From 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 Mon Sep 17 00:00:00 2001

From: Chris Liddell <chris.liddell@artifex.com>

Date: Thu, 27 Apr 2017 13:03:33 +0100

Subject: [PATCH 1/2] Bug 697799: have .eqproc check its parameters

The Ghostscript custom operator .eqproc was not check the number or type of

the parameters it was given.

---

 psi/zmisc3.c | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/psi/zmisc3.c b/psi/zmisc3.c

index 54b3042..37293ff 100644

--- a/psi/zmisc3.c

+++ b/psi/zmisc3.c

@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)

     ref2_t stack[MAX_DEPTH + 1];

     ref2_t *top = stack;

+    if (ref_stack_count(&o_stack) < 2)

+        return_error(gs_error_stackunderflow);

+    if (!r_is_array(op - 1) || !r_is_array(op)) {

+        return_error(gs_error_typecheck);

+    }

+

     make_array(&stack[0].proc1, 0, 1, op - 1);

     make_array(&stack[0].proc2, 0, 1, op);

     for (;;) {

-- 

2.9.3

From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001

From: Chris Liddell <chris.liddell@artifex.com>

Date: Thu, 27 Apr 2017 13:21:31 +0100

Subject: [PATCH 2/2] Bug 697799: have .rsdparams check its parameters

The Ghostscript internal operator .rsdparams wasn't checking the number or

type of the operands it was being passed. Do so.

---

 psi/zfrsd.c | 22 +++++++++++++++-------

 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/psi/zfrsd.c b/psi/zfrsd.c

index 191107d..950588d 100644

--- a/psi/zfrsd.c

+++ b/psi/zfrsd.c

@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)

     ref *pFilter;

     ref *pDecodeParms;

     int Intent = 0;

-    bool AsyncRead;

+    bool AsyncRead = false;

     ref empty_array, filter1_array, parms1_array;

     uint i;

-    int code;

+    int code = 0;

+

+    if (ref_stack_count(&o_stack) < 1)

+        return_error(gs_error_stackunderflow);

+    if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {

+        return_error(gs_error_typecheck);

+    }

     make_empty_array(&empty_array, a_readonly);

-    if (dict_find_string(op, "Filter", &pFilter) > 0) {

+    if (r_has_type(op, t_dictionary)

+        && dict_find_string(op, "Filter", &pFilter) > 0) {

         if (!r_is_array(pFilter)) {

             if (!r_has_type(pFilter, t_name))

                 return_error(gs_error_typecheck);

@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)

                 return_error(gs_error_typecheck);

         }

     }

-    code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);

+    if (r_has_type(op, t_dictionary))

+        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);

     if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */

         return code;

-    if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0

-        )

-        return code;

+    if (r_has_type(op, t_dictionary))

+        if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)

+            return code;

     push(1);

     op[-1] = *pFilter;

     if (pDecodeParms)

-- 

2.9.3