35 lines
1.0 KiB
Diff
35 lines
1.0 KiB
Diff
Fix CVE-2016-7564:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7564
|
|
http://bugs.ghostscript.com/show_bug.cgi?id=697137
|
|
|
|
Patch copied from upstream source repository:
|
|
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a3a4fe840b80706c706e86160352af5936f292d8
|
|
|
|
From a3a4fe840b80706c706e86160352af5936f292d8 Mon Sep 17 00:00:00 2001
|
|
From: Tor Andersson <tor.andersson@artifex.com>
|
|
Date: Tue, 20 Sep 2016 17:19:06 +0200
|
|
Subject: [PATCH] Fix bug 697137: off by one in string length calculation.
|
|
|
|
We were not allocating space for the terminating zero byte.
|
|
---
|
|
jsfunction.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/jsfunction.c b/jsfunction.c
|
|
index 8b5b18e..28f7aa7 100644
|
|
--- a/thirdparty/mujs/jsfunction.c
|
|
+++ b/thirdparty/mujs/jsfunction.c
|
|
@@ -61,7 +61,7 @@ static void Fp_toString(js_State *J)
|
|
n += strlen(F->name);
|
|
for (i = 0; i < F->numparams; ++i)
|
|
n += strlen(F->vartab[i]) + 1;
|
|
- s = js_malloc(J, n);
|
|
+ s = js_malloc(J, n + 1);
|
|
strcpy(s, "function ");
|
|
strcat(s, F->name);
|
|
strcat(s, "(");
|
|
--
|
|
2.10.2
|
|
|