raster-interpret.c: Fix CVE-2023-4504

We didn't check for end of buffer if it looks there is an escaped
character - check for NULL terminator there and if found, return NULL
as return value and in `ptr`, because a lone backslash is not
a valid PostScript character.

diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
index 6fcf731b573b324a30ae24d7d7acec77f9874eaa..011c8038c568e39e554047ce015500056b44d2b6 100644 (file)
--- a/cups/raster-interpret.c
+++ b/cups/raster-interpret.c
@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st,            /* I  - Stack */
 
            cur ++;
 
-            if (*cur == 'b')
+          /*
+           * Return NULL if we reached NULL terminator, a lone backslash
+            * is not a valid character in PostScript.
+           */
+
+           if (!*cur)
+           {
+             *ptr = NULL;
+
+             return (NULL);
+           }
+
+           if (*cur == 'b')
              *valptr++ = '\b';
            else if (*cur == 'f')
              *valptr++ = '\f';