874becfd01
CVE-2017-8291 - Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program, as exploited in the wild in April 2017. For more details, see https://bugzilla.suse.com/show_bug.cgi?id=1036453 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
34 lines
974 B
Diff
34 lines
974 B
Diff
From 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 Mon Sep 17 00:00:00 2001
|
|
From: Chris Liddell <chris.liddell@artifex.com>
|
|
Date: Thu, 27 Apr 2017 13:03:33 +0100
|
|
Subject: [PATCH] Bug 697799: have .eqproc check its parameters
|
|
|
|
The Ghostscript custom operator .eqproc was not check the number or type of
|
|
the parameters it was given.
|
|
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
---
|
|
psi/zmisc3.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/psi/zmisc3.c b/psi/zmisc3.c
|
|
index 54b304246..37293ff4b 100644
|
|
--- a/psi/zmisc3.c
|
|
+++ b/psi/zmisc3.c
|
|
@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
|
|
ref2_t stack[MAX_DEPTH + 1];
|
|
ref2_t *top = stack;
|
|
|
|
+ if (ref_stack_count(&o_stack) < 2)
|
|
+ return_error(gs_error_stackunderflow);
|
|
+ if (!r_is_array(op - 1) || !r_is_array(op)) {
|
|
+ return_error(gs_error_typecheck);
|
|
+ }
|
|
+
|
|
make_array(&stack[0].proc1, 0, 1, op - 1);
|
|
make_array(&stack[0].proc2, 0, 1, op);
|
|
for (;;) {
|
|
--
|
|
2.11.0
|
|
|