667 lines
27 KiB
Diff
667 lines
27 KiB
Diff
From fac7eb144135f3ed8fbb0028ab1f33ce4dcc1985 Mon Sep 17 00:00:00 2001
|
|
From: Ken Sharp <ken.sharp@artifex.com>
|
|
Date: Fri, 21 Sep 2018 13:02:56 +0100
|
|
Subject: [PATCH 1/3] Check all uses of dict_find* to ensure 0 return properly
|
|
handled
|
|
|
|
dict_find and friends have the surprising quirk of returning < 0 for
|
|
an error and > 0 for no error. But they can also return 0 which means
|
|
'not found' without it being an error.
|
|
|
|
From bug 699801, if the code assumes the usual case where 0 is a success
|
|
then an attempt might be made to use the empty dictionary slot returned
|
|
by dict_find*, which can lead to seg faults, and certainly won't have
|
|
the expected result.
|
|
---
|
|
psi/icontext.c | 4 ++--
|
|
psi/zcid.c | 6 ++++--
|
|
psi/zfapi.c | 33 ++++++++++++++++++---------------
|
|
psi/zfcid0.c | 39 +++++++++++++++++++++++++++++----------
|
|
psi/zfcid1.c | 14 ++++++++++----
|
|
psi/zicc.c | 4 ++++
|
|
psi/zpdf_r6.c | 31 +++++++++++++++++++++++--------
|
|
psi/ztoken.c | 2 +-
|
|
8 files changed, 91 insertions(+), 42 deletions(-)
|
|
|
|
diff --git a/psi/icontext.c b/psi/icontext.c
|
|
index 4db78e0..1fbe486 100644
|
|
--- a/psi/icontext.c
|
|
+++ b/psi/icontext.c
|
|
@@ -162,7 +162,7 @@ context_state_alloc(gs_context_state_t ** ppcst,
|
|
uint size;
|
|
ref *system_dict = &pcst->dict_stack.system_dict;
|
|
|
|
- if (dict_find_string(system_dict, "userparams", &puserparams) >= 0)
|
|
+ if (dict_find_string(system_dict, "userparams", &puserparams) > 0)
|
|
size = dict_length(puserparams);
|
|
else
|
|
size = 300;
|
|
@@ -286,7 +286,7 @@ context_state_store(gs_context_state_t * pcst)
|
|
/* We need i_ctx_p for access to the d_stack. */
|
|
i_ctx_t *i_ctx_p = pcst;
|
|
|
|
- if (dict_find_string(systemdict, "userparams", &puserparams) < 0)
|
|
+ if (dict_find_string(systemdict, "userparams", &puserparams) <= 0)
|
|
return_error(gs_error_Fatal);
|
|
pcst->userparams = *puserparams;
|
|
}
|
|
diff --git a/psi/zcid.c b/psi/zcid.c
|
|
index e394877..5c98fc9 100644
|
|
--- a/psi/zcid.c
|
|
+++ b/psi/zcid.c
|
|
@@ -72,11 +72,13 @@ TT_char_code_from_CID_no_subst(const gs_memory_t *mem,
|
|
} else
|
|
return false; /* Must not happen. */
|
|
for (;n--; i++) {
|
|
+ int code;
|
|
+
|
|
if (array_get(mem, DecodingArray, i, &char_code1) < 0 ||
|
|
!r_has_type(&char_code1, t_integer))
|
|
return false; /* Must not happen. */
|
|
- if (dict_find(TT_cmap, &char_code1, &glyph_index) >= 0 &&
|
|
- r_has_type(glyph_index, t_integer)) {
|
|
+ code = dict_find(TT_cmap, &char_code1, &glyph_index);
|
|
+ if (code > 0 && r_has_type(glyph_index, t_integer)) {
|
|
*c = glyph_index->value.intval;
|
|
found = true;
|
|
if (*c != 0)
|
|
diff --git a/psi/zfapi.c b/psi/zfapi.c
|
|
index 48e1d54..1b687b0 100644
|
|
--- a/psi/zfapi.c
|
|
+++ b/psi/zfapi.c
|
|
@@ -1826,6 +1826,9 @@ FAPI_get_xlatmap(i_ctx_t *i_ctx_p, char **xlatmap)
|
|
|
|
if ((code = dict_find_string(systemdict, ".xlatmap", &pref)) < 0)
|
|
return code;
|
|
+ if (code == 0)
|
|
+ return_error(gs_error_undefined);
|
|
+
|
|
if (r_type(pref) != t_string)
|
|
return_error(gs_error_typecheck);
|
|
*xlatmap = (char *)pref->value.bytes;
|
|
@@ -1881,11 +1884,11 @@ ps_get_server_param(gs_fapi_server *I, const byte *subtype,
