From fac7eb144135f3ed8fbb0028ab1f33ce4dcc1985 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Fri, 21 Sep 2018 13:02:56 +0100
Subject: [PATCH 1/3] Check all uses of dict_find* to ensure 0 return properly
handled
dict_find and friends have the surprising quirk of returning < 0 for
an error and > 0 for no error. But they can also return 0 which means
'not found' without it being an error.
From bug 699801, if the code assumes the usual case where 0 is a success
then an attempt might be made to use the empty dictionary slot returned
by dict_find*, which can lead to seg faults, and certainly won't have
the expected result.
---
psi/icontext.c | 4 ++--
psi/zcid.c | 6 ++++--
psi/zfapi.c | 33 ++++++++++++++++++---------------
psi/zfcid0.c | 39 +++++++++++++++++++++++++++++----------
psi/zfcid1.c | 14 ++++++++++----
psi/zicc.c | 4 ++++
psi/zpdf_r6.c | 31 +++++++++++++++++++++++--------
psi/ztoken.c | 2 +-
8 files changed, 91 insertions(+), 42 deletions(-)
diff --git a/psi/icontext.c b/psi/icontext.c
index 4db78e0..1fbe486 100644
--- a/psi/icontext.c
+++ b/psi/icontext.c
@@ -162,7 +162,7 @@ context_state_alloc(gs_context_state_t ** ppcst,
uint size;
ref *system_dict = &pcst->dict_stack.system_dict;
- if (dict_find_string(system_dict, "userparams", &puserparams) >= 0)
+ if (dict_find_string(system_dict, "userparams", &puserparams) > 0)
size = dict_length(puserparams);
else
size = 300;
@@ -286,7 +286,7 @@ context_state_store(gs_context_state_t * pcst)
/* We need i_ctx_p for access to the d_stack. */
i_ctx_t *i_ctx_p = pcst;
- if (dict_find_string(systemdict, "userparams", &puserparams) < 0)
+ if (dict_find_string(systemdict, "userparams", &puserparams) <= 0)
return_error(gs_error_Fatal);
pcst->userparams = *puserparams;
}
diff --git a/psi/zcid.c b/psi/zcid.c
index e394877..5c98fc9 100644
--- a/psi/zcid.c
+++ b/psi/zcid.c
@@ -72,11 +72,13 @@ TT_char_code_from_CID_no_subst(const gs_memory_t *mem,
} else
return false; /* Must not happen. */
for (;n--; i++) {
+ int code;
+
if (array_get(mem, DecodingArray, i, &char_code1) < 0 ||
!r_has_type(&char_code1, t_integer))
return false; /* Must not happen. */
- if (dict_find(TT_cmap, &char_code1, &glyph_index) >= 0 &&
- r_has_type(glyph_index, t_integer)) {
+ code = dict_find(TT_cmap, &char_code1, &glyph_index);
+ if (code > 0 && r_has_type(glyph_index, t_integer)) {
*c = glyph_index->value.intval;
found = true;
if (*c != 0)
diff --git a/psi/zfapi.c b/psi/zfapi.c
index 48e1d54..1b687b0 100644
--- a/psi/zfapi.c
+++ b/psi/zfapi.c
@@ -1826,6 +1826,9 @@ FAPI_get_xlatmap(i_ctx_t *i_ctx_p, char **xlatmap)
if ((code = dict_find_string(systemdict, ".xlatmap", &pref)) < 0)
return code;
+ if (code == 0)
+ return_error(gs_error_undefined);
+
if (r_type(pref) != t_string)
return_error(gs_error_typecheck);
*xlatmap = (char *)pref->value.bytes;
@@ -1881,11 +1884,11 @@ ps_get_server_param(gs_fapi_server *I, const byte *subtype,
ref *FAPIconfig, *options, *server_options;
i_ctx_t *i_ctx_p = (i_ctx_t *) I->client_ctx_p;
- if (dict_find_string(systemdict, ".FAPIconfig", &FAPIconfig) >= 0
+ if (dict_find_string(systemdict, ".FAPIconfig", &FAPIconfig) > 0
&& r_has_type(FAPIconfig, t_dictionary)) {
- if (dict_find_string(FAPIconfig, "ServerOptions", &options) >= 0
+ if (dict_find_string(FAPIconfig, "ServerOptions", &options) > 0
&& r_has_type(options, t_dictionary)) {
- if (dict_find_string(options, (char *)subtype, &server_options) >=
+ if (dict_find_string(options, (char *)subtype, &server_options) >
