31 lines
1.0 KiB
Diff
31 lines
1.0 KiB
Diff
|
From 920fae688705b3a25a1f8925f3837219a6243565 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Zdenek Hutyra <zhutyra@centrum.cz>
|
||
|
|
Date: Wed, 20 Nov 2024 11:27:52 +0000
|
||
|
|
Subject: Bug 708131: Fix confusion between bytes and shorts
|
||
|
|
|
||
|
|
We were copying data from a string in multiple of shorts, rather than multiple
|
||
|
|
of bytes, leading to both an read (probably benign, given the memory manager)
|
||
|
|
and write buffer overflow.
|
||
|
|
|
||
|
|
CVE-2025-27835
|
||
|
|
---
|
||
|
|
psi/zbfont.c | 2 +-
|
||
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/psi/zbfont.c b/psi/zbfont.c
|
||
|
|
index acffb39ef..5850ab54d 100644
|
||
|
|
--- a/psi/zbfont.c
|
||
|
|
+++ b/psi/zbfont.c
|
||
|
|
@@ -253,7 +253,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u
|
||
|
|
if (l > length)
|
||
|
|
return l;
|
||
|
|
|
||
|
|
- memcpy(unicode_return, v->value.const_bytes, l * sizeof(short));
|
||
|
|
+ memcpy(unicode_return, v->value.const_bytes, l);
|
||
|
|
return l;
|
||
|
|
}
|
||
|
|
if (r_type(v) == t_integer) {
|
||
|
|
--
|
||
|
|
cgit v1.2.3
|
||
|
|
|