From fac7eb144135f3ed8fbb0028ab1f33ce4dcc1985 Mon Sep 17 00:00:00 2001

From: Ken Sharp <ken.sharp@artifex.com>

Date: Fri, 21 Sep 2018 13:02:56 +0100

Subject: [PATCH 1/3] Check all uses of dict_find* to ensure 0 return properly

 handled

dict_find and friends have the surprising quirk of returning < 0 for

an error and > 0 for no error. But they can also return 0 which means

'not found' without it being an error.

From bug 699801, if the code assumes the usual case where 0 is a success

then an attempt might be made to use the empty dictionary slot returned

by dict_find*, which can lead to seg faults, and certainly won't have

the expected result.

---

 psi/icontext.c |  4 ++--

 psi/zcid.c     |  6 ++++--

 psi/zfapi.c    | 33 ++++++++++++++++++---------------

 psi/zfcid0.c   | 39 +++++++++++++++++++++++++++++----------

 psi/zfcid1.c   | 14 ++++++++++----

 psi/zicc.c     |  4 ++++

 psi/zpdf_r6.c  | 31 +++++++++++++++++++++++--------

 psi/ztoken.c   |  2 +-

 8 files changed, 91 insertions(+), 42 deletions(-)

diff --git a/psi/icontext.c b/psi/icontext.c

index 4db78e0..1fbe486 100644

--- a/psi/icontext.c

+++ b/psi/icontext.c

@@ -162,7 +162,7 @@ context_state_alloc(gs_context_state_t ** ppcst,

         uint size;

         ref *system_dict = &pcst->dict_stack.system_dict;

-        if (dict_find_string(system_dict, "userparams", &puserparams) >= 0)

+        if (dict_find_string(system_dict, "userparams", &puserparams) > 0)

             size = dict_length(puserparams);

         else

             size = 300;

@@ -286,7 +286,7 @@ context_state_store(gs_context_state_t * pcst)

         /* We need i_ctx_p for access to the d_stack. */

         i_ctx_t *i_ctx_p = pcst;

-        if (dict_find_string(systemdict, "userparams", &puserparams) < 0)

+        if (dict_find_string(systemdict, "userparams", &puserparams) <= 0)

             return_error(gs_error_Fatal);

         pcst->userparams = *puserparams;

     }

diff --git a/psi/zcid.c b/psi/zcid.c

index e394877..5c98fc9 100644

--- a/psi/zcid.c

+++ b/psi/zcid.c

@@ -72,11 +72,13 @@ TT_char_code_from_CID_no_subst(const gs_memory_t *mem,

     } else

         return false; /* Must not happen. */

     for (;n--; i++) {

+        int code;

+

         if (array_get(mem, DecodingArray, i, &char_code1) < 0 ||

             !r_has_type(&char_code1, t_integer))

             return false; /* Must not happen. */

-        if (dict_find(TT_cmap, &char_code1, &glyph_index) >= 0 &&

-                r_has_type(glyph_index, t_integer)) {

+        code = dict_find(TT_cmap, &char_code1, &glyph_index);

+        if (code > 0 && r_has_type(glyph_index, t_integer)) {

             *c = glyph_index->value.intval;

             found = true;

             if (*c != 0)

diff --git a/psi/zfapi.c b/psi/zfapi.c

index 48e1d54..1b687b0 100644

--- a/psi/zfapi.c

+++ b/psi/zfapi.c

@@ -1826,6 +1826,9 @@ FAPI_get_xlatmap(i_ctx_t *i_ctx_p, char **xlatmap)

     if ((code = dict_find_string(systemdict, ".xlatmap", &pref)) < 0)

         return code;

+    if (code == 0)

+        return_error(gs_error_undefined);

+

     if (r_type(pref) != t_string)

         return_error(gs_error_typecheck);

     *xlatmap = (char *)pref->value.bytes;

@@ -1881,11 +1884,11 @@ ps_get_server_param(gs_fapi_server *I, const byte *subtype,

     ref *FAPIconfig, *options, *server_options;

     i_ctx_t *i_ctx_p = (i_ctx_t *) I->client_ctx_p;