|
|
ref *FAPIconfig, *options, *server_options;
|
|
i_ctx_t *i_ctx_p = (i_ctx_t *) I->client_ctx_p;
|
|
|
|
- if (dict_find_string(systemdict, ".FAPIconfig", &FAPIconfig) >= 0
|
|
+ if (dict_find_string(systemdict, ".FAPIconfig", &FAPIconfig) > 0
|
|
&& r_has_type(FAPIconfig, t_dictionary)) {
|
|
- if (dict_find_string(FAPIconfig, "ServerOptions", &options) >= 0
|
|
+ if (dict_find_string(FAPIconfig, "ServerOptions", &options) > 0
|
|
&& r_has_type(options, t_dictionary)) {
|
|
- if (dict_find_string(options, (char *)subtype, &server_options) >=
|
|
+ if (dict_find_string(options, (char *)subtype, &server_options) >
|
|
0 && r_has_type(server_options, t_string)) {
|
|
*server_param = (byte *) server_options->value.const_bytes;
|
|
*server_param_size = r_size(server_options);
|
|
@@ -2070,7 +2073,7 @@ zFAPIrebuildfont(i_ctx_t *i_ctx_p)
|
|
pdata = (font_data *) pfont->client_data;
|
|
I = pbfont->FAPI;
|
|
|
|
- if (dict_find_string((op - 1), "SubfontId", &v) >= 0
|
|
+ if (dict_find_string((op - 1), "SubfontId", &v) > 0
|
|
&& r_has_type(v, t_integer))
|
|
subfont = v->value.intval;
|
|
else
|
|
@@ -2277,8 +2280,8 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,
|
|
if (pbfont->FontType == ft_CID_TrueType && font_file_path) {
|
|
ref *pdr2, *fidr, *dummy;
|
|
pdr2 = pfont_dict(gs_rootfont(igs));
|
|
- if (dict_find_string(pdr2, "FontInfo", &fidr) &&
|
|
- dict_find_string(fidr, "GlyphNames2Unicode", &dummy))
|
|
+ if (dict_find_string(pdr2, "FontInfo", &fidr) > 0 &&
|
|
+ dict_find_string(fidr, "GlyphNames2Unicode", &dummy) > 0)
|
|
{
|
|
unsigned char uc[4] = {0};
|
|
unsigned int cc = 0;
|
|
@@ -2417,13 +2420,13 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,
|
|
|
|
fdict = pfont_dict(gs_rootfont(igs));
|
|
code = dict_find_string(fdict, "CMap", &CMapDict);
|
|
- if (code >= 0 && r_has_type(CMapDict, t_dictionary)) {
|
|
+ if (code > 0 && r_has_type(CMapDict, t_dictionary)) {
|
|
code = dict_find_string(CMapDict, "WMode", &WMode);
|
|
- if (code >= 0 && r_has_type(WMode, t_integer)) {
|
|
+ if (code > 0 && r_has_type(WMode, t_integer)) {
|
|
wmode = WMode->value.intval;
|
|
}
|
|
code = dict_find_string(CMapDict, "CMapName", &CMapName);
|
|
- if (code >= 0 && r_has_type(CMapName, t_name)) {
|
|
+ if (code > 0 && r_has_type(CMapName, t_name)) {
|
|
name_string_ref(imemory, CMapName, &CMapNameStr);
|
|
cmapnm = (char *)CMapNameStr.value.bytes;
|
|
cmapnmlen = r_size(&CMapNameStr);
|
|
@@ -2432,10 +2435,10 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,
|
|
/* We only have to lookup the char code if we're *not* using an identity ordering
|
|
with the exception of Identity-UTF16 which is a different beast altogether */
|
|
if (unicode_cp || (cmapnmlen > 0 && !strncmp(cmapnm, utfcmap, cmapnmlen > utfcmaplen ? utfcmaplen : cmapnmlen))
|
|
- || (dict_find_string(pdr, "CIDSystemInfo", &CIDSystemInfo) >= 0
|
|
+ || (dict_find_string(pdr, "CIDSystemInfo", &CIDSystemInfo) > 0
|
|
&& r_has_type(CIDSystemInfo, t_dictionary)
|
|
&& dict_find_string(CIDSystemInfo, "Ordering",
|
|
- &Ordering) >= 0
|
|
+ &Ordering) > 0
|
|
&& r_has_type(Ordering, t_string)
|
|
&& strncmp((const char *)Ordering->value.bytes,
|
|
"Identity", 8) != 0)) {
|
|
@@ -2463,7 +2466,7 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,
