- From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001
- From: Chris Liddell <chris.liddell@artifex.com>
- Date: Fri, 12 Feb 2021 10:34:23 +0000
- Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation.
- During function result sampling, after the callout to the Postscript
- interpreter, make sure there is enough stack space available before pushing
- or popping entries.
- In this case, the Postscript procedure for the "function" is totally invalid
- (as a function), and leaves the op stack in an unrecoverable state (as far as
- function evaluation is concerned). We end up popping more entries off the
- stack than are available.
- To cope, add in stack limit checking to throw an appropriate error when this
- happens.
- [Retrieved from:
- https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7861fcad13c497728189feafb41cd57b5b50ea25]
- Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
- ---
- psi/zfsample.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
- diff --git a/psi/zfsample.c b/psi/zfsample.c
- index 290809405..652ae02c6 100644
- --- a/psi/zfsample.c
- +++ b/psi/zfsample.c
- @@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
- } else {
- if (stack_depth_adjust) {
- stack_depth_adjust -= num_out;
- - push(O_STACK_PAD - stack_depth_adjust);
- - for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
- - make_null(op - i);
- + if ((O_STACK_PAD - stack_depth_adjust) < 0) {
- + stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
- + check_op(stack_depth_adjust);
- + pop(stack_depth_adjust);
- + }
- + else {
- + check_ostack(O_STACK_PAD - stack_depth_adjust);
- + push(O_STACK_PAD - stack_depth_adjust);
- + for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
- + make_null(op - i);
- + }
- }
- }
-
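Review bot: In the new negative branch, `check_op(stack_depth_adjust)` and `pop(stack_depth_adjust)` appear to work on the current operand-stack block only, so a procedure that leaves its surplus entries across a stack extension block may be rejected with an underflow or not be cleaned up as intended. As far as I know, the interpreter's block-aware helpers are the safer fit here: `if (stack_depth_adjust > ref_stack_count(&o_stack)) return_error(gs_error_stackunderflow);` followed by `ref_stack_pop(&o_stack, stack_depth_adjust);`, refreshing `op = osp;` afterwards if `op` is used later. Reusing `stack_depth_adjust` for the sign-flipped pop count also makes the branch hard to follow; a separate local such as `int excess = stack_depth_adjust - O_STACK_PAD;` would read better. The rest of sampled_data_continue lies outside the hunk, so the early-return path of these checking macros should be confirmed against the enumeration cleanup there.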
- --
- 2.25.1