From c7d14ca6453d4dd2e8b3f433fbea17232231f4fd Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen
Date: Sun, 19 Aug 2018 13:21:04 +0800
Subject: Bug 699652: Fix postscript value stack underflow for index operator.

Thanks to oss-fuzz for reporting.
---
 source/pdf/pdf-function.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source/pdf/pdf-function.c b/source/pdf/pdf-function.c
index 84560596..443878da 100644
--- a/source/pdf/pdf-function.c
+++ b/source/pdf/pdf-function.c
@@ -186,7 +186,7 @@ static inline int ps_overflow(ps_stack *st, int n)
 
 static inline int ps_underflow(ps_stack *st, int n)
 {
- return n < 0 || st->sp - n < 0;
+ return n < 0 || n > st->sp;
 }
 
 static inline int ps_is_type(ps_stack *st, int t)
@@ -316,7 +316,7 @@ ps_roll(ps_stack *st, int n, int j)
 static void
 ps_index(ps_stack *st, int n)
 {
- if (!ps_overflow(st, 1) && !ps_underflow(st, n))
+ if (!ps_overflow(st, 1) && !ps_underflow(st, n + 1))
 {
 st->stack[st->sp] = st->stack[st->sp - n - 1];
 st->sp++;
-- 
cgit v1.2.3
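Review bot: ps_underflow carries no comment stating its contract, and the ps_index change in this same patch depends on it: the argument is a count of values that must be present, not an index into the stack. A one-line comment above the function would make that explicit, for example `/* Nonzero if n is negative or fewer than n values are on the stack. */`. For non-negative n the rewritten comparison gives the same result as the old subtraction, so the hunk itself reads as a clarity change.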
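Review bot: An operand of -1 now passes the guard in ps_index, because `n + 1` evaluates to 0 and ps_underflow only rejects negative arguments, whereas the old call `ps_underflow(st, n)` refused it. The copy then reads `st->stack[st->sp]`, the slot just above the top of the stack, and pushes whatever stale value is there. `n + 1` is also signed overflow when n is INT_MAX, which is undefined behaviour for a value that presumably comes from the PostScript function being evaluated. Testing n directly avoids both: `if (n >= 0 && n < st->sp && !ps_overflow(st, 1))`. Whether a caller can actually pass a negative n is not visible here, and the body of ps_index continues past the end of the hunk.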