|
|
ref cc32;
|
|
ref *gid;
|
|
make_int(&cc32, 32);
|
|
- if (dict_find(TT_cmap, &cc32, &gid) >= 0)
|
|
+ if (dict_find(TT_cmap, &cc32, &gid) > 0)
|
|
c = gid->value.intval;
|
|
}
|
|
cr->char_codes[0] = c;
|
|
@@ -2536,7 +2539,7 @@ ps_get_glyphname_or_cid(gs_text_enum_t *penum,
|
|
if (dict_find_string(pdr, "CharStrings", &CharStrings) <= 0
|
|
|| !r_has_type(CharStrings, t_dictionary))
|
|
return_error(gs_error_invalidfont);
|
|
- if ((dict_find(CharStrings, &char_name, &glyph_index) < 0)
|
|
+ if ((dict_find(CharStrings, &char_name, &glyph_index) <= 0)
|
|
|| r_has_type(glyph_index, t_null)) {
|
|
#ifdef DEBUG
|
|
ref *pvalue;
|
|
@@ -2955,7 +2958,7 @@ zFAPIpassfont(i_ctx_t *i_ctx_p)
|
|
if (code < 0)
|
|
return code;
|
|
|
|
- if (dict_find_string(op, "SubfontId", &v) >= 0
|
|
+ if (dict_find_string(op, "SubfontId", &v) > 0
|
|
&& r_has_type(v, t_integer))
|
|
subfont = v->value.intval;
|
|
else
|
|
@@ -2968,7 +2971,7 @@ zFAPIpassfont(i_ctx_t *i_ctx_p)
|
|
/* If the font dictionary contains a FAPIPlugInReq key, the the PS world wants us
|
|
* to try to use a specific FAPI plugin, so find it, and try it....
|
|
*/
|
|
- if (dict_find_string(op, "FAPIPlugInReq", &v) >= 0 && r_type(v) == t_name) {
|
|
+ if (dict_find_string(op, "FAPIPlugInReq", &v) > 0 && r_type(v) == t_name) {
|
|
|
|
name_string_ref(imemory, v, &reqstr);
|
|
|
|
diff --git a/psi/zfcid0.c b/psi/zfcid0.c
|
|
index 2aba09a..ba00b21 100644
|
|
--- a/psi/zfcid0.c
|
|
+++ b/psi/zfcid0.c
|
|
@@ -410,13 +410,25 @@ zbuildfont9(i_ctx_t *i_ctx_p)
|
|
* from a file, GlyphData will be an integer, and DataSource will be
|
|
* a (reusable) stream.
|
|
*/
|
|
- if (code < 0 ||
|
|
- (code = cid_font_data_param(op, &common, &GlyphDirectory)) < 0 ||
|
|
- (code = dict_find_string(op, "FDArray", &prfda)) < 0 ||
|
|
- (code = dict_find_string(op, "CIDFontName", &pCIDFontName)) <= 0 ||
|
|
- (code = dict_int_param(op, "FDBytes", 0, MAX_FDBytes, -1, &FDBytes)) < 0
|
|
- )
|
|
+ if (code < 0)
|
|
+ return code;
|
|
+ code = cid_font_data_param(op, &common, &GlyphDirectory);
|
|
+ if (code < 0)
|
|
+ return code;
|
|
+ code = dict_find_string(op, "FDArray", &prfda);
|
|
+ if (code < 0)
|
|
+ return code;
|
|
+ if (code == 0)
|
|
+ return_error(gs_error_undefined);
|
|
+ code = dict_find_string(op, "CIDFontName", &pCIDFontName);
|
|
+ if (code < 0)
|
|
+ return code;
|
|
+ if (code == 0)
|
|
+ return_error(gs_error_undefined);
|
|
+ code = dict_int_param(op, "FDBytes", 0, MAX_FDBytes, -1, &FDBytes);
|
|
+ if (code < 0)
|
|
return code;
|
|
+
|
|
/*
|
|
* Since build_gs_simple_font may resize the dictionary and cause
|
|
* pointers to become invalid, save CIDFontName
|
|
@@ -426,17 +438,24 @@ zbuildfont9(i_ctx_t *i_ctx_p)
|
|
/* Standard CIDFont, require GlyphData and CIDMapOffset. */
|
|
ref *pGlyphData;
|
|
|
|
- if ((code = dict_find_string(op, "GlyphData", &pGlyphData)) < 0 ||
|
|
- (code = dict_uint_param(op, "CIDMapOffset", 0, max_uint - 1,
|
|
- max_uint, &CIDMapOffset)) < 0)
|
|
+ code = dict_find_string(op, "GlyphData", &pGlyphData);
|
|
+ if (code < 0)
|
|
+ return code;
|
|
+ if (code == 0)
|
|
+ return_error(gs_error_undefined);
|
|
+ code = dict_uint_param(op, "CIDMapOffset", 0, max_uint - 1, max_uint, &CIDMapOffset);
|
|
+ if (code < 0)
|
