ref: db5a4a9ae7b0048f033361744421da8569642f73
parent: 19b82cfbed2a269b0aae92f6dff3d40c3adccd3d
author: Werner Lemberg <[email protected]>
date: Sat Sep 12 04:32:55 EDT 2015
[psaux] Fix potential buffer overflow (#45922). * src/psaux/psobjs.c (ps_parser_skip_PS_token): If a token is enclosed in balanced expressions, ensure that the cursor position doesn't get larger than the current limit.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
2015-09-11 Werner Lemberg <[email protected]>
+ [psaux] Fix potential buffer overflow (#45922).
+
+ * src/psaux/psobjs.c (ps_parser_skip_PS_token): If a token is
+ enclosed in balanced expressions, ensure that the cursor position
+ doesn't get larger than the current limit.
+
+2015-09-11 Werner Lemberg <[email protected]>
+
[base] Avoid crash while tracing `load_mac_face'.
Reported in Savannah bug #45919.
--- a/src/psaux/psobjs.c
+++ b/src/psaux/psobjs.c
@@ -594,6 +594,9 @@
error = FT_THROW( Invalid_File_Format );
}
+ if ( cur > limit )
+ cur = limit;
+
parser->error = error;
parser->cursor = cur;
}