Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript 9.52
Fix the 'rsearch' calculation for the 'post' size to give the correct
size.  Previous calculation would result in a size that was too large,
and could underflow to max uint32_t. Also fix 'rsearch' to return the
correct 'pre' string with empty string match.

A future change may 'undefine' this undocumented, non-standard operator
during initialization as we do with the many other non-standard internal
PostScript operators and procedures.
Ray Johnston committed Jul 24, 2020
1 parent f77f997 commit 5d49927
Showing 1 changed file with 11 additions and 6 deletions.
17 changes: 11 additions & 6 deletions psi/zstring.c
@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
return 0;
found:
op->tas.type_attrs = op1->tas.type_attrs;
op->value.bytes = ptr;
r_set_size(op, size);
op->value.bytes = ptr; /* match */
op->tas.rsize = size; /* match */
push(2);
op[-1] = *op1;
r_set_size(op - 1, ptr - op[-1].value.bytes);
op1->value.bytes = ptr + size;
r_set_size(op1, count + (!forward ? (size - 1) : 0));
op[-1] = *op1; /* pre */
op[-3].value.bytes = ptr + size; /* post */
if (forward) {
op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
op[-3].tas.rsize = count; /* post */
} else {
op[-1].tas.rsize = count; /* pre */
op[-3].tas.rsize -= count + size; /* post */
}
make_true(op);
return 0;
}
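Review bot: the reverse branch, `op[-3].tas.rsize -= count + size; /* post */`, depends on two invariants the hunk does not state: that op[-3] still carries the original string length at that point (only its value.bytes was rewritten two lines earlier, in `op[-3].value.bytes = ptr + size;`), and that count + size never exceeds that length, since otherwise the subtraction wraps the same way the removed `count + (!forward ? (size - 1) : 0)` did for an empty pattern. A one-line comment stating the invariant, or computing the post length explicitly from the string's original length instead of adjusting it in place, would make the fix self-evident to the next reader. Two smaller points: after `push(2)`, `*op1` in `op[-1] = *op1;` and `op[-3]` name the same stack slot, so using one spelling throughout the found: block would read more clearly; and the hunk replaces the `r_set_size()` accessor with direct writes to tas.rsize without saying why, which is worth a word in the commit message if it is deliberate.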