Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript 9.52

Fix the 'rsearch' calculation for the 'post' size to give the correct size. Previous calculation would result in a size that was too large, and could underflow to max uint32_t. Also fix 'rsearch' to return the correct 'pre' string with empty string match. A future change may 'undefine' this undocumented, non-standard operator during initialization as we do with the many other non-standard internal PostScript operators and procedures.
ArtifexSoftware · Jul 24, 2020 · 5d49927 · 5d49927
1 parent f77f997
commit 5d49927
Showing 1 changed file with 11 additions and 6 deletions.
diff --git a/psi/zstring.c b/psi/zstring.c
@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
     return 0;
 found:
     op->tas.type_attrs = op1->tas.type_attrs;
-    op->value.bytes = ptr;
-    r_set_size(op, size);
+    op->value.bytes = ptr;				/* match */
+    op->tas.rsize = size;				/* match */
     push(2);
-    op[-1] = *op1;
-    r_set_size(op - 1, ptr - op[-1].value.bytes);
-    op1->value.bytes = ptr + size;
-    r_set_size(op1, count + (!forward ? (size - 1) : 0));
+    op[-1] = *op1;					/* pre */
+    op[-3].value.bytes = ptr + size;			/* post */
+    if (forward) {
+        op[-1].tas.rsize = ptr - op[-1].value.bytes;	/* pre */
+        op[-3].tas.rsize = count;			/* post */
+    } else {
+        op[-1].tas.rsize = count;			/* pre */
+        op[-3].tas.rsize -= count + size;		/* post */
+    }
     make_true(op);
     return 0;
 }