1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
From 1b516be5f6829ab6ce37835529ba08abd6d18663 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 21 Aug 2018 16:42:45 +0100
Subject: [PATCH 2/5] Bug 699656: Handle LockDistillerParams not being a
boolean
This caused a function call commented as "Can't fail" to fail, and resulted
in memory correuption and a segfault.
CVE: CVE-2018-15910
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
devices/vector/gdevpdfp.c | 2 +-
psi/iparam.c | 7 ++++---
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c
index 522db7a..f2816b9 100644
--- a/devices/vector/gdevpdfp.c
+++ b/devices/vector/gdevpdfp.c
@@ -364,7 +364,7 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par
* LockDistillerParams is read again, and reset if necessary, in
* psdf_put_params.
*/
- ecode = param_read_bool(plist, "LockDistillerParams", &locked);
+ ecode = param_read_bool(plist, (param_name = "LockDistillerParams"), &locked);
if (ecode < 0)
param_signal_error(plist, param_name, ecode);
diff --git a/psi/iparam.c b/psi/iparam.c
index 68c20d4..0279455 100644
--- a/psi/iparam.c
+++ b/psi/iparam.c
@@ -822,10 +822,11 @@ static int
ref_param_read_signal_error(gs_param_list * plist, gs_param_name pkey, int code)
{
iparam_list *const iplist = (iparam_list *) plist;
- iparam_loc loc;
+ iparam_loc loc = {0};
- ref_param_read(iplist, pkey, &loc, -1); /* can't fail */
- *loc.presult = code;
+ ref_param_read(iplist, pkey, &loc, -1);
+ if (loc.presult)
+ *loc.presult = code;
switch (ref_param_read_get_policy(plist, pkey)) {
case gs_param_policy_ignore:
return 0;
--
2.8.1
|