43 lines
1.4 KiB
Diff
43 lines
1.4 KiB
Diff
Fix CVE-2016-7506:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7506
|
|
http://bugs.ghostscript.com/show_bug.cgi?id=697141
|
|
|
|
Patch copied from upstream source repository:
|
|
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5000749f5afe3b956fc916e407309de840997f4a
|
|
|
|
From 5000749f5afe3b956fc916e407309de840997f4a Mon Sep 17 00:00:00 2001
|
|
From: Tor Andersson <tor.andersson@artifex.com>
|
|
Date: Wed, 21 Sep 2016 16:02:11 +0200
|
|
Subject: [PATCH] Fix bug 697141: buffer overrun in regexp string substitution.
|
|
|
|
A '$' escape at the end of the string would read past the zero terminator
|
|
when looking for the escaped character.
|
|
---
|
|
jsstring.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/jsstring.c b/jsstring.c
|
|
index 66f6a89..0209a8e 100644
|
|
--- a/thirdparty/mujs/jsstring.c
|
|
+++ b/thirdparty/mujs/jsstring.c
|
|
@@ -421,6 +421,7 @@ loop:
|
|
while (*r) {
|
|
if (*r == '$') {
|
|
switch (*(++r)) {
|
|
+ case 0: --r; /* end of string; back up and fall through */
|
|
case '$': js_putc(J, &sb, '$'); break;
|
|
case '`': js_putm(J, &sb, source, s); break;
|
|
case '\'': js_puts(J, &sb, s + n); break;
|
|
@@ -516,6 +517,7 @@ static void Sp_replace_string(js_State *J)
|
|
while (*r) {
|
|
if (*r == '$') {
|
|
switch (*(++r)) {
|
|
+ case 0: --r; /* end of string; back up and fall through */
|
|
case '$': js_putc(J, &sb, '$'); break;
|
|
case '&': js_putm(J, &sb, s, s + n); break;
|
|
case '`': js_putm(J, &sb, source, s); break;
|
|
--
|
|
2.10.2
|
|
|