|
return code;
|
|
GlyphData = *pGlyphData;
|
|
if (r_has_type(&GlyphData, t_integer)) {
|
|
ref *pds;
|
|
stream *ignore_s;
|
|
|
|
- if ((code = dict_find_string(op, "DataSource", &pds)) < 0)
|
|
+ code = dict_find_string(op, "DataSource", &pds);
|
|
+ if (code < 0)
|
|
return code;
|
|
+ if (code == 0)
|
|
+ return_error(gs_error_undefined);
|
|
check_read_file(i_ctx_p, ignore_s, pds);
|
|
DataSource = *pds;
|
|
} else {
|
|
diff --git a/psi/zfcid1.c b/psi/zfcid1.c
|
|
index ef3ece0..e3643a0 100644
|
|
--- a/psi/zfcid1.c
|
|
+++ b/psi/zfcid1.c
|
|
@@ -347,11 +347,17 @@ zbuildfont11(i_ctx_t *i_ctx_p)
|
|
ref rcidmap, ignore_gdir, file, *pfile, cfnstr, *pCIDFontName, CIDFontName, *t;
|
|
ulong loca_glyph_pos[2][2];
|
|
int code = cid_font_data_param(op, &common, &ignore_gdir);
|
|
+ if (code < 0)
|
|
+ return code;
|
|
|
|
- if (code < 0 ||
|
|
- (code = dict_find_string(op, "CIDFontName", &pCIDFontName)) <= 0 ||
|
|
- (code = dict_int_param(op, "MetricsCount", 0, 4, 0, &MetricsCount)) < 0
|
|
- )
|
|
+ code = dict_find_string(op, "CIDFontName", &pCIDFontName);
|
|
+ if (code <= 0) {
|
|
+ if (code == 0)
|
|
+ return_error(gs_error_undefined);
|
|
+ return code;
|
|
+ }
|
|
+ code = dict_int_param(op, "MetricsCount", 0, 4, 0, &MetricsCount);
|
|
+ if (code < 0)
|
|
return code;
|
|
/*
|
|
* Since build_gs_simple_font may resize the dictionary and cause
|
|
diff --git a/psi/zicc.c b/psi/zicc.c
|
|
index ebf25fe..53bdf34 100644
|
|
--- a/psi/zicc.c
|
|
+++ b/psi/zicc.c
|
|
@@ -261,6 +261,8 @@ zset_outputintent(i_ctx_t * i_ctx_p)
|
|
code = dict_find_string(op, "N", &pnval);
|
|
if (code < 0)
|
|
return code;
|
|
+ if (code == 0)
|
|
+ return_error(gs_error_undefined);
|
|
ncomps = pnval->value.intval;
|
|
|
|
/* verify the DataSource entry. Creat profile from stream */
|
|
@@ -491,6 +493,8 @@ znumicc_components(i_ctx_t * i_ctx_p)
|
|
code = dict_find_string(op, "N", &pnval);
|
|
if (code < 0)
|
|
return code;
|
|
+ if (code == 0)
|
|
+ return_error(gs_error_undefined);
|
|
ncomps = pnval->value.intval;
|
|
/* verify the DataSource entry. Create profile from stream */
|
|
if (dict_find_string(op, "DataSource", &pstrmval) <= 0)
|
|
diff --git a/psi/zpdf_r6.c b/psi/zpdf_r6.c
|
|
index bcd4907..992f316 100644
|
|
--- a/psi/zpdf_r6.c
|
|
+++ b/psi/zpdf_r6.c
|
|
@@ -145,21 +145,36 @@ zcheck_r6_password(i_ctx_t * i_ctx_p)
|
|
return_error(gs_error_typecheck);
|
|
|
|
code = dict_find_string(CryptDict, "O", &Oref);
|
|
- if (code < 0 || !r_has_type(Oref, t_string)) {
|
|
+ if (code < 0)
|
|
+ return code;
|
|
+ if (code == 0)
|
|
+ return_error(gs_error_undefined);
|
|
+ if (!r_has_type(Oref, t_string))
|
|
return_error(gs_error_typecheck);
|
|
- }
|
|
+
|
|
code = dict_find_string(CryptDict, "OE", &OEref);
|
|
- if (code < 0 || !r_has_type(OEref, t_string)) {
|
|
+ if (code < 0)
|
|
+ return code;
|
|
+ if (code == 0)
|
|
+ return_error(gs_error_undefined);
|
|
+ if (!r_has_type(OEref, t_string))
|
|
return_error(gs_error_typecheck);
|
|
- }
|
|
+
|
|
code = dict_find_string(CryptDict, "U", &Uref);
|
|
- if (code < 0 || !r_has_type(Uref, t_string)) {
|
|
+ if (code < 0)
|
|
+ return code;
|
|
+ if (code == 0)
|
|
+ return_error(gs_error_undefined);
|
|
+ if (!r_has_type(Uref, t_string))
|
|
return_error(gs_error_typecheck);