0 && r_has_type(server_options, t_string)) {
*server_param = (byte *) server_options->value.const_bytes;
*server_param_size = r_size(server_options);
@@ -2070,7 +2073,7 @@ zFAPIrebuildfont(i_ctx_t *i_ctx_p)
pdata = (font_data *) pfont->client_data;
I = pbfont->FAPI;
- if (dict_find_string((op - 1), "SubfontId", &v) >= 0
+ if (dict_find_string((op - 1), "SubfontId", &v) > 0
&& r_has_type(v, t_integer))
subfont = v->value.intval;
else
@@ -2277,8 +2280,8 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,
if (pbfont->FontType == ft_CID_TrueType && font_file_path) {
ref *pdr2, *fidr, *dummy;
pdr2 = pfont_dict(gs_rootfont(igs));
- if (dict_find_string(pdr2, "FontInfo", &fidr) &&
- dict_find_string(fidr, "GlyphNames2Unicode", &dummy))
+ if (dict_find_string(pdr2, "FontInfo", &fidr) > 0 &&
+ dict_find_string(fidr, "GlyphNames2Unicode", &dummy) > 0)
{
unsigned char uc[4] = {0};
unsigned int cc = 0;
@@ -2417,13 +2420,13 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,
fdict = pfont_dict(gs_rootfont(igs));
code = dict_find_string(fdict, "CMap", &CMapDict);
- if (code >= 0 && r_has_type(CMapDict, t_dictionary)) {
+ if (code > 0 && r_has_type(CMapDict, t_dictionary)) {
code = dict_find_string(CMapDict, "WMode", &WMode);
- if (code >= 0 && r_has_type(WMode, t_integer)) {
+ if (code > 0 && r_has_type(WMode, t_integer)) {
wmode = WMode->value.intval;
}
code = dict_find_string(CMapDict, "CMapName", &CMapName);
- if (code >= 0 && r_has_type(CMapName, t_name)) {
+ if (code > 0 && r_has_type(CMapName, t_name)) {
name_string_ref(imemory, CMapName, &CMapNameStr);
cmapnm = (char *)CMapNameStr.value.bytes;
cmapnmlen = r_size(&CMapNameStr);
@@ -2432,10 +2435,10 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,
/* We only have to lookup the char code if we're *not* using an identity ordering
with the exception of Identity-UTF16 which is a different beast altogether */
if (unicode_cp || (cmapnmlen > 0 && !strncmp(cmapnm, utfcmap, cmapnmlen > utfcmaplen ? utfcmaplen : cmapnmlen))
- || (dict_find_string(pdr, "CIDSystemInfo", &CIDSystemInfo) >= 0
+ || (dict_find_string(pdr, "CIDSystemInfo", &CIDSystemInfo) > 0
&& r_has_type(CIDSystemInfo, t_dictionary)
&& dict_find_string(CIDSystemInfo, "Ordering",
- &Ordering) >= 0
+ &Ordering) > 0
&& r_has_type(Ordering, t_string)
&& strncmp((const char *)Ordering->value.bytes,
"Identity", 8) != 0)) {
@@ -2463,7 +2466,7 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,
ref cc32;
ref *gid;
make_int(&cc32, 32);
- if (dict_find(TT_cmap, &cc32, &gid) >= 0)
+ if (dict_find(TT_cmap, &cc32, &gid) > 0)
c = gid->value.intval;
}
cr->char_codes[0] = c;
@@ -2536,7 +2539,7 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,
if (dict_find_string(pdr, "CharStrings", &CharStrings) <= 0
|| !r_has_type(CharStrings, t_dictionary))
return_error(gs_error_invalidfont);
- if ((dict_find(CharStrings, &char_name, &glyph_index) < 0)
+ if ((dict_find(CharStrings, &char_name, &glyph_index) <= 0)
|| r_has_type(glyph_index, t_null)) {
#ifdef DEBUG
ref *pvalue;
@@ -2955,7 +2958,7 @@ zFAPIpassfont(i_ctx_t *i_ctx_p)
if (code < 0)
return code;
- if (dict_find_string(op, "SubfontId", &v) >= 0
+ if (dict_find_string(op, "SubfontId", &v) > 0
&& r_has_type(v, t_integer))
subfont = v->value.intval;
else
@@ -2968,7 +2971,7 @@ zFAPIpassfont(i_ctx_t *i_ctx_p)
/* If the font dictionary contains a FAPIPlugInReq key, the the PS world wants us
* to try to use a specific FAPI plugin, so find it, and try it....
