From 71a88c80f2130aa148eb90d204dc5fc900ceb988 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Mon, 10 Mar 2025 09:52:55 +0100
Subject: [PATCH] raster-interpret.c: Verify base for `strtol()`

Input for atoi() can be bad number for argument base in strtol(), causing returning an incorrect pointer address and later segfault.

Break out from function if the base is incorrect.

Fixes #1188
---
 cups/raster-interpret.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
index 1b67e01a65..ad4b187f1a 100644
--- a/cups/raster-interpret.c
+++ b/cups/raster-interpret.c
@@ -1046,7 +1046,8 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
 			*cur,		/* Current position */
 			*valptr,	/* Pointer into value string */
 			*valend;	/* End of value string */
-  int			parens;		/* Parenthesis nesting level */
+  int			parens,		/* Parenthesis nesting level */
+			base;		/* Numeric base for strtol() */
 
 
   if (!*ptr)
@@ -1307,7 +1308,16 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
 	  * Integer with radix...
 	  */
 
-          obj.value.number = strtol(cur + 1, &cur, atoi(start));
+	  base = atoi(start);
+
+	 /*
+	  * Postscript language reference manual dictates numbers from 2 to 36 as base...
+	  */
+
+	  if (base < 2 || base > 36)
+	    return (NULL);
+
+	  obj.value.number = strtol(cur + 1, &cur, base);
 	  break;
 	}
 	else if (strchr(".Ee()<>[]{}/%", *cur) || isspace(*cur & 255))
-- 
2.47.3