Sophie

ghostscript-9.24-1.5.mga6.src.rpm

From b509290189f1f37a76339f7b6921d42f126bfd57 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Mon, 3 Sep 2018 14:17:05 +0100
Subject: [PATCH] Bug 699699 "Crash upon bogus input argument."

The code in arg_next starts by setting *argstr to NULL, the following
do..while loop assumes that *argstr will be filled in, and checks its
first byte. However, if we run out of characters in the argument string
then *argstr remains NULL, and causes a crash.

This can happen if we pass an empty quoted argument "".

In addition, the processing of -o and possibly other switches assumes
that arg_next will return an error if it doesn't find an argument
whereas now it can return a NULL. I believe it's possible that it always
could do so.

So check the 'arg' returned from arg_next to make sure it's not NULL
before we try to use it.

We should check other places where arg_next is called as well.
---
 base/gsargs.c  | 2 +-
 psi/imainarg.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/base/gsargs.c b/base/gsargs.c
index b81488a..4edc77c 100644
--- a/base/gsargs.c
+++ b/base/gsargs.c
@@ -347,7 +347,7 @@ arg_next(arg_list * pal, const char **argstr, const gs_memory_t *errmem)
             pas->u.file = f;
             continue; /* Loop back to parse the first arg from the file. */
         }
-    } while (**argstr == 0); /* Until we get a non-empty arg */
+    } while (pal->depth >= 0 && *argstr != NULL && **argstr == 0); /* Until we get a non-empty arg */
 
     return 1;
 }
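Review bot: with the new loop condition, arg_next can now exit the do..while with `*argstr == NULL` (no characters left, or `pal->depth` dropped below zero) and still fall through to `return 1;`, so the return value no longer tells a caller whether an argument was actually produced. That is exactly the assumption the commit message says the -o handling relies on. Consider returning 0 (or a negative error) after the loop when `*argstr == NULL`, so every existing call site that only tests the return code is protected without each one needing its own NULL guard.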
diff --git a/psi/imainarg.c b/psi/imainarg.c
index 869a7aa..76ede0c 100644
--- a/psi/imainarg.c
+++ b/psi/imainarg.c
@@ -693,6 +693,8 @@ run_stdin:
                         return code;
                 } else
                     adef = arg;
+                if (adef == NULL)
+                    return_error(gs_error_invalidfileaccess);
                 if ((code = gs_main_init1(minst)) < 0)
                     return code;
                 ialloc_set_space(idmemory, avm_system);
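Review bot: the guard `if (adef == NULL) return_error(gs_error_invalidfileaccess);` fixes this one switch, but the commit message itself says other arg_next callers make the same assumption, so this is a per-call-site patch of a contract change that would be safer to enforce inside arg_next. On the error code: gs_error_invalidfileaccess reads to a user as a file-permission problem, whereas the actual condition is a missing or empty argument after -o; a range-check style error (gs_error_rangecheck), ideally with a short message naming the switch, would make the failure clearer in the output.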
-- 
2.9.1