From 1b516be5f6829ab6ce37835529ba08abd6d18663 Mon Sep 17 00:00:00 2001 From: Chris Liddell Date: Tue, 21 Aug 2018 16:42:45 +0100 Subject: [PATCH 2/5] Bug 699656: Handle LockDistillerParams not being a boolean This caused a function call commented as "Can't fail" to fail, and resulted in memory correuption and a segfault. CVE: CVE-2018-15910 Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] Signed-off-by: Hongxu Jia --- devices/vector/gdevpdfp.c | 2 +- psi/iparam.c | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c index 522db7a..f2816b9 100644 --- a/devices/vector/gdevpdfp.c +++ b/devices/vector/gdevpdfp.c @@ -364,7 +364,7 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par * LockDistillerParams is read again, and reset if necessary, in * psdf_put_params. */ - ecode = param_read_bool(plist, "LockDistillerParams", &locked); + ecode = param_read_bool(plist, (param_name = "LockDistillerParams"), &locked); if (ecode < 0) param_signal_error(plist, param_name, ecode); diff --git a/psi/iparam.c b/psi/iparam.c index 68c20d4..0279455 100644 --- a/psi/iparam.c +++ b/psi/iparam.c @@ -822,10 +822,11 @@ static int ref_param_read_signal_error(gs_param_list * plist, gs_param_name pkey, int code) { iparam_list *const iplist = (iparam_list *) plist; - iparam_loc loc; + iparam_loc loc = {0}; - ref_param_read(iplist, pkey, &loc, -1); /* can't fail */ - *loc.presult = code; + ref_param_read(iplist, pkey, &loc, -1); + if (loc.presult) + *loc.presult = code; switch (ref_param_read_get_policy(plist, pkey)) { case gs_param_policy_ignore: return 0; -- 2.8.1