|
|
- }
|
|
+
|
|
code = dict_find_string(CryptDict, "UE", &UEref);
|
|
- if (code < 0 || !r_has_type(UEref, t_string)) {
|
|
+ if (code < 0)
|
|
+ return code;
|
|
+ if (code == 0)
|
|
+ return_error(gs_error_undefined);
|
|
+ if (!r_has_type(UEref, t_string))
|
|
return_error(gs_error_typecheck);
|
|
- }
|
|
|
|
pop(2);
|
|
op = osp;
|
|
diff --git a/psi/ztoken.c b/psi/ztoken.c
|
|
index 519cd09..9314d97 100644
|
|
--- a/psi/ztoken.c
|
|
+++ b/psi/ztoken.c
|
|
@@ -356,7 +356,7 @@ ztoken_scanner_options(const ref *upref, int old_options)
|
|
int code = dict_find_string(upref, pnso->pname, &ppcproc);
|
|
|
|
/* Update the options only if the parameter has changed. */
|
|
- if (code >= 0) {
|
|
+ if (code > 0) {
|
|
if (r_has_type(ppcproc, t_null))
|
|
options &= ~pnso->option;
|
|
else
|
|
--
|
|
2.17.2
|
|
|
|
|
|
From 434753adbe8be5534bfb9b7d91746023e8073d16 Mon Sep 17 00:00:00 2001
|
|
From: Ken Sharp <ken.sharp@artifex.com>
|
|
Date: Wed, 14 Nov 2018 09:25:13 +0000
|
|
Subject: [PATCH 2/3] Bug #700169 - unchecked type
|
|
|
|
Bug #700169 "Type confusion in setcolorspace"
|
|
|
|
In seticc() we extract "Name" from a dictionary, if it succeeds we then
|
|
use it as a string, without checking the type to see if it is in fact
|
|
a string.
|
|
|
|
Add a check on the type, and add a couple to check that 'N' is an integer
|
|
in a few places too.
|
|
---
|
|
psi/zicc.c | 6 +++++-
|
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/psi/zicc.c b/psi/zicc.c
|
|
index 53bdf34..dbd2562 100644
|
|
--- a/psi/zicc.c
|
|
+++ b/psi/zicc.c
|
|
@@ -76,7 +76,7 @@ int seticc(i_ctx_t * i_ctx_p, int ncomps, ref *ICCdict, float *range_buff)
|
|
want to have this buffer. */
|
|
/* Check if we have the /Name entry. This is used to associate with
|
|
specs that have enumerated types to indicate sRGB sGray etc */
|
|
- if (dict_find_string(ICCdict, "Name", &pnameval) > 0){
|
|
+ if (dict_find_string(ICCdict, "Name", &pnameval) > 0 && r_has_type(pnameval, t_string)){
|
|
uint size = r_size(pnameval);
|
|
char *str = (char *)gs_alloc_bytes(gs_gstate_memory(igs), size+1, "seticc");
|
|
memcpy(str, (const char *)pnameval->value.bytes, size);
|
|
@@ -263,6 +263,8 @@ zset_outputintent(i_ctx_t * i_ctx_p)
|
|
return code;
|
|
if (code == 0)
|
|
return_error(gs_error_undefined);
|
|
+ if (r_type(pnval) != t_integer)
|
|
+ return gs_note_error(gs_error_typecheck);
|
|
ncomps = pnval->value.intval;
|
|
|
|
/* verify the DataSource entry. Creat profile from stream */
|
|
@@ -495,6 +497,8 @@ znumicc_components(i_ctx_t * i_ctx_p)
|
|
return code;
|
|
if (code == 0)
|
|
return_error(gs_error_undefined);
|
|
+ if (r_type(pnval) != t_integer)
|
|
+ return gs_note_error(gs_error_typecheck);
|
|
ncomps = pnval->value.intval;
|
|
/* verify the DataSource entry. Create profile from stream */
|
|
if (dict_find_string(op, "DataSource", &pstrmval) <= 0)
|
|
--
|
|
2.17.2
|
|
|
|
|
|
From 9a1b3ac61761094713f44dedfce56013308a3b1d Mon Sep 17 00:00:00 2001
|
|
From: Ken Sharp <ken.sharp@artifex.com>
|
|
Date: Wed, 14 Nov 2018 09:31:10 +0000
|
|
Subject: [PATCH 3/3] PS interpreter - add some type checking
|
|
|
|
These were 'probably' safe anyway, since they mostly treat the objects
|
|
as integers without checking, which at least can't result in a crash.
