From 87688cd48fb52c305e159b785bd184232426a766 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 9 Apr 2020 09:40:05 +0100
Subject: [PATCH] Bug 702322: fix uninitalized data reads
gs_scan_token() keeps a local copy of the scanner state, and copies from and to
the scanner state that is passed into it. There are several code paths that
can leave some important entries in the structure uninitialized when we copy the
local copy to the parameter.
This just ensures those specific entries are always set to *something* sane.
---
psi/iscan.c | 10 ++++++++++
1 file changed, 10 insertions(+)
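--- a/psi/iscan.c
+++ b/psi/iscan.c
@@ -535,6 +535,16 @@ gs_scan_token(i_ctx_t *i_ctx_p, ref * pref, scanner_state * pstate)
 return_error(gs_error_Fatal);
 }
 }
+ else {
+ /* We *may* use these in the event of returning to this function after
+ * a interruption, but not every code path below sets them. Set them
+ * to sane values here for safety. We can write the contents of sstate
+ * (back) to pstate before returning.
+ */
+ sstate.s_da.base = sstate.s_da.next = &(sstate.s_da.buf[0]);
+ sstate.s_da.limit = sstate.s_da.next;
+ sstate.s_da.is_dynamic = false;
+ }
 /* Fetch any state variables that are relevant even if */
 /* sstate.s_scan_type == scanning_none. */
 sstate.s_pstack = pstate->s_pstack;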
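Review bot: The new else branch establishes `base == next == limit == &buf[0]` with `is_dynamic = false`, but its comment never names that invariant (an empty, non-heap buffer that must not be freed), so a later reader cannot tell which properties the rest of the function and the copy back to pstate are allowed to rely on; a closing sentence such as `/* Invariant on this path: s_da is an empty, non-dynamic buffer (base == next == limit). */` would record what actually closes the uninitialised read. Only these three members are set, so any other member of `s_da` stays indeterminate on this path and the same class of bug returns if the struct ever gains a field; a `memset(&sstate.s_da, 0, sizeof sstate.s_da);` before the three assignments would make the whole sub-object defined regardless, which seems worth it given that stale pointer values in scanner state are exactly what this commit is fixing. The comment also has a typo, `a interruption` → `an interruption`. gs_scan_token starts outside the hunk, so which condition this `else` pairs with cannot be confirmed from here.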
--