-    if (dict_find_string(systemdict, ".FAPIconfig", &FAPIconfig) >= 0

+    if (dict_find_string(systemdict, ".FAPIconfig", &FAPIconfig) > 0

         && r_has_type(FAPIconfig, t_dictionary)) {

-        if (dict_find_string(FAPIconfig, "ServerOptions", &options) >= 0

+        if (dict_find_string(FAPIconfig, "ServerOptions", &options) > 0

             && r_has_type(options, t_dictionary)) {

-            if (dict_find_string(options, (char *)subtype, &server_options) >=

+            if (dict_find_string(options, (char *)subtype, &server_options) >

                 0 && r_has_type(server_options, t_string)) {

                 *server_param = (byte *) server_options->value.const_bytes;

                 *server_param_size = r_size(server_options);

@@ -2070,7 +2073,7 @@ zFAPIrebuildfont(i_ctx_t *i_ctx_p)

     pdata = (font_data *) pfont->client_data;

     I = pbfont->FAPI;

-    if (dict_find_string((op - 1), "SubfontId", &v) >= 0

+    if (dict_find_string((op - 1), "SubfontId", &v) > 0

         && r_has_type(v, t_integer))

         subfont = v->value.intval;

     else

@@ -2277,8 +2280,8 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,

         if (pbfont->FontType == ft_CID_TrueType && font_file_path) {

             ref *pdr2, *fidr, *dummy;

             pdr2 = pfont_dict(gs_rootfont(igs));

-            if (dict_find_string(pdr2, "FontInfo", &fidr) &&

-                dict_find_string(fidr, "GlyphNames2Unicode", &dummy))

+            if (dict_find_string(pdr2, "FontInfo", &fidr) > 0 &&

+                dict_find_string(fidr, "GlyphNames2Unicode", &dummy) > 0)

             {

                 unsigned char uc[4] = {0};

                 unsigned int cc = 0;

@@ -2417,13 +2420,13 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,

                 fdict = pfont_dict(gs_rootfont(igs));

                 code = dict_find_string(fdict, "CMap", &CMapDict);

-                if (code >= 0 && r_has_type(CMapDict, t_dictionary)) {

+                if (code > 0 && r_has_type(CMapDict, t_dictionary)) {

                     code = dict_find_string(CMapDict, "WMode", &WMode);

-                    if (code >= 0 && r_has_type(WMode, t_integer)) {

+                    if (code > 0 && r_has_type(WMode, t_integer)) {

                         wmode = WMode->value.intval;

                     }

                     code = dict_find_string(CMapDict, "CMapName", &CMapName);

-                    if (code >= 0 && r_has_type(CMapName, t_name)) {

+                    if (code > 0 && r_has_type(CMapName, t_name)) {

                         name_string_ref(imemory, CMapName, &CMapNameStr);

                         cmapnm = (char *)CMapNameStr.value.bytes;

                         cmapnmlen = r_size(&CMapNameStr);

@@ -2432,10 +2435,10 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,

                 /* We only have to lookup the char code if we're *not* using an identity ordering 

                    with the exception of Identity-UTF16 which is a different beast altogether */

                 if (unicode_cp || (cmapnmlen > 0 && !strncmp(cmapnm, utfcmap, cmapnmlen > utfcmaplen ? utfcmaplen : cmapnmlen))

-                    || (dict_find_string(pdr, "CIDSystemInfo", &CIDSystemInfo) >= 0

+                    || (dict_find_string(pdr, "CIDSystemInfo", &CIDSystemInfo) > 0

                     && r_has_type(CIDSystemInfo, t_dictionary)

                     && dict_find_string(CIDSystemInfo, "Ordering",

-                                        &Ordering) >= 0

+                                        &Ordering) > 0

                     && r_has_type(Ordering, t_string)

                     && strncmp((const char *)Ordering->value.bytes,

                                "Identity", 8) != 0)) {

@@ -2463,7 +2466,7 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,

                 ref cc32;

                 ref *gid;

                 make_int(&cc32, 32);

