diff options
Diffstat (limited to 'meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch')
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch new file mode 100644 index 0000000000..722bab4ddb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Fri, 12 Feb 2021 10:34:23 +0000 | ||
4 | Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation. | ||
5 | |||
6 | During function result sampling, after the callout to the Postscript | ||
7 | interpreter, make sure there is enough stack space available before pushing | ||
8 | or popping entries. | ||
9 | |||
10 | In thise case, the Postscript procedure for the "function" is totally invalid | ||
11 | (as a function), and leaves the op stack in an unrecoverable state (as far as | ||
12 | function evaluation is concerned). We end up popping more entries off the | ||
13 | stack than are available. | ||
14 | |||
15 | To cope, add in stack limit checking to throw an appropriate error when this | ||
16 | happens. | ||
17 | |||
18 | Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25] | ||
19 | Signed-off-by: Minjae Kim <flowergom@gmail.com> | ||
20 | --- | ||
21 | psi/zfsample.c | 14 +++++++++++--- | ||
22 | 1 file changed, 11 insertions(+), 3 deletions(-) | ||
23 | |||
24 | diff --git a/psi/zfsample.c b/psi/zfsample.c | ||
25 | index 290809405..652ae02c6 100644 | ||
26 | --- a/psi/zfsample.c | ||
27 | +++ b/psi/zfsample.c | ||
28 | @@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p) | ||
29 | } else { | ||
30 | if (stack_depth_adjust) { | ||
31 | stack_depth_adjust -= num_out; | ||
32 | - push(O_STACK_PAD - stack_depth_adjust); | ||
33 | - for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) | ||
34 | - make_null(op - i); | ||
35 | + if ((O_STACK_PAD - stack_depth_adjust) < 0) { | ||
36 | + stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); | ||
37 | + check_op(stack_depth_adjust); | ||
38 | + pop(stack_depth_adjust); | ||
39 | + } | ||
40 | + else { | ||
41 | + check_ostack(O_STACK_PAD - stack_depth_adjust); | ||
42 | + push(O_STACK_PAD - stack_depth_adjust); | ||
43 | + for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) | ||
44 | + make_null(op - i); | ||
45 | + } | ||
46 | } | ||
47 | } | ||
48 | |||
49 | -- | ||
50 | 2.25.1 | ||
51 | |||