Commit | Line | Data |
---|---|---|
3bd218e8 MB |
1 | Fix CVE-2020-15900. |
2 | ||
3 | https://cve.circl.lu/cve/CVE-2020-15900 | |
4 | https://artifex.com/security-advisories/CVE-2020-15900 | |
5 | ||
6 | Taken from upstream: | |
7 | https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b | |
8 | ||
9 | diff --git a/psi/zstring.c b/psi/zstring.c | |
10 | --- a/psi/zstring.c | |
11 | +++ b/psi/zstring.c | |
12 | @@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward) | |
13 | return 0; | |
14 | found: | |
15 | op->tas.type_attrs = op1->tas.type_attrs; | |
16 | - op->value.bytes = ptr; | |
17 | - r_set_size(op, size); | |
18 | + op->value.bytes = ptr; /* match */ | |
19 | + op->tas.rsize = size; /* match */ | |
20 | push(2); | |
21 | - op[-1] = *op1; | |
22 | - r_set_size(op - 1, ptr - op[-1].value.bytes); | |
23 | - op1->value.bytes = ptr + size; | |
24 | - r_set_size(op1, count + (!forward ? (size - 1) : 0)); | |
25 | + op[-1] = *op1; /* pre */ | |
26 | + op[-3].value.bytes = ptr + size; /* post */ | |
27 | + if (forward) { | |
28 | + op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */ | |
29 | + op[-3].tas.rsize = count; /* post */ | |
30 | + } else { | |
31 | + op[-1].tas.rsize = count; /* pre */ | |
32 | + op[-3].tas.rsize -= count + size; /* post */ | |
33 | + } | |
34 | make_true(op); | |
35 | return 0; | |
36 | } |