-                if (dict_find(TT_cmap, &cc32, &gid) >= 0)

+                if (dict_find(TT_cmap, &cc32, &gid) > 0)

                     c = gid->value.intval;

             }

             cr->char_codes[0] = c;

@@ -2536,7 +2539,7 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,

         if (dict_find_string(pdr, "CharStrings", &CharStrings) <= 0

             || !r_has_type(CharStrings, t_dictionary))

             return_error(gs_error_invalidfont);

-        if ((dict_find(CharStrings, &char_name, &glyph_index) < 0)

+        if ((dict_find(CharStrings, &char_name, &glyph_index) <= 0)

             || r_has_type(glyph_index, t_null)) {

 #ifdef DEBUG

             ref *pvalue;

@@ -2955,7 +2958,7 @@ zFAPIpassfont(i_ctx_t *i_ctx_p)

     if (code < 0)

         return code;

-    if (dict_find_string(op, "SubfontId", &v) >= 0

+    if (dict_find_string(op, "SubfontId", &v) > 0

         && r_has_type(v, t_integer))

         subfont = v->value.intval;

     else

@@ -2968,7 +2971,7 @@ zFAPIpassfont(i_ctx_t *i_ctx_p)

     /* If the font dictionary contains a FAPIPlugInReq key, the the PS world wants us

      * to try to use a specific FAPI plugin, so find it, and try it....

      */

-    if (dict_find_string(op, "FAPIPlugInReq", &v) >= 0 && r_type(v) == t_name) {

+    if (dict_find_string(op, "FAPIPlugInReq", &v) > 0 && r_type(v) == t_name) {

         name_string_ref(imemory, v, &reqstr);

diff --git a/psi/zfcid0.c b/psi/zfcid0.c

index 2aba09a..ba00b21 100644

--- a/psi/zfcid0.c

+++ b/psi/zfcid0.c

@@ -410,13 +410,25 @@ zbuildfont9(i_ctx_t *i_ctx_p)

      * from a file, GlyphData will be an integer, and DataSource will be

      * a (reusable) stream.

      */

-    if (code < 0 ||

-        (code = cid_font_data_param(op, &common, &GlyphDirectory)) < 0 ||

-        (code = dict_find_string(op, "FDArray", &prfda)) < 0 ||

-        (code = dict_find_string(op, "CIDFontName", &pCIDFontName)) <= 0 ||

-        (code = dict_int_param(op, "FDBytes", 0, MAX_FDBytes, -1, &FDBytes)) < 0

-        )

+    if (code < 0)

+        return code;

+    code = cid_font_data_param(op, &common, &GlyphDirectory);

+    if (code < 0)

+        return code;

+    code = dict_find_string(op, "FDArray", &prfda);

+    if (code < 0)

+        return code;

+    if (code == 0)

+        return_error(gs_error_undefined);

+    code = dict_find_string(op, "CIDFontName", &pCIDFontName);

+    if (code < 0)

+        return code;

+    if (code == 0)

+        return_error(gs_error_undefined);

+    code = dict_int_param(op, "FDBytes", 0, MAX_FDBytes, -1, &FDBytes);

+    if (code < 0)

         return code;

+

     /*

      * Since build_gs_simple_font may resize the dictionary and cause

      * pointers to become invalid, save CIDFontName

@@ -426,17 +438,24 @@ zbuildfont9(i_ctx_t *i_ctx_p)

         /* Standard CIDFont, require GlyphData and CIDMapOffset. */

         ref *pGlyphData;

-        if ((code = dict_find_string(op, "GlyphData", &pGlyphData)) < 0 ||

-            (code = dict_uint_param(op, "CIDMapOffset", 0, max_uint - 1,

-                                    max_uint, &CIDMapOffset)) < 0)

+        code = dict_find_string(op, "GlyphData", &pGlyphData);

+        if (code < 0)

+            return code;

+        if (code == 0)

+            return_error(gs_error_undefined);

