From 30d5e341367002ca5b853b6b651f63e97ba580d1 Mon Sep 17 00:00:00 2001

From: Chris Liddell <chris.liddell@artifex.com>

Date: Sat, 8 Oct 2016 16:10:27 +0100

Subject: [PATCH] Bug 697203: check for sufficient params in .sethalftone5

and param types

---

 base/gserrors.h |  1 +

 psi/zht2.c      | 12 ++++++++++--

 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/base/gserrors.h b/base/gserrors.h

index 24b5eb4..c7dbe18 100644

--- a/base/gserrors.h

+++ b/base/gserrors.h

@@ -33,6 +33,7 @@

 #define gs_error_limitcheck (-13)

 #define gs_error_nocurrentpoint (-14)

 #define gs_error_rangecheck (-15)

+#define gs_error_stackunderflow (-17)

 #define gs_error_typecheck (-20)

 #define gs_error_undefined (-21)

 #define gs_error_undefinedfilename (-22)

diff --git a/psi/zht2.c b/psi/zht2.c

index a53b71b..95fef4b 100644

--- a/psi/zht2.c

+++ b/psi/zht2.c

@@ -81,14 +81,22 @@ zsethalftone5(i_ctx_t *i_ctx_p)

     gs_memory_t *mem;

     uint edepth = ref_stack_count(&e_stack);

     int npop = 2;

-    int dict_enum = dict_first(op);

+    int dict_enum;

     ref rvalue[2];

     int cname, colorant_number;

     byte * pname;

     uint name_size;

     int halftonetype, type = 0;

     gs_state *pgs = igs;

-    int space_index = r_space_index(op - 1);

+    int space_index;

+

+    if (ref_stack_count(&o_stack) < 2)

+        return_error(gs_error_stackunderflow);

+    check_type(*op, t_dictionary);

+    check_type(*(op - 1), t_dictionary);

+

+    dict_enum = dict_first(op);

+    space_index = r_space_index(op - 1);

     mem = (gs_memory_t *) idmemory->spaces_indexed[space_index];

-- 

2.7.4