Blame SOURCES/ghostscript-cve-2018-19477.patch
|
 |
483aca |
From 606a22e77e7f081781e99e44644cd0119f559e03 Mon Sep 17 00:00:00 2001
|
|
|
483aca |
From: Ken Sharp <ken.sharp@artifex.com>
|
|
|
483aca |
Date: Wed, 14 Nov 2018 09:27:00 +0000
|
|
|
483aca |
Subject: [PATCH] Bug #700168 - add a type check
|
|
|
483aca |
|
|
|
483aca |
Bug #700168 "Type confusion in JBIG2Decode"
|
|
|
483aca |
|
|
|
483aca |
The code was assuming that .jbig2globalctx was a structure allocated
|
|
|
483aca |
by the graphics library, without checking.
|
|
|
483aca |
|
|
|
483aca |
Add a check to see that it is a structure and that its the correct
|
|
|
483aca |
type of structure.
|
|
|
483aca |
---
|
|
|
483aca |
psi/zfjbig2.c | 2 ++
|
|
|
483aca |
1 file changed, 2 insertions(+)
|
|
|
483aca |
|
|
|
483aca |
diff --git a/psi/zfjbig2.c b/psi/zfjbig2.c
|
|
|
483aca |
index a3d13a2..07b470f 100644
|
|
|
483aca |
--- a/psi/zfjbig2.c
|
|
|
483aca |
+++ b/psi/zfjbig2.c
|
|
|
483aca |
@@ -72,6 +72,8 @@ z_jbig2decode(i_ctx_t * i_ctx_p)
|
|
|
483aca |
if (r_has_type(op, t_dictionary)) {
|
|
|
483aca |
check_dict_read(*op);
|
|
|
483aca |
if ( dict_find_string(op, ".jbig2globalctx", &sop) > 0) {
|
|
|
483aca |
+ if (!r_is_struct(sop) || !r_has_stype(sop, imemory, st_jbig2_global_data_t))
|
|
|
483aca |
+ return_error(gs_error_typecheck);
|
|
|
483aca |
gref = r_ptr(sop, s_jbig2_global_data_t);
|
|
|
483aca |
s_jbig2decode_set_global_data((stream_state*)&state, gref);
|
|
|
483aca |
}
|
|
|
483aca |
--
|
|
|
483aca |
2.17.2
|
|
|
483aca |
|