+        code = dict_uint_param(op, "CIDMapOffset", 0, max_uint - 1, max_uint, &CIDMapOffset);

+        if (code < 0)

             return code;

         GlyphData = *pGlyphData;

         if (r_has_type(&GlyphData, t_integer)) {

             ref *pds;

             stream *ignore_s;

-            if ((code = dict_find_string(op, "DataSource", &pds)) < 0)

+            code = dict_find_string(op, "DataSource", &pds);

+            if (code < 0)

                 return code;

+            if (code == 0)

+                return_error(gs_error_undefined);

             check_read_file(i_ctx_p, ignore_s, pds);

             DataSource = *pds;

         } else {

diff --git a/psi/zfcid1.c b/psi/zfcid1.c

index ef3ece0..e3643a0 100644

--- a/psi/zfcid1.c

+++ b/psi/zfcid1.c

@@ -347,11 +347,17 @@ zbuildfont11(i_ctx_t *i_ctx_p)

     ref rcidmap, ignore_gdir, file, *pfile, cfnstr, *pCIDFontName, CIDFontName, *t;

     ulong loca_glyph_pos[2][2];

     int code = cid_font_data_param(op, &common, &ignore_gdir);

+    if (code < 0)

+        return code;

-    if (code < 0 ||

-        (code = dict_find_string(op, "CIDFontName", &pCIDFontName)) <= 0 ||

-        (code = dict_int_param(op, "MetricsCount", 0, 4, 0, &MetricsCount)) < 0

-        )

+    code = dict_find_string(op, "CIDFontName", &pCIDFontName);

+    if (code <= 0) {

+        if (code == 0)

+            return_error(gs_error_undefined);

+        return code;

+    }

+    code = dict_int_param(op, "MetricsCount", 0, 4, 0, &MetricsCount);

+    if (code < 0)

         return code;

     /*

      * Since build_gs_simple_font may resize the dictionary and cause

diff --git a/psi/zicc.c b/psi/zicc.c

index ebf25fe..53bdf34 100644

--- a/psi/zicc.c

+++ b/psi/zicc.c

@@ -261,6 +261,8 @@ zset_outputintent(i_ctx_t * i_ctx_p)

     code = dict_find_string(op, "N", &pnval);

     if (code < 0)

         return code;

+    if (code == 0)

+        return_error(gs_error_undefined);

     ncomps = pnval->value.intval;

     /* verify the DataSource entry. Creat profile from stream */

@@ -491,6 +493,8 @@ znumicc_components(i_ctx_t * i_ctx_p)

     code = dict_find_string(op, "N", &pnval);

     if (code < 0)

         return code;

+    if (code == 0)

+        return_error(gs_error_undefined);

     ncomps = pnval->value.intval;

     /* verify the DataSource entry. Create profile from stream */

     if (dict_find_string(op, "DataSource", &pstrmval) <= 0)

diff --git a/psi/zpdf_r6.c b/psi/zpdf_r6.c

index bcd4907..992f316 100644

--- a/psi/zpdf_r6.c

+++ b/psi/zpdf_r6.c

@@ -145,21 +145,36 @@ zcheck_r6_password(i_ctx_t * i_ctx_p)

         return_error(gs_error_typecheck);

     code = dict_find_string(CryptDict, "O", &Oref);

-    if (code < 0 || !r_has_type(Oref, t_string)) {

+    if (code < 0)

+        return code;

+    if (code == 0)

+        return_error(gs_error_undefined);

+    if (!r_has_type(Oref, t_string))

       return_error(gs_error_typecheck);

-    }

+

     code = dict_find_string(CryptDict, "OE", &OEref);

-    if (code < 0 || !r_has_type(OEref, t_string)) {

+    if (code < 0)

+        return code;

+    if (code == 0)

+        return_error(gs_error_undefined);

+    if (!r_has_type(OEref, t_string))

       return_error(gs_error_typecheck);

-    }

+

     code = dict_find_string(CryptDict, "U", &Uref);

-    if (code < 0 || !r_has_type(Uref, t_string)) {

+    if (code < 0)

