From b509290189f1f37a76339f7b6921d42f126bfd57 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Mon, 3 Sep 2018 14:17:05 +0100
Subject: [PATCH] Bug 699699 "Crash upon bogus input argument."

The code in arg_next starts by setting *argstr to NULL, the following do..while loop assumes that *argstr will be filled in, and checks its first byte. However, if we run out of characters in the argument string then *argstr remains NULL, and causes a crash. This can happen if we pass an empty quoted argument ""

In addition, the processing of -o and possibly other switches assumes that arg_next will return an error if it doesn't find an argument whereas now it can return a NULL. I believe its possible that it always could do so. So check the 'arg' returned from arg_next to make sure its not NULL before we try to use it.

We should check other places where arg_next is called as well.
---
 base/gsargs.c | 2 +-
 psi/imainarg.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/base/gsargs.c b/base/gsargs.c
index b81488a..4edc77c 100644
--- a/base/gsargs.c
+++ b/base/gsargs.c
@@ -347,7 +347,7 @@ arg_next(arg_list * pal, const char **argstr, const gs_memory_t *errmem)
             pas->u.file = f;
             continue; /* Loop back to parse the first arg from the file. */
         }
-    } while (**argstr == 0); /* Until we get a non-empty arg */
+    } while (pal->depth >= 0 && *argstr != NULL && **argstr == 0); /* Until we get a non-empty arg */
     return 1;
 }
 
diff --git a/psi/imainarg.c b/psi/imainarg.c
index 869a7aa..76ede0c 100644
--- a/psi/imainarg.c
+++ b/psi/imainarg.c
@@ -693,6 +693,8 @@ run_stdin:
                     return code;
                 } else
                     adef = arg;
+                if (adef == NULL)
+                    return_error(gs_error_invalidfileaccess);
                 if ((code = gs_main_init1(minst)) < 0)
                     return code;
                 ialloc_set_space(idmemory, avm_system);
-- 
2.9.1
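Review bot: The new loop condition lets arg_next return 1 with `*argstr == NULL` (and likewise when `pal->depth` has dropped below zero), so the success return no longer guarantees a usable argument and every caller inherits a NULL check — the commit patches only the -o path in imainarg.c and its own message says other callers remain unchecked. If arg_next already has a distinct return value for end-of-arguments (the rest of the function, including its earlier returns, is outside the hunk), returning that value after the loop when `*argstr == NULL` would keep existing callers' error paths working instead of relying on each one to test for NULL. At minimum the header comment of arg_next should state the changed contract, e.g. `/* May return 1 with *argstr == NULL when the argument list is exhausted; callers must check before dereferencing. */`.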
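Review bot: The NULL guard reports a missing -o argument as `gs_error_invalidfileaccess`, which describes a file-permission failure rather than a malformed command line, so the user gets a misleading diagnostic; the branch one line above already propagates whatever arg_next reported, and reusing the error code this file uses for bad switches would be clearer (that code is not visible in the hunk). The check is also silent, with no message naming the switch, whereas the surrounding option handling presumably prints something for bad usage — worth confirming against the rest of the function, which starts outside the hunk. A one-line comment such as `/* arg_next() can succeed with a NULL arg (e.g. an empty "" argument) */` would explain why the guard sits after the else branch rather than inside the error path.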