| From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001 |
| From: Ray Johnston <ray.johnston@artifex.com> |
| Date: Wed, 22 Jul 2020 09:57:54 -0700 |
| Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript |
| 9.52 |
| |
| Fix the 'rsearch' calculation for the 'post' size to give the correct |
| size. Previous calculation would result in a size that was too large, |
| and could underflow to max uint32_t. Also fix 'rsearch' to return the |
| correct 'pre' string with empty string match. |
| |
| A future change may 'undefine' this undocumented, non-standard operator |
| during initialization as we do with the many other non-standard internal |
| PostScript operators and procedures. |
| --- |
| psi/zstring.c | 17 +++++++++++------ |
| 1 file changed, 11 insertions(+), 6 deletions(-) |
| |
| diff --git a/psi/zstring.c b/psi/zstring.c |
| index 33662dafa..58e1af2b3 100644 |
| --- a/psi/zstring.c |
| +++ b/psi/zstring.c |
| @@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward) |
| return 0; |
| found: |
| op->tas.type_attrs = op1->tas.type_attrs; |
| - op->value.bytes = ptr; |
| - r_set_size(op, size); |
| + op->value.bytes = ptr; /* match */ |
| + op->tas.rsize = size; /* match */ |
| push(2); |
| - op[-1] = *op1; |
| - r_set_size(op - 1, ptr - op[-1].value.bytes); |
| - op1->value.bytes = ptr + size; |
| - r_set_size(op1, count + (!forward ? (size - 1) : 0)); |
| + op[-1] = *op1; /* pre */ |
| + op[-3].value.bytes = ptr + size; /* post */ |
| + if (forward) { |
| + op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */ |
| + op[-3].tas.rsize = count; /* post */ |
| + } else { |
| + op[-1].tas.rsize = count; /* pre */ |
| + op[-3].tas.rsize -= count + size; /* post */ |
| + } |
| make_true(op); |
| return 0; |
| } |
| -- |
| 2.17.1 |