|
|
|
|
Nevertheless, we ought to check.
|
|
|
|
The return from comparedictkeys could be wrong if one of the keys had
|
|
a value which was not an array, it could incorrectly decide the two
|
|
were in fact the same.
|
|
---
|
|
psi/zbfont.c | 15 +++++++++------
|
|
psi/zcolor.c | 24 +++++++++++++++++++++++-
|
|
psi/zcrd.c | 4 +++-
|
|
psi/zfjpx.c | 2 ++
|
|
psi/zfont.c | 3 +++
|
|
psi/zfont0.c | 3 +++
|
|
psi/zimage3.c | 2 ++
|
|
psi/ztrans.c | 4 ++++
|
|
8 files changed, 49 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/psi/zbfont.c b/psi/zbfont.c
|
|
index c1d0461..5b830a2 100644
|
|
--- a/psi/zbfont.c
|
|
+++ b/psi/zbfont.c
|
|
@@ -666,6 +666,9 @@ sub_font_params(gs_memory_t *mem, const ref *op, gs_matrix *pmat, gs_matrix *pom
|
|
return_error(gs_error_invalidfont);
|
|
if (dict_find_string(op, "OrigFont", &porigfont) <= 0)
|
|
porigfont = NULL;
|
|
+ if (porigfont != NULL && !r_has_type(porigfont, t_dictionary))
|
|
+ return_error(gs_error_typecheck);
|
|
+
|
|
if (pomat!= NULL) {
|
|
if (porigfont == NULL ||
|
|
dict_find_string(porigfont, "FontMatrix", &pmatrix) <= 0 ||
|
|
@@ -676,8 +679,8 @@ sub_font_params(gs_memory_t *mem, const ref *op, gs_matrix *pmat, gs_matrix *pom
|
|
/* Use the FontInfo/OrigFontName key preferrentially (created by MS PSCRIPT driver) */
|
|
if ((dict_find_string((porigfont != NULL ? porigfont : op), "FontInfo", &pfontinfo) > 0) &&
|
|
r_has_type(pfontinfo, t_dictionary) &&
|
|
- (dict_find_string(pfontinfo, "OrigFontName", &pfontname) > 0)) {
|
|
- if ((dict_find_string(pfontinfo, "OrigFontStyle", &pfontstyle) > 0) &&
|
|
+ (dict_find_string(pfontinfo, "OrigFontName", &pfontname) > 0) && (r_has_type(pfontname, t_name) || r_has_type(pfontname, t_string))) {
|
|
+ if ((dict_find_string(pfontinfo, "OrigFontStyle", &pfontstyle) > 0) && (r_has_type(pfontname, t_name) || r_has_type(pfontname, t_string)) &&
|
|
r_size(pfontstyle) > 0) {
|
|
const byte *tmpStr1 = pfontname->value.const_bytes;
|
|
const byte *tmpStr2 = pfontstyle->value.const_bytes;
|
|
@@ -775,11 +778,11 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype,
|
|
avm_space useglob = r_is_local(pencoding) ? avm_local : avm_global;
|
|
|
|
ialloc_set_space(idmemory, useglob);
|
|
-
|
|
+
|
|
count = r_size(pencoding);
|
|
if ((code = ialloc_ref_array(&penc, (r_type_attrs(pencoding) & a_readonly), count, "build_gs_font")) < 0)
|
|
return code;
|
|
-
|
|
+
|
|
while (count--) {
|
|
ref r;
|
|
if (array_get(imemory, pencoding, count, &r) < 0){
|
|
@@ -790,7 +793,7 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype,
|
|
ref_assign(&(penc.value.refs[count]), &r);
|
|
}
|
|
else {
|
|
-
|
|
+
|
|
if ((code = obj_cvs(imemory, &r, (byte *)buf, 32, &size, (const byte **)(&bptr))) < 0) {
|
|
return(code);
|
|
}
|
|
@@ -799,7 +802,7 @@ build_gs_font(i_ctx_t *i_ctx_p, os_ptr op, gs_font ** ppfont, font_type ftype,
|
|
ref_assign(&(penc.value.refs[count]), &r);
|
|
}
|
|
}
|
|
-
|
|
+
|
|
if ((code = dict_put_string(osp, "Encoding", &penc, NULL)) < 0)
|
|
return code;
|
|
ialloc_set_space(idmemory, curglob);
|
|
diff --git a/psi/zcolor.c b/psi/zcolor.c
|
|
index fe81e79..b69b8f5 100644
|
|
--- a/psi/zcolor.c
|
|
+++ b/psi/zcolor.c
|
|
