From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 21 Aug 2018 19:36:52 +0000 (+0100)
Subject: Bug 699659: Don't just assume an object is a t_(a)struct

Bug 699659: Don't just assume an object is a t_(a)struct

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0edd3d6c634a577db261615a9dc2719bca7f6e01
---

diff -up a/psi/ztype.c.cve-2018-16511 b/psi/ztype.c
--- a/psi/ztype.c.cve-2018-16511	2018-11-14 09:52:09.491518742 +0100
+++ b/psi/ztype.c	2018-11-14 10:14:02.238279799 +0100
@@ -76,6 +76,7 @@ ztype(i_ctx_t *i_ctx_p)
         /* Must be either a stack underflow or a t_[a]struct. */
         check_op(2);
         {                       /* Get the type name from the structure. */
+            if ((r_has_type(&op[-1], t_struct) || r_has_type(&op[-1], t_astruct)) && op[-1].value.pstruct != 0x00) {
             const char *sname =
                 gs_struct_type_name_string(gs_object_type(imemory,
                                                           op[-1].value.pstruct));
@@ -84,6 +85,8 @@ ztype(i_ctx_t *i_ctx_p)
 
             if (code < 0)
                 return code;
+            } else
+                return_error(gs_error_stackunderflow);
         }
         r_set_attrs(op - 1, a_executable);
     } else {