raster-interpret.c: Verify base for `strtol()`

Input for `atoi()` can be bad number for argument `base` in `strtol()`,
causing returning an incorrect pointer address and later segfault.

Break out from function if the base is incorrect.

Fixes #1188

diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
index 852a4db004bf1aec7b36cf273931c2e35e6c60a4..7cc7b9b73c6b5ba11a0af5d365f0126caf9011a6 100644 (file)
--- a/cups/raster-interpret.c
+++ b/cups/raster-interpret.c
@@ -1041,7 +1041,8 @@ scan_ps(_cups_ps_stack_t *st,             /* I  - Stack */
                        *cur,           /* Current position */
                        *valptr,        /* Pointer into value string */
                        *valend;        /* End of value string */
-  int                  parens;         /* Parenthesis nesting level */
+  int                  parens,         /* Parenthesis nesting level */
+                       base;           /* Numeric base for strtol() */
 
 
   if (!*ptr)
@@ -1302,7 +1303,16 @@ scan_ps(_cups_ps_stack_t *st,            /* I  - Stack */
          * Integer with radix...
          */
 
-          obj.value.number = strtol(cur + 1, &cur, atoi(start));
+         base = atoi(start);
+
+        /*
+         * Postscript language reference manual dictates numbers from 2 to 36 as base...
+         */
+
+         if (base < 2 || base > 36)
+           return (NULL);
+
+         obj.value.number = strtol(cur + 1, &cur, base);
          break;
        }
        else if (strchr(".Ee()<>[]{}/%", *cur) || isspace(*cur & 255))