+        return code;

+    if (code == 0)

+        return_error(gs_error_undefined);

+    if (!r_has_type(Uref, t_string))

       return_error(gs_error_typecheck);

-    }

+

     code = dict_find_string(CryptDict, "UE", &UEref);

-    if (code < 0 || !r_has_type(UEref, t_string)) {

+    if (code < 0)

+        return code;

+    if (code == 0)

+        return_error(gs_error_undefined);

+    if (!r_has_type(UEref, t_string))

       return_error(gs_error_typecheck);

-    }

     pop(2);

     op = osp;

diff --git a/psi/ztoken.c b/psi/ztoken.c

index 519cd09..9314d97 100644

--- a/psi/ztoken.c

+++ b/psi/ztoken.c

@@ -356,7 +356,7 @@ ztoken_scanner_options(const ref *upref, int old_options)

         int code = dict_find_string(upref, pnso->pname, &ppcproc);

         /* Update the options only if the parameter has changed. */

-        if (code >= 0) {

+        if (code > 0) {

             if (r_has_type(ppcproc, t_null))

                 options &= ~pnso->option;

             else

-- 

2.17.2

From 434753adbe8be5534bfb9b7d91746023e8073d16 Mon Sep 17 00:00:00 2001

From: Ken Sharp <ken.sharp@artifex.com>

Date: Wed, 14 Nov 2018 09:25:13 +0000

Subject: [PATCH 2/3] Bug #700169 - unchecked type

Bug #700169 "Type confusion in setcolorspace"

In seticc() we extract "Name" from a dictionary, if it succeeds we then

use it as a string, without checking the type to see if it is in fact

a string.

Add a check on the type, and add a couple to check that 'N' is an integer

in a few places too.

---

 psi/zicc.c | 6 +++++-

 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/psi/zicc.c b/psi/zicc.c

index 53bdf34..dbd2562 100644

--- a/psi/zicc.c

+++ b/psi/zicc.c

@@ -76,7 +76,7 @@ int seticc(i_ctx_t * i_ctx_p, int ncomps, ref *ICCdict, float *range_buff)

         want to have this buffer. */

     /* Check if we have the /Name entry.  This is used to associate with

        specs that have enumerated types to indicate sRGB sGray etc */

-    if (dict_find_string(ICCdict, "Name", &pnameval) > 0){

+    if (dict_find_string(ICCdict, "Name", &pnameval) > 0 && r_has_type(pnameval, t_string)){

         uint size = r_size(pnameval);

         char *str = (char *)gs_alloc_bytes(gs_gstate_memory(igs), size+1, "seticc");

         memcpy(str, (const char *)pnameval->value.bytes, size);

@@ -263,6 +263,8 @@ zset_outputintent(i_ctx_t * i_ctx_p)

         return code;

     if (code == 0)

         return_error(gs_error_undefined);

+    if (r_type(pnval) != t_integer)

+        return gs_note_error(gs_error_typecheck);

     ncomps = pnval->value.intval;

     /* verify the DataSource entry. Creat profile from stream */

@@ -495,6 +497,8 @@ znumicc_components(i_ctx_t * i_ctx_p)

         return code;

     if (code == 0)

         return_error(gs_error_undefined);

+    if (r_type(pnval) != t_integer)

+        return gs_note_error(gs_error_typecheck);

     ncomps = pnval->value.intval;

     /* verify the DataSource entry. Create profile from stream */

     if (dict_find_string(op, "DataSource", &pstrmval) <= 0)

-- 

2.17.2

From 9a1b3ac61761094713f44dedfce56013308a3b1d Mon Sep 17 00:00:00 2001

From: Ken Sharp <ken.sharp@artifex.com>

Date: Wed, 14 Nov 2018 09:31:10 +0000

Subject: [PATCH 3/3] PS interpreter - add some type checking

These were 'probably' safe anyway, since they mostly treat the objects

as integers without checking, which at least can't result in a crash.

Nevertheless, we ought to check.

