[openembedded-core.git] /

From 1b516be5f6829ab6ce37835529ba08abd6d18663 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 21 Aug 2018 16:42:45 +0100
Subject: [PATCH 2/5] Bug 699656: Handle LockDistillerParams not being a
 boolean

This caused a function call commented as "Can't fail" to fail, and resulted
in memory correuption and a segfault.

CVE: CVE-2018-15910
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 devices/vector/gdevpdfp.c | 2 +-
 psi/iparam.c              | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c
index 522db7a..f2816b9 100644
--- a/devices/vector/gdevpdfp.c
+++ b/devices/vector/gdevpdfp.c
@@ -364,7 +364,7 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par
      * LockDistillerParams is read again, and reset if necessary, in
      * psdf_put_params.
      */
-    ecode = param_read_bool(plist, "LockDistillerParams", &locked);
+    ecode = param_read_bool(plist, (param_name = "LockDistillerParams"), &locked);
     if (ecode < 0)
         param_signal_error(plist, param_name, ecode);
 
diff --git a/psi/iparam.c b/psi/iparam.c
index 68c20d4..0279455 100644
--- a/psi/iparam.c
+++ b/psi/iparam.c
@@ -822,10 +822,11 @@ static int
 ref_param_read_signal_error(gs_param_list * plist, gs_param_name pkey, int code)
 {
     iparam_list *const iplist = (iparam_list *) plist;
-    iparam_loc loc;
+    iparam_loc loc = {0};
 
-    ref_param_read(iplist, pkey, &loc, -1);    /* can't fail */
-    *loc.presult = code;
+    ref_param_read(iplist, pkey, &loc, -1);
+    if (loc.presult)
+        *loc.presult = code;
     switch (ref_param_read_get_policy(plist, pkey)) {
         case gs_param_policy_ignore:
             return 0;
-- 
2.8.1