blob: 3e6c65699d6f47948ce706d7bb0d41974277cba2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
From 7755e67116e8973ee0e3b22d653df026a84fa01b Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 15 Jun 2017 08:58:31 +0100
Subject: [PATCH] Bug 698055: bounds check zone pointer in Ins_MDRP
---
base/ttinterp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- end of original header
CVE: CVE-2017-9726
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
Signed-off-by: Joe Slater <joe.slater@windriver.com>
diff --git a/base/ttinterp.c b/base/ttinterp.c
index e7c9d68..af457e8 100644
--- a/base/ttinterp.c
+++ b/base/ttinterp.c
@@ -3770,7 +3770,8 @@ static int nInstrCount=0;
point = (Int)args[0];
- if ( BOUNDS( args[0], CUR.zp1.n_points ) )
+ if ( BOUNDS( args[0], CUR.zp1.n_points ) ||
+ BOUNDS( CUR.GS.rp0, CUR.zp0.n_points) )
{
/* Current version of FreeType silently ignores this out of bounds error
* and drops the instruction, see bug #691121
--
1.7.9.5
|
