
| - int space_index = r_space_index(op - 1); |
| + int space_index; |
| + |
| + if (ref_stack_count(&o_stack) < 2) |
| + return_error(gs_error_stackunderflow); |
| + check_type(*op, t_dictionary); |
| + check_type(*(op - 1), t_dictionary); |
| + |
| + dict_enum = dict_first(op); |
| + space_index = r_space_index(op - 1); |
| |
| mem = (gs_memory_t *) idmemory->spaces_indexed[space_index]; |
| |
| -- |
| 2.10.2 |
| |