@@ -1877,7 +1877,12 @@ static int comparedictkey(i_ctx_t * i_ctx_p, ref *CIEdict1, ref *CIEdict2, char
|
|
if (r_type(tempref1) == t_null)
|
|
return 1;
|
|
|
|
- return comparearrays(i_ctx_p, tempref1, tempref2);
|
|
+ code = comparearrays(i_ctx_p, tempref1, tempref2);
|
|
+
|
|
+ if (code > 0)
|
|
+ return 1;
|
|
+ else
|
|
+ return 0;
|
|
}
|
|
|
|
static int hasharray(i_ctx_t * i_ctx_p, ref *m1, gs_md5_state_t *md5)
|
|
@@ -5473,6 +5478,9 @@ static int seticcspace(i_ctx_t * i_ctx_p, ref *r, int *stage, int *cont, int CIE
|
|
return code;
|
|
if (code == 0)
|
|
return gs_note_error(gs_error_undefined);
|
|
+ if (r_type(tempref) != t_integer)
|
|
+ return gs_note_error(gs_error_typecheck);
|
|
+
|
|
components = tempref->value.intval;
|
|
if (components > count_of(range)/2)
|
|
return_error(gs_error_rangecheck);
|
|
@@ -5584,6 +5592,10 @@ static int iccompareproc(i_ctx_t *i_ctx_p, ref *space, ref *testspace)
|
|
/* Need to check all the various parts */
|
|
code1 = dict_find_string(&ICCdict1, "N", &tempref1);
|
|
code2 = dict_find_string(&ICCdict2, "N", &tempref2);
|
|
+
|
|
+ if (!r_has_type(tempref1, t_integer) || !r_has_type(tempref2, t_integer))
|
|
+ return 0;
|
|
+
|
|
if (code1 != code2)
|
|
return 0;
|
|
if (tempref1->value.intval != tempref2->value.intval)
|
|
@@ -5737,6 +5749,8 @@ static int iccalternatespace(i_ctx_t * i_ctx_p, ref *space, ref **r, int *CIESub
|
|
return code;
|
|
if (code == 0)
|
|
return gs_note_error(gs_error_undefined);
|
|
+ if (!r_has_type(tempref, t_integer))
|
|
+ return_error(gs_error_typecheck);
|
|
|
|
components = tempref->value.intval;
|
|
|
|
@@ -5775,6 +5789,9 @@ static int icccomponents(i_ctx_t * i_ctx_p, ref *space, int *n)
|
|
return code;
|
|
if (code == 0)
|
|
return gs_note_error(gs_error_undefined);
|
|
+ if (!r_has_type(tempref, t_integer))
|
|
+ return gs_note_error(gs_error_typecheck);
|
|
+
|
|
*n = tempref->value.intval;
|
|
return 0;
|
|
}
|
|
@@ -5791,6 +5808,9 @@ static int iccdomain(i_ctx_t * i_ctx_p, ref *space, float *ptr)
|
|
return code;
|
|
if (code == 0)
|
|
return gs_note_error(gs_error_undefined);
|
|
+ if (!r_has_type(tempref, t_integer))
|
|
+ return gs_note_error(gs_error_typecheck);
|
|
+
|
|
components = tempref->value.intval;
|
|
code = dict_find_string(&ICCdict, "Range", &tempref);
|
|
if (code > 0 && !r_has_type(tempref, t_null)) {
|
|
@@ -5824,6 +5844,8 @@ static int iccrange(i_ctx_t * i_ctx_p, ref *space, float *ptr)
|
|
return code;
|
|
if (code == 0)
|
|
return gs_note_error(gs_error_undefined);
|
|
+ if (!r_has_type(tempref, t_integer))
|
|
+ return gs_note_error(gs_error_typecheck);
|
|
components = tempref->value.intval;
|
|
code = dict_find_string(&ICCdict, "Range", &tempref);
|
|
if (code > 0 && !r_has_type(tempref, t_null)) {
|
|
diff --git a/psi/zcrd.c b/psi/zcrd.c
|
|
index 7993b15..d58160d 100644
|
|
--- a/psi/zcrd.c
|
|
+++ b/psi/zcrd.c
|
|
@@ -231,8 +231,10 @@ zcrd1_params(os_ptr op, gs_cie_render * pcrd,
|
|
return code;
|
|
|
|
if (dict_find_string(op, "RenderTable", &pRT) > 0) {
|
|
- const ref *prte = pRT->value.const_refs;
|
|
+ const ref *prte;
|
|
|
|
+ check_read_type(*pRT, t_array);
|
|
+ prte = pRT->value.const_refs;
|
|
/* Finish unpacking and checking the RenderTable parameter. */