*/
- if (dict_find_string(op, "FAPIPlugInReq", &v) >= 0 && r_type(v) == t_name) {
+ if (dict_find_string(op, "FAPIPlugInReq", &v) > 0 && r_type(v) == t_name) {
name_string_ref(imemory, v, &reqstr);
diff --git a/psi/zfcid0.c b/psi/zfcid0.c
index 2aba09a..ba00b21 100644
--- a/psi/zfcid0.c
+++ b/psi/zfcid0.c
@@ -410,13 +410,25 @@ zbuildfont9(i_ctx_t *i_ctx_p)
* from a file, GlyphData will be an integer, and DataSource will be
* a (reusable) stream.
*/
- if (code < 0 ||
- (code = cid_font_data_param(op, &common, &GlyphDirectory)) < 0 ||
- (code = dict_find_string(op, "FDArray", &prfda)) < 0 ||
- (code = dict_find_string(op, "CIDFontName", &pCIDFontName)) <= 0 ||
- (code = dict_int_param(op, "FDBytes", 0, MAX_FDBytes, -1, &FDBytes)) < 0
- )
+ if (code < 0)
+ return code;
+ code = cid_font_data_param(op, &common, &GlyphDirectory);
+ if (code < 0)
+ return code;
+ code = dict_find_string(op, "FDArray", &prfda);
+ if (code < 0)
+ return code;
+ if (code == 0)
+ return_error(gs_error_undefined);
+ code = dict_find_string(op, "CIDFontName", &pCIDFontName);
+ if (code < 0)
+ return code;
+ if (code == 0)
+ return_error(gs_error_undefined);
+ code = dict_int_param(op, "FDBytes", 0, MAX_FDBytes, -1, &FDBytes);
+ if (code < 0)
return code;
+
/*
* Since build_gs_simple_font may resize the dictionary and cause
* pointers to become invalid, save CIDFontName
@@ -426,17 +438,24 @@ zbuildfont9(i_ctx_t *i_ctx_p)
/* Standard CIDFont, require GlyphData and CIDMapOffset. */
ref *pGlyphData;
- if ((code = dict_find_string(op, "GlyphData", &pGlyphData)) < 0 ||
- (code = dict_uint_param(op, "CIDMapOffset", 0, max_uint - 1,
- max_uint, &CIDMapOffset)) < 0)
+ code = dict_find_string(op, "GlyphData", &pGlyphData);
+ if (code < 0)
+ return code;
+ if (code == 0)
+ return_error(gs_error_undefined);
+ code = dict_uint_param(op, "CIDMapOffset", 0, max_uint - 1, max_uint, &CIDMapOffset);
+ if (code < 0)
return code;
GlyphData = *pGlyphData;
if (r_has_type(&GlyphData, t_integer)) {
ref *pds;
stream *ignore_s;
- if ((code = dict_find_string(op, "DataSource", &pds)) < 0)
+ code = dict_find_string(op, "DataSource", &pds);
+ if (code < 0)
return code;
+ if (code == 0)
+ return_error(gs_error_undefined);
check_read_file(i_ctx_p, ignore_s, pds);
DataSource = *pds;
} else {
diff --git a/psi/zfcid1.c b/psi/zfcid1.c
index ef3ece0..e3643a0 100644
--- a/psi/zfcid1.c
+++ b/psi/zfcid1.c
@@ -347,11 +347,17 @@ zbuildfont11(i_ctx_t *i_ctx_p)
ref rcidmap, ignore_gdir, file, *pfile, cfnstr, *pCIDFontName, CIDFontName, *t;
ulong loca_glyph_pos[2][2];
int code = cid_font_data_param(op, &common, &ignore_gdir);
+ if (code < 0)
+ return code;
- if (code < 0 ||
- (code = dict_find_string(op, "CIDFontName", &pCIDFontName)) <= 0 ||
- (code = dict_int_param(op, "MetricsCount", 0, 4, 0, &MetricsCount)) < 0
- )
+ code = dict_find_string(op, "CIDFontName", &pCIDFontName);
+ if (code <= 0) {
+ if (code == 0)
+ return_error(gs_error_undefined);
+ return code;
+ }
