raster-interpret.c: Verify base for strtol()

Input for atoi() can be bad number for argument base in strtol(), causing returning an incorrect pointer address and later segfault. Break out from function if the base is incorrect. Fixes #1188
OpenPrinting · Mar 10, 2025 · d11164c · d11164c
2 parents 745f21c + 7487b87
commit d11164c
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
@@ -1041,7 +1041,8 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
 			*cur,		/* Current position */
 			*valptr,	/* Pointer into value string */
 			*valend;	/* End of value string */
-  int			parens;		/* Parenthesis nesting level */
+  int			parens,		/* Parenthesis nesting level */
+			base;		/* Numeric base for strtol() */
 
 
   if (!*ptr)
@@ -1302,7 +1303,16 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
 	  * Integer with radix...
 	  */
 
-          obj.value.number = strtol(cur + 1, &cur, atoi(start));
+	  base = atoi(start);
+
+	 /*
+	  * Postscript language reference manual dictates numbers from 2 to 36 as base...
+	  */
+
+	  if (base < 2 || base > 36)
+	    return (NULL);
+
+	  obj.value.number = strtol(cur + 1, &cur, base);
 	  break;
 	}
 	else if (strchr(".Ee()<>[]{}/%", *cur) || isspace(*cur & 255))