1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38
|
Description: CVE-2016-8602: check for sufficient params in .sethalftone5 and param types
Origin: backport, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78
Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697203
Bug-Debian: https://bugs.debian.org/840451
Forwarded: not-needed
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2016-10-11
---
psi/zht2.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/psi/zht2.c
+++ b/psi/zht2.c
@@ -81,14 +81,22 @@ zsethalftone5(i_ctx_t *i_ctx_p)
gs_memory_t *mem;
uint edepth = ref_stack_count(&e_stack);
int npop = 2;
- int dict_enum = dict_first(op);
+ int dict_enum;
ref rvalue[2];
int cname, colorant_number;
byte * pname;
uint name_size;
int halftonetype, type = 0;
gs_state *pgs = igs;
- int space_index = r_space_index(op - 1);
+ int space_index;
+
+ if (ref_stack_count(&o_stack) < 2)
+ return_error(e_stackunderflow);
+ check_type(*op, t_dictionary);
+ check_type(*(op - 1), t_dictionary);
+
+ dict_enum = dict_first(op);
+ space_index = r_space_index(op - 1);
mem = (gs_memory_t *) idmemory->spaces_indexed[space_index];
|