+ code = dict_int_param(op, "MetricsCount", 0, 4, 0, &MetricsCount);
+ if (code < 0)
return code;
/*
* Since build_gs_simple_font may resize the dictionary and cause
diff --git a/psi/zicc.c b/psi/zicc.c
index ebf25fe..53bdf34 100644
--- a/psi/zicc.c
+++ b/psi/zicc.c
@@ -261,6 +261,8 @@ zset_outputintent(i_ctx_t * i_ctx_p)
code = dict_find_string(op, "N", &pnval);
if (code < 0)
return code;
+ if (code == 0)
+ return_error(gs_error_undefined);
ncomps = pnval->value.intval;
/* verify the DataSource entry. Creat profile from stream */
@@ -491,6 +493,8 @@ znumicc_components(i_ctx_t * i_ctx_p)
code = dict_find_string(op, "N", &pnval);
if (code < 0)
return code;
+ if (code == 0)
+ return_error(gs_error_undefined);
ncomps = pnval->value.intval;
/* verify the DataSource entry. Create profile from stream */
if (dict_find_string(op, "DataSource", &pstrmval) <= 0)
diff --git a/psi/zpdf_r6.c b/psi/zpdf_r6.c
index bcd4907..992f316 100644
--- a/psi/zpdf_r6.c
+++ b/psi/zpdf_r6.c
@@ -145,21 +145,36 @@ zcheck_r6_password(i_ctx_t * i_ctx_p)
return_error(gs_error_typecheck);
code = dict_find_string(CryptDict, "O", &Oref);
- if (code < 0 || !r_has_type(Oref, t_string)) {
+ if (code < 0)
+ return code;
+ if (code == 0)
+ return_error(gs_error_undefined);
+ if (!r_has_type(Oref, t_string))
return_error(gs_error_typecheck);
- }
+
code = dict_find_string(CryptDict, "OE", &OEref);
- if (code < 0 || !r_has_type(OEref, t_string)) {
+ if (code < 0)
+ return code;
+ if (code == 0)
+ return_error(gs_error_undefined);
+ if (!r_has_type(OEref, t_string))
return_error(gs_error_typecheck);
- }
+
code = dict_find_string(CryptDict, "U", &Uref);
- if (code < 0 || !r_has_type(Uref, t_string)) {
+ if (code < 0)
+ return code;
+ if (code == 0)
+ return_error(gs_error_undefined);
+ if (!r_has_type(Uref, t_string))
return_error(gs_error_typecheck);
- }
+
code = dict_find_string(CryptDict, "UE", &UEref);
- if (code < 0 || !r_has_type(UEref, t_string)) {
+ if (code < 0)
+ return code;
+ if (code == 0)
+ return_error(gs_error_undefined);
+ if (!r_has_type(UEref, t_string))
return_error(gs_error_typecheck);
- }
pop(2);
op = osp;
diff --git a/psi/ztoken.c b/psi/ztoken.c
index 519cd09..9314d97 100644
--- a/psi/ztoken.c
+++ b/psi/ztoken.c
@@ -356,7 +356,7 @@ ztoken_scanner_options(const ref *upref, int old_options)
int code = dict_find_string(upref, pnso->pname, &ppcproc);
/* Update the options only if the parameter has changed. */
- if (code >= 0) {
+ if (code > 0) {
if (r_has_type(ppcproc, t_null))
options &= ~pnso->option;
else
--
2.17.2
From 434753adbe8be5534bfb9b7d91746023e8073d16 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 14 Nov 2018 09:25:13 +0000
Subject: [PATCH 2/3] Bug #700169 - unchecked type
Bug #700169 "Type confusion in setcolorspace"
In seticc() we extract "Name" from a dictionary, if it succeeds we then
use it as a string, without checking the type to see if it is in fact
a string.
Add a check on the type, and add a couple to check that 'N' is an integer
in a few places too.
