| 1 | From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001 |
| 2 | From: Chris Liddell <chris.liddell@artifex.com> |
| 3 | Date: Thu, 6 Apr 2017 16:44:54 +0100 |
| 4 | Subject: [PATCH] Bug 697548: use the correct param list enumerator |
| 5 | |
| 6 | When we encountered a dictionary in a ref_param_list, we were using the enumerator |
| 7 | for the "parent" param_list, rather than the enumerator for the param_list |
| 8 | we just created for the dictionary. That parent was usually the stack |
| 9 | list enumerator, and caused a segfault. |
| 10 | |
| 11 | Using the correct enumerator works better. |
| 12 | |
| 13 | Upstream-Status: Backport |
| 14 | CVE: CVE-2017-5951 |
| 15 | |
| 16 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> |
| 17 | --- |
| 18 | psi/iparam.c | 7 ++++--- |
| 19 | 1 file changed, 4 insertions(+), 3 deletions(-) |
| 20 | |
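--- a/psi/iparam.c
+++ b/psi/iparam.c
@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
 gs_param_enumerator_t enumr;
 gs_param_key_t key;
 ref_type keytype;
+ dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
 
 param_init_enumerator(&enumr);
- if (!(*((iparam_list *) plist)->enumerate)
- ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
+ if (!(*(dlist->enumerate))
+ ((iparam_list *) dlist, &enumr, &key, &keytype)
 && keytype == t_integer) {
- ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
+ dlist->int_keys = 1;
 pvalue->type = gs_param_type_dict_int_keys;
 }
 }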
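Review bot: The new `dlist` declaration downcasts `pvalue->value.d.list` to `dict_param_list *`, and the next statement calls through `dlist->enumerate` with no check that the pointer is non-NULL or that the list really is the dictionary list. The code that creates the list is outside the hunk, so that invariant cannot be confirmed here. Since the bug being fixed was a mismatch between a list and the enumerator applied to it, I would state the invariant at the cast, e.g. `/* value.d.list is the dict_param_list created for this dictionary above; enumerate it with its own enumerator, never the parent's */`. Separately, `!(*(dlist->enumerate))(...)` treats every non-zero return alike, so an enumeration error presumably leaves the type as a plain dict without being reported; worth confirming that is intended. ref_param_read_typed starts and ends outside the hunk.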
| 42 | -- |
| 43 | 2.10.2 |
| 44 | |