From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Fri, 7 Mar 2025 09:32:26 +0000 (+0100)
Subject: raster-interpret.c: Verify base for `strtol()`
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7487b879ee5440e2b8313ae17d8f400d3488222e;p=thirdparty%2Fcups.git

raster-interpret.c: Verify base for `strtol()`

Input for `atoi()` can be bad number for argument `base` in `strtol()`,
causing returning an incorrect pointer address and later segfault.

Break out from function if the base is incorrect.

Fixes #1188
---

diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
index 852a4db004..7cc7b9b73c 100644
--- a/cups/raster-interpret.c
+++ b/cups/raster-interpret.c
@@ -1041,7 +1041,8 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
 			*cur,		/* Current position */
 			*valptr,	/* Pointer into value string */
 			*valend;	/* End of value string */
-  int			parens;		/* Parenthesis nesting level */
+  int			parens,		/* Parenthesis nesting level */
+			base;		/* Numeric base for strtol() */
 
 
   if (!*ptr)
@@ -1302,7 +1303,16 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
 	  * Integer with radix...
 	  */
 
-          obj.value.number = strtol(cur + 1, &cur, atoi(start));
+	  base = atoi(start);
+
+	 /*
+	  * Postscript language reference manual dictates numbers from 2 to 36 as base...
+	  */
+
+	  if (base < 2 || base > 36)
+	    return (NULL);
+
+	  obj.value.number = strtol(cur + 1, &cur, base);
 	  break;
 	}
 	else if (strchr(".Ee()<>[]{}/%", *cur) || isspace(*cur & 255))