---
psi/zicc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/psi/zicc.c b/psi/zicc.c
index 53bdf34..dbd2562 100644
--- a/psi/zicc.c
+++ b/psi/zicc.c
@@ -76,7 +76,7 @@ int seticc(i_ctx_t * i_ctx_p, int ncomps, ref *ICCdict, float *range_buff)
want to have this buffer. */
/* Check if we have the /Name entry. This is used to associate with
specs that have enumerated types to indicate sRGB sGray etc */
- if (dict_find_string(ICCdict, "Name", &pnameval) > 0){
+ if (dict_find_string(ICCdict, "Name", &pnameval) > 0 && r_has_type(pnameval, t_string)){
uint size = r_size(pnameval);
char *str = (char *)gs_alloc_bytes(gs_gstate_memory(igs), size+1, "seticc");
memcpy(str, (const char *)pnameval->value.bytes, size);
@@ -263,6 +263,8 @@ zset_outputintent(i_ctx_t * i_ctx_p)
return code;
if (code == 0)
return_error(gs_error_undefined);
+ if (r_type(pnval) != t_integer)
+ return gs_note_error(gs_error_typecheck);
ncomps = pnval->value.intval;
/* verify the DataSource entry. Creat profile from stream */
@@ -495,6 +497,8 @@ znumicc_components(i_ctx_t * i_ctx_p)
return code;
if (code == 0)
return_error(gs_error_undefined);
+ if (r_type(pnval) != t_integer)
+ return gs_note_error(gs_error_typecheck);
ncomps = pnval->value.intval;
/* verify the DataSource entry. Create profile from stream */
if (dict_find_string(op, "DataSource", &pstrmval) <= 0)
--
2.17.2
From 9a1b3ac61761094713f44dedfce56013308a3b1d Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 14 Nov 2018 09:31:10 +0000
Subject: [PATCH 3/3] PS interpreter - add some type checking
These were 'probably' safe anyway, since they mostly treat the objects
as integers without checking, which at least can't result in a crash.
Nevertheless, we ought to check.
The return from comparedictkeys could be wrong if one of the keys had
a value which was not an array, it could incorrectly decide the two
were in fact the same.
---
psi/zbfont.c | 15 +++++++++------
psi/zcolor.c | 24 +++++++++++++++++++++++-
psi/zcrd.c | 4 +++-
psi/zfjpx.c | 2 ++
psi/zfont.c | 3 +++
psi/zfont0.c | 3 +++
psi/zimage3.c | 2 ++
psi/ztrans.c | 4 ++++
8 files changed, 49 insertions(+), 8 deletions(-)
diff --git a/psi/zbfont.c b/psi/zbfont.c
index c1d0461..5b830a2 100644
--- a/psi/zbfont.c
+++ b/psi/zbfont.c
@@ -666,6 +666,9 @@ sub_font_params(gs_memory_t *mem, const ref *op, gs_matrix *pmat, gs_matrix *pom
return_error(gs_error_invalidfont);
if (dict_find_string(op, "OrigFont", &porigfont) <= 0)
porigfont = NULL;
+ if (porigfont != NULL && !r_has_type(porigfont, t_dictionary))
+ return_error(gs_error_typecheck);
+
if (pomat!= NULL) {
if (porigfont == NULL ||
dict_find_string(porigfont, "FontMatrix", &pmatrix) <= 0 ||
@@ -676,8 +679,8 @@ sub_font_params(gs_memory_t *mem, const ref *op, gs_matrix *pmat, gs_matrix *pom
/* Use the FontInfo/OrigFontName key preferrentially (created by MS PSCRIPT driver) */
if ((dict_find_string((porigfont != NULL ? porigfont : op), "FontInfo", &pfontinfo) > 0) &&
r_has_type(pfontinfo, t_dictionary) &&
- (dict_find_string(pfontinfo, "OrigFontName", &pfontname) > 0)) {
- if ((dict_find_string(pfontinfo, "OrigFontStyle", &pfontstyle) > 0) &&
+ (dict_find_string(pfontinfo, "OrigFontName", &pfontname) > 0) && (r_has_type(pfontname, t_name) || r_has_type(pfontname, t_string))) {
+ if ((dict_find_string(pfontinfo, "OrigFontStyle", &pfontstyle) > 0) && (r_has_type(pfontname, t_name) || r_has_type(pfontname, t_string)) &&
r_size(pfontstyle) > 0) {
