Commit db5a4a9ae7b0048f033361744421da8569642f73

Werner Lemberg 2015-09-12T08:32:55

[psaux] Fix potential buffer overflow (#45922). * src/psaux/psobjs.c (ps_parser_skip_PS_token): If a token is enclosed in balanced expressions, ensure that the cursor position doesn't get larger than the current limit.

diff --git a/ChangeLog b/ChangeLog
index 1241306..c185380 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 2015-09-11  Werner Lemberg  <wl@gnu.org>
 
+	[psaux] Fix potential buffer overflow (#45922).
+
+	* src/psaux/psobjs.c (ps_parser_skip_PS_token): If a token is
+	enclosed in balanced expressions, ensure that the cursor position
+	doesn't get larger than the current limit.
+
+2015-09-11  Werner Lemberg  <wl@gnu.org>
+
 	[base] Avoid crash while tracing `load_mac_face'.
 
 	Reported in Savannah bug #45919.
diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
index c7cbc67..54eabe2 100644
--- a/src/psaux/psobjs.c
+++ b/src/psaux/psobjs.c
@@ -594,6 +594,9 @@
       error = FT_THROW( Invalid_File_Format );
     }
 
+    if ( cur > limit )
+      cur = limit;
+
     parser->error  = error;
     parser->cursor = cur;
   }