From c501a58f8d5650c8ba21d447c0d6f07eafcb0f15 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Fri, 16 Jun 2017 08:29:25 +0100
Subject: [PATCH] Bug 698063: Bounds check Ins_JMPR

---
 base/ttinterp.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- end of original header

CVE: CVE-2017-9739

Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]

Signed-off-by: Joe Slater <joe.slater@windriver.com>

diff --git a/base/ttinterp.c b/base/ttinterp.c
index af457e8..adf3f0c 100644
--- a/base/ttinterp.c
+++ b/base/ttinterp.c
@@ -1794,6 +1794,12 @@ static int nInstrCount=0;
 
   static void  Ins_JMPR( INS_ARG )
   {
+    if ( BOUNDS(CUR.IP + args[0], CUR.codeSize ) )
+    {
+      CUR.error = TT_Err_Invalid_Reference;
+      return;
+    }
+
     CUR.IP      += (Int)(args[0]);
     CUR.step_ins = FALSE;
 
-- 
1.7.9.5