From 262c909ac5b8676d1c221584c5a760e5e83fae66 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Mon, 4 Sep 2023 17:07:14 +0200
Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504

We didn't check for end of buffer if it looks there is an escaped
character - check for NULL terminator there and if found, return NULL
as return value and in `ptr`, because a lone backslash is not
a valid PostScript character.
---
 ppd/raster-interpret.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/ppd/raster-interpret.c b/ppd/raster-interpret.c
index 91f6c0d3..d120d2fc 100644
--- a/ppd/raster-interpret.c
+++ b/ppd/raster-interpret.c
@@ -1270,7 +1270,19 @@ ppd_scan_ps(_ppd_ps_stack_t  *st,	// I  - Stack
 
 	    cur ++;
 
-            if (*cur == 'b')
+	   /*
+	    * Return NULL if we reached NULL terminator, a lone backslash
+            * is not a valid character in PostScript.
+	    */
+
+	    if (!*cur)
+	    {
+	      *ptr = NULL;
+
+	      return (NULL);
+	    }
+
+	    if (*cur == 'b')
 	      *valptr++ = '\b';
 	    else if (*cur == 'f')
 	      *valptr++ = '\f';