|
|
check_type_only(prte[4], t_integer);
|
|
if (!(prte[4].value.intval == 3 || prte[4].value.intval == 4))
|
|
diff --git a/psi/zfjpx.c b/psi/zfjpx.c
|
|
index c622f48..db1fae2 100644
|
|
--- a/psi/zfjpx.c
|
|
+++ b/psi/zfjpx.c
|
|
@@ -115,6 +115,8 @@ z_jpx_decode(i_ctx_t * i_ctx_p)
|
|
dict_find_string(csdict, "N", &nref) > 0) {
|
|
if_debug1m('w', imemory, "[w] JPX image has an external %"PRIpsint
|
|
" channel colorspace\n", nref->value.intval);
|
|
+ if (r_type(nref) != t_integer)
|
|
+ return gs_note_error(gs_error_typecheck);
|
|
switch (nref->value.intval) {
|
|
case 1: state.colorspace = gs_jpx_cs_gray;
|
|
break;
|
|
diff --git a/psi/zfont.c b/psi/zfont.c
|
|
index 9c51792..f6c5ae1 100644
|
|
--- a/psi/zfont.c
|
|
+++ b/psi/zfont.c
|
|
@@ -596,6 +596,9 @@ zfont_info(gs_font *font, const gs_point *pscale, int members,
|
|
info->members |= FONT_INFO_FULL_NAME;
|
|
if ((members & FONT_INFO_EMBEDDING_RIGHTS)
|
|
&& (dict_find_string(pfontinfo, "FSType", &pvalue) > 0)) {
|
|
+ if (r_type(pvalue) != t_integer)
|
|
+ return gs_note_error(gs_error_typecheck);
|
|
+
|
|
info->EmbeddingRights = pvalue->value.intval;
|
|
info->members |= FONT_INFO_EMBEDDING_RIGHTS;
|
|
}
|
|
diff --git a/psi/zfont0.c b/psi/zfont0.c
|
|
index 4b01c20..a179d7b 100644
|
|
--- a/psi/zfont0.c
|
|
+++ b/psi/zfont0.c
|
|
@@ -243,6 +243,9 @@ zbuildfont0(i_ctx_t *i_ctx_p)
|
|
array_get(pfont->memory, &fdepvector, i, &fdep);
|
|
/* The lookup can't fail, because of the pre-check above. */
|
|
dict_find_string(&fdep, "FID", &pfid);
|
|
+ if (!r_has_type(pfid, t_fontID))
|
|
+ return gs_note_error(gs_error_typecheck);
|
|
+
|
|
data.FDepVector[i] = r_ptr(pfid, gs_font);
|
|
}
|
|
pfont->data = data;
|
|
diff --git a/psi/zimage3.c b/psi/zimage3.c
|
|
index 87a3dce..2beda9f 100644
|
|
--- a/psi/zimage3.c
|
|
+++ b/psi/zimage3.c
|
|
@@ -53,6 +53,8 @@ zimage3(i_ctx_t *i_ctx_p)
|
|
dict_find_string(op, "MaskDict", &pMaskDict) <= 0
|
|
)
|
|
return_error(gs_error_rangecheck);
|
|
+ check_type(*pDataDict, t_dictionary);
|
|
+ check_type(*pMaskDict, t_dictionary);
|
|
if ((code = pixel_image_params(i_ctx_p, pDataDict,
|
|
(gs_pixel_image_t *)&image, &ip_data,
|
|
12, false, gs_currentcolorspace(igs))) < 0 ||
|
|
diff --git a/psi/ztrans.c b/psi/ztrans.c
|
|
index 64defda..0550a10 100644
|
|
--- a/psi/ztrans.c
|
|
+++ b/psi/ztrans.c
|
|
@@ -417,6 +417,7 @@ zimage3x(i_ctx_t *i_ctx_p)
|
|
gs_image3x_t_init(&image, NULL);
|
|
if (dict_find_string(op, "DataDict", &pDataDict) <= 0)
|
|
return_error(gs_error_rangecheck);
|
|
+ check_type(*pDataDict, t_dictionary);
|
|
if ((code = pixel_image_params(i_ctx_p, pDataDict,
|
|
(gs_pixel_image_t *)&image, &ip_data,
|
|
16, false, gs_currentcolorspace(igs))) < 0 ||
|
|
@@ -453,6 +454,9 @@ image_params *pip_data, const char *dict_name,
|
|
|
|
if (dict_find_string(op, dict_name, &pMaskDict) <= 0)
|
|
return 1;
|
|
+ if (!r_has_type(pMaskDict, t_dictionary))
|
|
+ return gs_note_error(gs_error_typecheck);
|
|
+
|
|
if ((mcode = code = data_image_params(mem, pMaskDict, &pixm->MaskDict,
|
|
&ip_mask, false, 1, 16, false, false)) < 0 ||
|
|
(code = dict_int_param(pMaskDict, "ImageType", 1, 1, 0, &ignored)) < 0 ||
|
|
--
|
|
2.17.2
|
|
|