blob: a2f7bfa506905df2cd74bbd122a7c2143455faac (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
From 937ccd17ac65935633b2ebc06cb7089b91e17e6b Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 15 Jun 2017 09:05:20 +0100
Subject: [PATCH] Bug 698056: make bounds check in gx_ttfReader__Read more
robust
---
base/gxttfb.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- end of original header
CVE: CVE-2017-9727
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
Signed-off-by: Joe Slater <joe.slater@windriver.com>
diff --git a/base/gxttfb.c b/base/gxttfb.c
index 0e9a444..e1561af 100644
--- a/base/gxttfb.c
+++ b/base/gxttfb.c
@@ -79,7 +79,8 @@ static void gx_ttfReader__Read(ttfReader *self, void *p, int n)
if (!r->error) {
if (r->extra_glyph_index != -1) {
q = r->glyph_data.bits.data + r->pos;
- r->error = (r->glyph_data.bits.size - r->pos < n ?
+ r->error = ((r->pos >= r->glyph_data.bits.size ||
+ r->glyph_data.bits.size - r->pos < n) ?
gs_note_error(gs_error_invalidfont) : 0);
if (r->error == 0)
memcpy(p, q, n);
--
1.7.9.5
|