const byte *tmpStr1 = pfontname->value.const_bytes;
const byte *tmpStr2 = pfontstyle->value.const_bytes;
@@ -775,11 +778,11 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype,
avm_space useglob = r_is_local(pencoding) ? avm_local : avm_global;
ialloc_set_space(idmemory, useglob);
-
+
count = r_size(pencoding);
if ((code = ialloc_ref_array(&penc, (r_type_attrs(pencoding) & a_readonly), count, "build_gs_font")) < 0)
return code;
-
+
while (count--) {
ref r;
if (array_get(imemory, pencoding, count, &r) < 0){
@@ -790,7 +793,7 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype,
ref_assign(&(penc.value.refs[count]), &r);
}
else {
-
+
if ((code = obj_cvs(imemory, &r, (byte *)buf, 32, &size, (const byte **)(&bptr))) < 0) {
return(code);
}
@@ -799,7 +802,7 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype,
ref_assign(&(penc.value.refs[count]), &r);
}
}
-
+
if ((code = dict_put_string(osp, "Encoding", &penc, NULL)) < 0)
return code;
ialloc_set_space(idmemory, curglob);
diff --git a/psi/zcolor.c b/psi/zcolor.c
index fe81e79..b69b8f5 100644
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -1877,7 +1877,12 @@ static int comparedictkey(i_ctx_t * i_ctx_p, ref *CIEdict1, ref *CIEdict2, char
if (r_type(tempref1) == t_null)
return 1;
- return comparearrays(i_ctx_p, tempref1, tempref2);
+ code = comparearrays(i_ctx_p, tempref1, tempref2);
+
+ if (code > 0)
+ return 1;
+ else
+ return 0;
}
static int hasharray(i_ctx_t * i_ctx_p, ref *m1, gs_md5_state_t *md5)
@@ -5473,6 +5478,9 @@ static int seticcspace(i_ctx_t * i_ctx_p, ref *r, int *stage, int *cont, int CIE
return code;
if (code == 0)
return gs_note_error(gs_error_undefined);
+ if (r_type(tempref) != t_integer)
+ return gs_note_error(gs_error_typecheck);
+
components = tempref->value.intval;
if (components > count_of(range)/2)
return_error(gs_error_rangecheck);
@@ -5584,6 +5592,10 @@ static int iccompareproc(i_ctx_t *i_ctx_p, ref *space, ref *testspace)
/* Need to check all the various parts */
code1 = dict_find_string(&ICCdict1, "N", &tempref1);
code2 = dict_find_string(&ICCdict2, "N", &tempref2);
+
+ if (!r_has_type(tempref1, t_integer) || !r_has_type(tempref2, t_integer))
+ return 0;
+
if (code1 != code2)
return 0;
if (tempref1->value.intval != tempref2->value.intval)
@@ -5737,6 +5749,8 @@ static int iccalternatespace(i_ctx_t * i_ctx_p, ref *space, ref **r, int *CIESub
return code;
if (code == 0)
return gs_note_error(gs_error_undefined);
+ if (!r_has_type(tempref, t_integer))
+ return_error(gs_error_typecheck);
components = tempref->value.intval;
@@ -5775,6 +5789,9 @@ static int icccomponents(i_ctx_t * i_ctx_p, ref *space, int *n)
return code;
if (code == 0)
return gs_note_error(gs_error_undefined);
+ if (!r_has_type(tempref, t_integer))
+ return gs_note_error(gs_error_typecheck);
+
*n = tempref->value.intval;
return 0;
}
@@ -5791,6 +5808,9 @@ static int iccdomain(i_ctx_t * i_ctx_p, ref *space, float *ptr)
return code;
if (code == 0)
return gs_note_error(gs_error_undefined);
+ if (!r_has_type(tempref, t_integer))
+ return gs_note_error(gs_error_typecheck);
+
components = tempref->value.intval;
code = dict_find_string(&ICCdict, "Range", &tempref);
if (code > 0 && !r_has_type(tempref, t_null)) {
@@ -5824,6 +5844,8 @@ static int iccrange(i_ctx_t * i_ctx_p, ref *space, float *ptr)
return code;
if (code == 0)
return gs_note_error(gs_error_undefined);
+ if (!r_has_type(tempref, t_integer))
+ return gs_note_error(gs_error_typecheck);
