Bug 688215

Summary: gs_type2_interpret() can overwrite pointers
Product: Ghostscript
Reporter: Alex Cherepanov <alex>
Component: PS Interpreter
Assignee: Alex Cherepanov <alex>
Status: RESOLVED INVALID
Severity: normal
Priority: P3
Version: master
Hardware: PC
OS: All
Customer:
Word Size: ---

Description Alex Cherepanov 2005-07-17 17:21:10 UTC
gs_type2_interpret() doesn't check the validity of the input stream.
The ce2_hflex operator writes below the bottom of the stack when there are
too few operands. This can be exploited to gain control or crash GS.
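
The operand-count check that the description says is missing, as an added sketch (not Ghostscript's code and not part of the original report). The names t2_stack, t2_push, t2_take_flex_args and demo_hflex are hypothetical; the operand counts and the 48-entry stack limit are those of the Type 2 charstring format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define T2_STACK_MAX 48            /* operand stack limit in the Type 2 charstring format */
enum { T2_UNDERFLOW = -1, T2_OVERFLOW = -2, T2_BAD_OP = -3 };
typedef struct { int32_t v[T2_STACK_MAX]; size_t depth; } t2_stack;  /* hypothetical type */

/* Operand counts of the two-byte (12 xx) flex operators. */
static int flex_arity(uint8_t esc) {
    switch (esc) {
    case 34: return 7;             /* hflex  */
    case 35: return 13;            /* flex   */
    case 36: return 9;             /* hflex1 */
    case 37: return 11;            /* flex1  */
    default: return T2_BAD_OP;
    }
}

int t2_push(t2_stack *s, int32_t n) {
    if (s->depth >= T2_STACK_MAX) return T2_OVERFLOW;
    s->v[s->depth++] = n;
    return 0;
}

/* Copy the operator's operands to out[] only when the stack holds enough;
   otherwise fail without touching memory below v[0]. */
int t2_take_flex_args(t2_stack *s, uint8_t esc, int32_t *out) {
    int n = flex_arity(esc);
    if (n < 0) return n;
    if (s->depth < (size_t)n) return T2_UNDERFLOW;
    for (size_t i = 0; i < (size_t)n; i++)
        out[i] = s->v[s->depth - (size_t)n + i];
    s->depth = 0;                  /* flex operators clear the stack */
    return n;
}

/* Constructed input: push `count` operands 1..count, then run hflex. */
int demo_hflex(int count) {
    t2_stack s = { {0}, 0 };
    int32_t args[13];
    for (int i = 1; i <= count; i++)
        if (t2_push(&s, i) != 0) return T2_OVERFLOW;
    return t2_take_flex_args(&s, 34, args);
}

int main(void) {
    printf("hflex with 3 operands: %d\n", demo_hflex(3));
    printf("hflex with 7 operands: %d\n", demo_hflex(7));
    return 0;
}
```
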
Comment 1 Alex Cherepanov 2011-07-29 14:35:27 UTC
Some of the decisions in gs_type2_interpret() looked suspicious to me, but
I never had a sample file to demonstrate the problem. With the switch to
the FreeType renderer, this issue is no longer important.