The return from comparedictkeys could be wrong if one of the keys had

a value which was not an array, it could incorrectly decide the two

were in fact the same.

---

 psi/zbfont.c  | 15 +++++++++------

 psi/zcolor.c  | 24 +++++++++++++++++++++++-

 psi/zcrd.c    |  4 +++-

 psi/zfjpx.c   |  2 ++

 psi/zfont.c   |  3 +++

 psi/zfont0.c  |  3 +++

 psi/zimage3.c |  2 ++

 psi/ztrans.c  |  4 ++++

 8 files changed, 49 insertions(+), 8 deletions(-)

diff --git a/psi/zbfont.c b/psi/zbfont.c

index c1d0461..5b830a2 100644

--- a/psi/zbfont.c

+++ b/psi/zbfont.c

@@ -666,6 +666,9 @@ sub_font_params(gs_memory_t *mem, const ref *op, gs_matrix *pmat, gs_matrix *pom

         return_error(gs_error_invalidfont);

     if (dict_find_string(op, "OrigFont", &porigfont) <= 0)

         porigfont = NULL;

+    if (porigfont != NULL && !r_has_type(porigfont, t_dictionary))

+        return_error(gs_error_typecheck);

+

     if (pomat!= NULL) {

         if (porigfont == NULL ||

             dict_find_string(porigfont, "FontMatrix", &pmatrix) <= 0 ||

@@ -676,8 +679,8 @@ sub_font_params(gs_memory_t *mem, const ref *op, gs_matrix *pmat, gs_matrix *pom

     /* Use the FontInfo/OrigFontName key preferrentially (created by MS PSCRIPT driver) */

     if ((dict_find_string((porigfont != NULL ? porigfont : op), "FontInfo", &pfontinfo) > 0) &&

         r_has_type(pfontinfo, t_dictionary) &&

-        (dict_find_string(pfontinfo, "OrigFontName", &pfontname) > 0)) {

-        if ((dict_find_string(pfontinfo, "OrigFontStyle", &pfontstyle) > 0) &&

+        (dict_find_string(pfontinfo, "OrigFontName", &pfontname) > 0) && (r_has_type(pfontname, t_name) || r_has_type(pfontname, t_string))) {

+        if ((dict_find_string(pfontinfo, "OrigFontStyle", &pfontstyle) > 0) && (r_has_type(pfontname, t_name) || r_has_type(pfontname, t_string)) &&

                 r_size(pfontstyle) > 0) {

             const byte *tmpStr1 = pfontname->value.const_bytes;

             const byte *tmpStr2 = pfontstyle->value.const_bytes;

@@ -775,11 +778,11 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype,

             avm_space useglob = r_is_local(pencoding) ? avm_local : avm_global;

             ialloc_set_space(idmemory, useglob);

-            

+

             count = r_size(pencoding);

             if ((code = ialloc_ref_array(&penc, (r_type_attrs(pencoding) & a_readonly), count, "build_gs_font")) < 0)

                  return code;

-            

+

             while (count--) {

                ref r;

                if (array_get(imemory, pencoding, count, &r) < 0){

@@ -790,7 +793,7 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype,

                    ref_assign(&(penc.value.refs[count]), &r);

                }

                else {

-               

+

                    if ((code = obj_cvs(imemory, &r, (byte *)buf, 32, &size, (const byte **)(&bptr))) < 0) {

                        return(code);

                    }

@@ -799,7 +802,7 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype,

                    ref_assign(&(penc.value.refs[count]), &r);

                }

             }

-            

+

             if ((code = dict_put_string(osp, "Encoding", &penc, NULL)) < 0)

                return code;

             ialloc_set_space(idmemory, curglob);

diff --git a/psi/zcolor.c b/psi/zcolor.c

index fe81e79..b69b8f5 100644

--- a/psi/zcolor.c

+++ b/psi/zcolor.c

@@ -1877,7 +1877,12 @@ static int comparedictkey(i_ctx_t * i_ctx_p, ref *CIEdict1, ref *CIEdict2, char

     if (r_type(tempref1) == t_null)

         return 1;

