Juergen Daubert
11f86218d2
See - https://www.kb.cert.org/vuls/id/332928 - http://seclists.org/oss-sec/2018/q3/142
34 lines
1.2 KiB
Diff
34 lines
1.2 KiB
Diff
From: Chris Liddell <chris.liddell@artifex.com>
|
|
Date: Thu, 23 Aug 2018 11:20:56 +0000 (+0100)
|
|
Subject: Bug 699668: handle stack overflow during error handling
|
|
X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=b575e1ec
|
|
|
|
Bug 699668: handle stack overflow during error handling
|
|
|
|
When handling a Postscript error, we push the object throwing the error onto
|
|
the operand stack for the error handling procedure to access - we were not
|
|
checking the available stack before doing so, thus causing a crash.
|
|
|
|
Basically, if we get a stack overflow when already handling an error, we're out
|
|
of options, return to the caller with a fatal error.
|
|
---
|
|
|
|
diff --git a/psi/interp.c b/psi/interp.c
|
|
index 8b49556..6150838 100644
|
|
--- a/psi/interp.c
|
|
+++ b/psi/interp.c
|
|
@@ -676,7 +676,12 @@ again:
|
|
/* Push the error object on the operand stack if appropriate. */
|
|
if (!GS_ERROR_IS_INTERRUPT(code)) {
|
|
/* Replace the error object if within an oparray or .errorexec. */
|
|
- *++osp = *perror_object;
|
|
+ osp++;
|
|
+ if (osp >= ostop) {
|
|
+ *pexit_code = gs_error_Fatal;
|
|
+ return_error(gs_error_Fatal);
|
|
+ }
|
|
+ *osp = *perror_object;
|
|
errorexec_find(i_ctx_p, osp);
|
|
}
|
|
goto again;
|