1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
|
From: Chris Liddell <chris.liddell@artifex.com>
Date: Mon, 12 Jun 2017 13:08:40 +0100
Subject: Bug 698024: bounds check zone pointer in Ins_MIRP()
Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c7c55972758a93350882c32147801a3485b010fe
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9611
Bug-Debian: https://bugs.debian.org/869917
Bug: https://bugs.ghostscript.com/show_bug.cgi?id=698024
---
base/ttinterp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/base/ttinterp.c b/base/ttinterp.c
index e56aec68d..f6a6d95fe 100644
--- a/base/ttinterp.c
+++ b/base/ttinterp.c
@@ -3858,7 +3858,8 @@ static int nInstrCount=0;
/* XXX: UNDOCUMENTED! cvt[-1] = 0 always */
if ( BOUNDS( args[0], CUR.zp1.n_points ) ||
- BOUNDS( args[1]+1, CUR.cvtSize+1 ) )
+ BOUNDS( args[1]+1, CUR.cvtSize+1 ) ||
+ BOUNDS(CUR.GS.rp0, CUR.zp0.n_points) )
{
CUR.error = TT_Err_Invalid_Reference;
return;
--
2.14.2
|