-    return comparearrays(i_ctx_p, tempref1, tempref2);

+    code = comparearrays(i_ctx_p, tempref1, tempref2);

+

+    if (code > 0)

+        return 1;

+    else

+        return 0;

 }

 static int hasharray(i_ctx_t * i_ctx_p, ref *m1, gs_md5_state_t *md5)

@@ -5473,6 +5478,9 @@ static int seticcspace(i_ctx_t * i_ctx_p, ref *r, int *stage, int *cont, int CIE

                     return code;

                 if (code == 0)

                     return gs_note_error(gs_error_undefined);

+                if (r_type(tempref) != t_integer)

+                    return gs_note_error(gs_error_typecheck);

+

                 components = tempref->value.intval;

                 if (components > count_of(range)/2)

                     return_error(gs_error_rangecheck);

@@ -5584,6 +5592,10 @@ static int iccompareproc(i_ctx_t *i_ctx_p, ref *space, ref *testspace)

     /* Need to check all the various parts */

     code1 = dict_find_string(&ICCdict1, "N", &tempref1);

     code2 = dict_find_string(&ICCdict2, "N", &tempref2);

+

+    if (!r_has_type(tempref1, t_integer) || !r_has_type(tempref2, t_integer))

+        return 0;

+

     if (code1 != code2)

         return 0;

     if (tempref1->value.intval != tempref2->value.intval)

@@ -5737,6 +5749,8 @@ static int iccalternatespace(i_ctx_t * i_ctx_p, ref *space, ref **r, int *CIESub

         return code;

     if (code == 0)

         return gs_note_error(gs_error_undefined);

+    if (!r_has_type(tempref, t_integer))

+        return_error(gs_error_typecheck);

     components = tempref->value.intval;

@@ -5775,6 +5789,9 @@ static int icccomponents(i_ctx_t * i_ctx_p, ref *space, int *n)

         return code;

     if (code == 0)

         return gs_note_error(gs_error_undefined);

+    if (!r_has_type(tempref, t_integer))

+        return gs_note_error(gs_error_typecheck);

+

     *n = tempref->value.intval;

     return 0;

 }

@@ -5791,6 +5808,9 @@ static int iccdomain(i_ctx_t * i_ctx_p, ref *space, float *ptr)

         return code;

     if (code == 0)

         return gs_note_error(gs_error_undefined);

+    if (!r_has_type(tempref, t_integer))

+        return gs_note_error(gs_error_typecheck);

+

     components = tempref->value.intval;

     code = dict_find_string(&ICCdict, "Range", &tempref);

     if (code > 0 && !r_has_type(tempref, t_null)) {

@@ -5824,6 +5844,8 @@ static int iccrange(i_ctx_t * i_ctx_p, ref *space, float *ptr)

         return code;

     if (code == 0)

         return gs_note_error(gs_error_undefined);

+    if (!r_has_type(tempref, t_integer))

+        return gs_note_error(gs_error_typecheck);

     components = tempref->value.intval;

     code = dict_find_string(&ICCdict, "Range", &tempref);

     if (code > 0 && !r_has_type(tempref, t_null)) {

diff --git a/psi/zcrd.c b/psi/zcrd.c

index 7993b15..d58160d 100644

--- a/psi/zcrd.c

+++ b/psi/zcrd.c

@@ -231,8 +231,10 @@ zcrd1_params(os_ptr op, gs_cie_render * pcrd,

         return code;

     if (dict_find_string(op, "RenderTable", &pRT) > 0) {

-        const ref *prte = pRT->value.const_refs;

+        const ref *prte;

+        check_read_type(*pRT, t_array);

+        prte = pRT->value.const_refs;

         /* Finish unpacking and checking the RenderTable parameter. */

         check_type_only(prte[4], t_integer);

         if (!(prte[4].value.intval == 3 || prte[4].value.intval == 4))

diff --git a/psi/zfjpx.c b/psi/zfjpx.c

index c622f48..db1fae2 100644

--- a/psi/zfjpx.c

+++ b/psi/zfjpx.c

@@ -115,6 +115,8 @@ z_jpx_decode(i_ctx_t * i_ctx_p)

