From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Mon, 10 Mar 2025 08:52:55 +0000 (+0100)
Subject: raster-interpret.c: Verify base for `strtol()`
X-Git-Tag: v2.4.12~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=71a88c80f2130aa148eb90d204dc5fc900ceb988;p=thirdparty%2Fcups.git

raster-interpret.c: Verify base for `strtol()`

Input for atoi() can be bad number for argument base in strtol(), causing returning an incorrect pointer address and later segfault.

Break out from function if the base is incorrect.

Fixes #1188
---

diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
index 1b67e01a65..ad4b187f1a 100644
--- a/cups/raster-interpret.c
+++ b/cups/raster-interpret.c
@@ -1046,7 +1046,8 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
 			*cur,		/* Current position */
 			*valptr,	/* Pointer into value string */
 			*valend;	/* End of value string */
-  int			parens;		/* Parenthesis nesting level */
+  int			parens,		/* Parenthesis nesting level */
+			base;		/* Numeric base for strtol() */
 
 
   if (!*ptr)
@@ -1307,7 +1308,16 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
 	  * Integer with radix...
 	  */
 
-          obj.value.number = strtol(cur + 1, &cur, atoi(start));
+	  base = atoi(start);
+
+	 /*
+	  * Postscript language reference manual dictates numbers from 2 to 36 as base...
+	  */
+
+	  if (base < 2 || base > 36)
+	    return (NULL);
+
+	  obj.value.number = strtol(cur + 1, &cur, base);
 	  break;
 	}
 	else if (strchr(".Ee()<>[]{}/%", *cur) || isspace(*cur & 255))