current/SOURCES/ghostscript-9.20-cve-2017-9739.patch

From c501a58f8d5650c8ba21d447c0d6f07eafcb0f15 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Fri, 16 Jun 2017 08:29:25 +0100
Subject: [PATCH] Bug 698063: Bounds check Ins_JMPR

---
 base/ttinterp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/base/ttinterp.c b/base/ttinterp.c
index af457e8..adf3f0c 100644
--- a/base/ttinterp.c
+++ b/base/ttinterp.c
@@ -1794,6 +1794,12 @@ static int nInstrCount=0;
 
   static void  Ins_JMPR( INS_ARG )
   {
+    if ( BOUNDS(CUR.IP + args[0], CUR.codeSize ) )
+    {
+      CUR.error = TT_Err_Invalid_Reference;
+      return;
+    }
+
     CUR.IP      += (Int)(args[0]);
     CUR.step_ins = FALSE;
 
-- 
2.9.1

1	From c501a58f8d5650c8ba21d447c0d6f07eafcb0f15 Mon Sep 17 00:00:00 2001
2	From: Chris Liddell <chris.liddell@artifex.com>
3	Date: Fri, 16 Jun 2017 08:29:25 +0100
4	Subject: [PATCH] Bug 698063: Bounds check Ins_JMPR
5
6	---
7	base/ttinterp.c \| 6 ++++++
8	1 file changed, 6 insertions(+)
9
10	diff --git a/base/ttinterp.c b/base/ttinterp.c
11	index af457e8..adf3f0c 100644
12	--- a/base/ttinterp.c
13	+++ b/base/ttinterp.c
14	@@ -1794,6 +1794,12 @@ static int nInstrCount=0;
15
16	static void Ins_JMPR( INS_ARG )
17	{
18	+ if ( BOUNDS(CUR.IP + args[0], CUR.codeSize ) )
19	+ {
20	+ CUR.error = TT_Err_Invalid_Reference;
21	+ return;
22	+ }
23	+
24	CUR.IP += (Int)(args[0]);
25	CUR.step_ins = FALSE;
26
27	--
28	2.9.1
29