
Commit 5d49927

Author: Ray Johnston (committed)
Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript 9.52
Fix the 'rsearch' calculation for the 'post' size to give the correct size. Previous calculation would result in a size that was too large, and could underflow to max uint32_t. Also fix 'rsearch' to return the correct 'pre' string with empty string match. A future change may 'undefine' this undocumented, non-standard operator during initialization as we do with the many other non-standard internal PostScript operators and procedures.
1 parent f77f997 commit 5d49927
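As an added illustration (this is not Ghostscript's code), the following C model shows how a search/rsearch result is split into post, match and pre, with every length derived from the original string length and the match offset rather than from what is left to scan, and it reproduces the arithmetic of the removed backward-case line (`count + (size - 1)`) to show the wrap to UINT32_MAX that the commit message describes. The helpers `find_offset`, `split_at`, `old_rsearch_post_size`, `result_in_bounds` and `check_case`, the `uint32_t` length type, the sample string and the convention that an empty seek matches at the end of the string in a backward scan are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the search/rsearch operand layout (not Ghostscript's
 * own code): a substring is a pointer into the parent string plus a length,
 * which Ghostscript keeps in ref.tas.rsize; modelled here as uint32_t. */
typedef struct {
    const unsigned char *bytes;
    uint32_t rsize;
} substr;

/* post, match and pre in the order the operator leaves them on the stack. */
typedef struct {
    substr post, match, pre;
    int found;
} search_result;

/* Offset of the first (forward) or last (backward) occurrence of seek in str,
 * or -1. An empty seek matches at offset 0 forward and at offset str_len
 * backward; that is this model's convention, not a claim about Ghostscript. */
static long find_offset(const unsigned char *str, uint32_t str_len,
                        const unsigned char *seek, uint32_t seek_len, int forward)
{
    if (seek_len > str_len)
        return -1;
    if (forward) {
        for (uint32_t off = 0; off + seek_len <= str_len; off++)
            if (memcmp(str + off, seek, seek_len) == 0)
                return (long)off;
        return -1;
    }
    for (uint32_t off = str_len - seek_len;; off--) {
        if (memcmp(str + off, seek, seek_len) == 0)
            return (long)off;
        if (off == 0)
            return -1;
    }
}

/* Split str around a match at offset off. post's length is the original
 * length minus (offset + match length), so it can never extend past the
 * parent buffer, whichever direction the search ran. */
static search_result split_at(const unsigned char *str, uint32_t str_len,
                              long off, uint32_t seek_len)
{
    search_result r;
    memset(&r, 0, sizeof r);
    if (off < 0)
        return r;                      /* found stays 0 */
    uint32_t o = (uint32_t)off;
    r.pre.bytes = str;                 r.pre.rsize = o;
    r.match.bytes = str + o;           r.match.rsize = seek_len;
    r.post.bytes = str + o + seek_len; r.post.rsize = str_len - (o + seek_len);
    r.found = 1;
    return r;
}

/* The removed line's backward case, r_set_size(op1, count + (size - 1)), in
 * 32-bit unsigned arithmetic: with size == 0 (empty seek) the subtraction
 * wraps, and with count == 0 the result is UINT32_MAX. */
static uint32_t old_rsearch_post_size(uint32_t count, uint32_t size)
{
    return count + (size - 1);
}

/* Invariant a correct split must satisfy: the three pieces tile the parent
 * string exactly, so no piece can point or extend outside it. */
static int result_in_bounds(const search_result *r, const unsigned char *str, uint32_t str_len)
{
    if (!r->found)
        return 1;
    return r->pre.bytes == str
        && r->pre.bytes + r->pre.rsize == r->match.bytes
        && r->match.bytes + r->match.rsize == r->post.bytes
        && r->post.bytes + r->post.rsize == str + str_len
        && (uint64_t)r->pre.rsize + r->match.rsize + r->post.rsize == str_len;
}

/* Run one case over constructed input. Returns -1 if seek was not found,
 * 1 if the split is in bounds with the expected lengths, 0 otherwise. */
static int check_case(const char *str, const char *seek, int forward,
                      uint32_t want_pre, uint32_t want_match, uint32_t want_post)
{
    const unsigned char *s = (const unsigned char *)str;
    uint32_t n = (uint32_t)strlen(str), k = (uint32_t)strlen(seek);
    search_result r = split_at(s, n, find_offset(s, n, (const unsigned char *)seek, k, forward), k);
    if (!r.found)
        return -1;
    return result_in_bounds(&r, s, n)
        && r.pre.rsize == want_pre && r.match.rsize == want_match && r.post.rsize == want_post;
}

int main(void)
{
    printf("forward  'abcabc' 'bc': %d\n", check_case("abcabc", "bc", 1, 1, 2, 3));
    printf("backward 'abcabc' 'bc': %d\n", check_case("abcabc", "bc", 0, 4, 2, 0));
    printf("backward 'abcabc' '':   %d\n", check_case("abcabc", "", 0, 6, 0, 0));
    printf("old post size, count=0 size=0: %u\n", (unsigned)old_rsearch_post_size(0, 0));
    return 0;
}
```

The empty-seek backward case is the one the commit message calls out: with the match at the end of the string, pre is the whole string and post is empty, and `result_in_bounds` is the check a regression test would assert after the fix.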

1 file changed: +11 -6 lines changed

Diff for: psi/zstring.c (+11 -6)

@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
142142
return 0;
143143
found:
144144
op->tas.type_attrs = op1->tas.type_attrs;
145-
op->value.bytes = ptr;
146-
r_set_size(op, size);
145+
op->value.bytes = ptr; /* match */
146+
op->tas.rsize = size; /* match */
147147
push(2);
148-
op[-1] = *op1;
149-
r_set_size(op - 1, ptr - op[-1].value.bytes);
150-
op1->value.bytes = ptr + size;
151-
r_set_size(op1, count + (!forward ? (size - 1) : 0));
148+
op[-1] = *op1; /* pre */
149+
op[-3].value.bytes = ptr + size; /* post */
150+
if (forward) {
151+
op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
152+
op[-3].tas.rsize = count; /* post */
153+
} else {
154+
op[-1].tas.rsize = count; /* pre */
155+
op[-3].tas.rsize -= count + size; /* post */
156+
}
152157
make_true(op);
153158
return 0;
154159
}
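Review bot: `count` means two different things in the two branches of the new `if (forward)` block (it is stored as the post length when forward and as the pre length when backward) and nothing at the `found:` label says so; a one-line comment stating what `count` holds in each direction would let a reader verify that `op[-3].tas.rsize -= count + size; /* post */` cannot go below zero. That subtraction also relies on `op[-3]` still carrying the original string length, which holds only because nothing has written `op[-3].tas.rsize` between `op[-1] = *op1; /* pre */` and the subtraction; worth stating in the comment so a later reorder does not reintroduce the oversized post. Minor: `op[-3]` and `op1` name the same slot (the removed `op1->value.bytes = ptr + size;` became `op[-3].value.bytes = ptr + size;` while `*op1` is still used one line above), and the removed lines used `r_set_size()` where the new ones assign `tas.rsize` directly; one name for the slot and one idiom for setting the size would keep the hunk consistent with the surrounding code.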

Comments (0)