                                 dict_find_string(csdict, "N", &nref) > 0) {

                           if_debug1m('w', imemory, "[w] JPX image has an external %"PRIpsint

                                      " channel colorspace\n", nref->value.intval);

+                          if (r_type(nref) != t_integer)

+                              return gs_note_error(gs_error_typecheck);

                           switch (nref->value.intval) {

                             case 1: state.colorspace = gs_jpx_cs_gray;

                                 break;

diff --git a/psi/zfont.c b/psi/zfont.c

index 9c51792..f6c5ae1 100644

--- a/psi/zfont.c

+++ b/psi/zfont.c

@@ -596,6 +596,9 @@ zfont_info(gs_font *font, const gs_point *pscale, int members,

         info->members |= FONT_INFO_FULL_NAME;

     if ((members & FONT_INFO_EMBEDDING_RIGHTS)

         && (dict_find_string(pfontinfo, "FSType", &pvalue) > 0)) {

+        if (r_type(pvalue) != t_integer)

+            return gs_note_error(gs_error_typecheck);

+

         info->EmbeddingRights = pvalue->value.intval;

         info->members |= FONT_INFO_EMBEDDING_RIGHTS;

     }

diff --git a/psi/zfont0.c b/psi/zfont0.c

index 4b01c20..a179d7b 100644

--- a/psi/zfont0.c

+++ b/psi/zfont0.c

@@ -243,6 +243,9 @@ zbuildfont0(i_ctx_t *i_ctx_p)

         array_get(pfont->memory, &fdepvector, i, &fdep);

         /* The lookup can't fail, because of the pre-check above. */

         dict_find_string(&fdep, "FID", &pfid);

+        if (!r_has_type(pfid, t_fontID))

+            return gs_note_error(gs_error_typecheck);

+

         data.FDepVector[i] = r_ptr(pfid, gs_font);

     }

     pfont->data = data;

diff --git a/psi/zimage3.c b/psi/zimage3.c

index 87a3dce..2beda9f 100644

--- a/psi/zimage3.c

+++ b/psi/zimage3.c

@@ -53,6 +53,8 @@ zimage3(i_ctx_t *i_ctx_p)

         dict_find_string(op, "MaskDict", &pMaskDict) <= 0

         )

         return_error(gs_error_rangecheck);

+    check_type(*pDataDict, t_dictionary);

+    check_type(*pMaskDict, t_dictionary);

     if ((code = pixel_image_params(i_ctx_p, pDataDict,

                         (gs_pixel_image_t *)&image, &ip_data,

                         12, false, gs_currentcolorspace(igs))) < 0 ||

diff --git a/psi/ztrans.c b/psi/ztrans.c

index 64defda..0550a10 100644

--- a/psi/ztrans.c

+++ b/psi/ztrans.c

@@ -417,6 +417,7 @@ zimage3x(i_ctx_t *i_ctx_p)

     gs_image3x_t_init(&image, NULL);

     if (dict_find_string(op, "DataDict", &pDataDict) <= 0)

         return_error(gs_error_rangecheck);

+    check_type(*pDataDict, t_dictionary);

     if ((code = pixel_image_params(i_ctx_p, pDataDict,

                    (gs_pixel_image_t *)&image, &ip_data,

                    16, false, gs_currentcolorspace(igs))) < 0 ||

@@ -453,6 +454,9 @@ image_params *pip_data, const char *dict_name,

     if (dict_find_string(op, dict_name, &pMaskDict) <= 0)

         return 1;

+    if (!r_has_type(pMaskDict, t_dictionary))

+        return gs_note_error(gs_error_typecheck);

+

     if ((mcode = code = data_image_params(mem, pMaskDict, &pixm->MaskDict,

                                           &ip_mask, false, 1, 16, false, false)) < 0 ||

         (code = dict_int_param(pMaskDict, "ImageType", 1, 1, 0, &ignored)) < 0 ||

-- 

2.17.2