Blame SOURCES/ghostscript-cve-2016-8602.patch

From 30d5e341367002ca5b853b6b651f63e97ba580d1 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Sat, 8 Oct 2016 16:10:27 +0100
Subject: [PATCH] Bug 697203: check for sufficient params in .sethalftone5
and param types
---
 base/gserrors.h |  1 +
 psi/zht2.c      | 12 ++++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/base/gserrors.h b/base/gserrors.h
3a994f
index 24b5eb4..c7dbe18 100644
3a994f
--- a/base/gserrors.h
3a994f
+++ b/base/gserrors.h
3a994f
@@ -33,6 +33,7 @@
3a994f
 #define gs_error_limitcheck (-13)
3a994f
 #define gs_error_nocurrentpoint (-14)
3a994f
 #define gs_error_rangecheck (-15)
3a994f
+#define gs_error_stackunderflow (-17)
3a994f
 #define gs_error_typecheck (-20)
3a994f
 #define gs_error_undefined (-21)
3a994f
 #define gs_error_undefinedfilename (-22)
3a994f
diff --git a/psi/zht2.c b/psi/zht2.c
3a994f
index a53b71b..95fef4b 100644
3a994f
--- a/psi/zht2.c
3a994f
+++ b/psi/zht2.c
3a994f
@@ -81,14 +81,22 @@ zsethalftone5(i_ctx_t *i_ctx_p)
3a994f
     gs_memory_t *mem;
3a994f
     uint edepth = ref_stack_count(&e_stack);
3a994f
     int npop = 2;
3a994f
-    int dict_enum = dict_first(op);
3a994f
+    int dict_enum;
3a994f
     ref rvalue[2];
3a994f
     int cname, colorant_number;
3a994f
     byte * pname;
3a994f
     uint name_size;
3a994f
     int halftonetype, type = 0;
3a994f
     gs_state *pgs = igs;
3a994f
-    int space_index = r_space_index(op - 1);
3a994f
+    int space_index;
3a994f
+
3a994f
+    if (ref_stack_count(&o_stack) < 2)
3a994f
+        return_error(gs_error_stackunderflow);
3a994f
+    check_type(*op, t_dictionary);
3a994f
+    check_type(*(op - 1), t_dictionary);
3a994f
+
3a994f
+    dict_enum = dict_first(op);
3a994f
+    space_index = r_space_index(op - 1);
3a994f
 
3a994f
     mem = (gs_memory_t *) idmemory->spaces_indexed[space_index];
3a994f
 
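Review bot: The new guard block in zsethalftone5 has no comment explaining why `dict_first(op)` and `r_space_index(op - 1)` were moved out of the declarations, so a later tidy-up could fold them back into initializers and read `op` and `op - 1` before they are validated. I would add, above the `ref_stack_count` test, something like `/* Both operands must be present and be dictionaries before op or op - 1 is read; space_index is used to index idmemory->spaces_indexed[] below. */`. Separately, `ref_stack_count(&o_stack)` counts the whole operand stack while `op - 1` is plain pointer arithmetic; if the stack can be split across storage blocks, it is worth confirming that the two operands are always contiguous, which is not visible from this hunk. The function body starts before and continues after the hunk, so later uses of the operands could not be checked here.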
-- 
2.7.4