components = tempref->value.intval;
code = dict_find_string(&ICCdict, "Range", &tempref);
if (code > 0 && !r_has_type(tempref, t_null)) {
diff --git a/psi/zcrd.c b/psi/zcrd.c
index 7993b15..d58160d 100644
--- a/psi/zcrd.c
+++ b/psi/zcrd.c
@@ -231,8 +231,10 @@ zcrd1_params(os_ptr op, gs_cie_render * pcrd,
return code;
if (dict_find_string(op, "RenderTable", &pRT) > 0) {
- const ref *prte = pRT->value.const_refs;
+ const ref *prte;
+ check_read_type(*pRT, t_array);
+ prte = pRT->value.const_refs;
/* Finish unpacking and checking the RenderTable parameter. */
check_type_only(prte[4], t_integer);
if (!(prte[4].value.intval == 3 || prte[4].value.intval == 4))
diff --git a/psi/zfjpx.c b/psi/zfjpx.c
index c622f48..db1fae2 100644
--- a/psi/zfjpx.c
+++ b/psi/zfjpx.c
@@ -115,6 +115,8 @@ z_jpx_decode(i_ctx_t * i_ctx_p)
dict_find_string(csdict, "N", &nref) > 0) {
if_debug1m('w', imemory, "[w] JPX image has an external %"PRIpsint
" channel colorspace\n", nref->value.intval);
+ if (r_type(nref) != t_integer)
+ return gs_note_error(gs_error_typecheck);
switch (nref->value.intval) {
case 1: state.colorspace = gs_jpx_cs_gray;
break;
diff --git a/psi/zfont.c b/psi/zfont.c
index 9c51792..f6c5ae1 100644
--- a/psi/zfont.c
+++ b/psi/zfont.c
@@ -596,6 +596,9 @@ zfont_info(gs_font *font, const gs_point *pscale, int members,
info->members |= FONT_INFO_FULL_NAME;
if ((members & FONT_INFO_EMBEDDING_RIGHTS)
&& (dict_find_string(pfontinfo, "FSType", &pvalue) > 0)) {
+ if (r_type(pvalue) != t_integer)
+ return gs_note_error(gs_error_typecheck);
+
info->EmbeddingRights = pvalue->value.intval;
info->members |= FONT_INFO_EMBEDDING_RIGHTS;
}
diff --git a/psi/zfont0.c b/psi/zfont0.c
index 4b01c20..a179d7b 100644
--- a/psi/zfont0.c
+++ b/psi/zfont0.c
@@ -243,6 +243,9 @@ zbuildfont0(i_ctx_t *i_ctx_p)
array_get(pfont->memory, &fdepvector, i, &fdep);
/* The lookup can't fail, because of the pre-check above. */
dict_find_string(&fdep, "FID", &pfid);
+ if (!r_has_type(pfid, t_fontID))
+ return gs_note_error(gs_error_typecheck);
+
data.FDepVector[i] = r_ptr(pfid, gs_font);
}
pfont->data = data;
diff --git a/psi/zimage3.c b/psi/zimage3.c
index 87a3dce..2beda9f 100644
--- a/psi/zimage3.c
+++ b/psi/zimage3.c
@@ -53,6 +53,8 @@ zimage3(i_ctx_t *i_ctx_p)
dict_find_string(op, "MaskDict", &pMaskDict) <= 0
)
return_error(gs_error_rangecheck);
+ check_type(*pDataDict, t_dictionary);
+ check_type(*pMaskDict, t_dictionary);
if ((code = pixel_image_params(i_ctx_p, pDataDict,
(gs_pixel_image_t *)&image, &ip_data,
12, false, gs_currentcolorspace(igs))) < 0 ||
diff --git a/psi/ztrans.c b/psi/ztrans.c
index 64defda..0550a10 100644
--- a/psi/ztrans.c
+++ b/psi/ztrans.c
@@ -417,6 +417,7 @@ zimage3x(i_ctx_t *i_ctx_p)
gs_image3x_t_init(&image, NULL);
if (dict_find_string(op, "DataDict", &pDataDict) <= 0)
return_error(gs_error_rangecheck);
+ check_type(*pDataDict, t_dictionary);
if ((code = pixel_image_params(i_ctx_p, pDataDict,
(gs_pixel_image_t *)&image, &ip_data,
16, false, gs_currentcolorspace(igs))) < 0 ||
@@ -453,6 +454,9 @@ image_params *pip_data, const char *dict_name,
if (dict_find_string(op, dict_name, &pMaskDict) <= 0)
return 1;
+ if (!r_has_type(pMaskDict, t_dictionary))
+ return gs_note_error(gs_error_typecheck);
+
if ((mcode = code = data_image_params(mem, pMaskDict, &pixm->MaskDict,
&ip_mask, false, 1, 16, false, false)) < 0 ||
(code = dict_int_param(pMaskDict, "ImageType", 1, 1, 0, &ignored)) < 0 ||
--
2.17.2