Bug 688215 - gs_type2_interpret() can overwrite pointers
Status: RESOLVED INVALID
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: PS Interpreter
Version: master
Hardware: PC All
Importance: P3 normal
Assignee: Alex Cherepanov
Reported: 2005-07-17 17:21 UTC by Alex Cherepanov
Modified: 2011-07-29 14:35 UTC

Description Alex Cherepanov 2005-07-17 17:21:10 UTC
gs_type2_interpret() doesn't check the validity of the input stream.
The ce2_hflex operator writes below the bottom of the stack when there are
too few operands. This can be exploited to gain control of or crash GS.
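
The operand-count check the description says is missing, as an added example (not Ghostscript's code and not written by the reporter): a depth-only walk over a Type 2 charstring that rejects a flex-family operator when the stack holds fewer operands than it consumes. The function name `t2_check_flex`, the error codes, and the restriction to numbers, the four flex operators and endchar are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical result codes for this example. */
enum { T2_OK = 0, T2_UNDERFLOW = -1, T2_OVERFLOW = -2,
       T2_TRUNCATED = -3, T2_UNSUPPORTED = -4 };
#define T2_STACK_MAX 48 /* argument stack limit of the Type 2 format */

/* Operands consumed by the escaped (12 n) flex operators. */
static int flex_operands(uint8_t op2) {
    switch (op2) {
    case 34: return 7;   /* hflex  */
    case 35: return 13;  /* flex   */
    case 36: return 9;   /* hflex1 */
    case 37: return 11;  /* flex1  */
    default: return -1;
    }
}

/* Track only the operand stack depth; no operand is read or written. */
int t2_check_flex(const uint8_t *cs, size_t len) {
    size_t i = 0;
    int depth = 0;
    while (i < len) {
        uint8_t b = cs[i];
        size_t n = 0;                  /* encoded size of a number, 0 = operator */
        if (b >= 32 && b <= 246) n = 1;
        else if (b >= 247 && b <= 254) n = 2;
        else if (b == 28) n = 3;       /* 16-bit integer */
        else if (b == 255) n = 5;      /* 16.16 fixed */
        if (n) {
            if (len - i < n) return T2_TRUNCATED;
            if (depth == T2_STACK_MAX) return T2_OVERFLOW;
            depth++;
            i += n;
            continue;
        }
        if (b == 14) return T2_OK;     /* endchar */
        if (b != 12) return T2_UNSUPPORTED;
        if (len - i < 2) return T2_TRUNCATED;
        int need = flex_operands(cs[i + 1]);
        if (need < 0) return T2_UNSUPPORTED;
        if (depth < need) return T2_UNDERFLOW; /* reject before any stack access */
        depth = 0;                     /* flex operators clear the stack */
        i += 2;
    }
    return T2_OK;
}
```
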
Comment 1 Alex Cherepanov 2011-07-29 14:35:27 UTC
Some of the decisions in gs_type2_interpret() looked suspicious to me, but
I never had a sample file to demonstrate the problem. With the switch to the
FreeType renderer this issue is no longer important.