diff options
author | Chris Liddell <chris.liddell@artifex.com> | 2021-02-12 10:34:23 +0000 |
---|---|---|
committer | Chris Liddell <chris.liddell@artifex.com> | 2021-02-12 10:44:12 +0000 |
commit | 7861fcad13c497728189feafb41cd57b5b50ea25 (patch) | |
tree | 5d2c3123698fe6693f3a68b4f6570bfd8c865ec1 | |
parent | ea1624205c8e1ca936bd38a6095a0dd1880e7287 (diff) |
oss-fuzz 30715: Check stack limits after function evaluation.
During function result sampling, after the callout to the Postscript
interpreter, make sure there is enough stack space available before pushing
or popping entries.
In thise case, the Postscript procedure for the "function" is totally invalid
(as a function), and leaves the op stack in an unrecoverable state (as far as
function evaluation is concerned). We end up popping more entries off the
stack than are available.
To cope, add in stack limit checking to throw an appropriate error when this
happens.
-rw-r--r-- | psi/zfsample.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/psi/zfsample.c b/psi/zfsample.c index 290809405..652ae02c6 100644 --- a/psi/zfsample.c +++ b/psi/zfsample.c | |||
@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p) | |||
551 | } else { | 551 | } else { |
552 | if (stack_depth_adjust) { | 552 | if (stack_depth_adjust) { |
553 | stack_depth_adjust -= num_out; | 553 | stack_depth_adjust -= num_out; |
554 | push(O_STACK_PAD - stack_depth_adjust); | 554 | if ((O_STACK_PAD - stack_depth_adjust) < 0) { |
555 | for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) | 555 | stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); |
556 | make_null(op - i); | 556 | check_op(stack_depth_adjust); |
557 | pop(stack_depth_adjust); | ||
558 | } | ||
559 | else { | ||
560 | check_ostack(O_STACK_PAD - stack_depth_adjust); | ||
561 | push(O_STACK_PAD - stack_depth_adjust); | ||
562 | for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) | ||
563 | make_null(op - i); | ||
564 | } | ||
557 | } | 565 | } |
558 | } | 566 | } |
559 | 567 | ||