Fix CVE-2016-7506: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7506 http://bugs.ghostscript.com/show_bug.cgi?id=697141 Patch copied from upstream source repository: http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5000749f5afe3b956fc916e407309de840997f4a From 5000749f5afe3b956fc916e407309de840997f4a Mon Sep 17 00:00:00 2001 From: Tor Andersson Date: Wed, 21 Sep 2016 16:02:11 +0200 Subject: [PATCH] Fix bug 697141: buffer overrun in regexp string substitution. A '$' escape at the end of the string would read past the zero terminator when looking for the escaped character. --- jsstring.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/jsstring.c b/jsstring.c index 66f6a89..0209a8e 100644 --- a/thirdparty/mujs/jsstring.c +++ b/thirdparty/mujs/jsstring.c @@ -421,6 +421,7 @@ loop: while (*r) { if (*r == '$') { switch (*(++r)) { + case 0: --r; /* end of string; back up and fall through */ case '$': js_putc(J, &sb, '$'); break; case '`': js_putm(J, &sb, source, s); break; case '\'': js_puts(J, &sb, s + n); break; @@ -516,6 +517,7 @@ static void Sp_replace_string(js_State *J) while (*r) { if (*r == '$') { switch (*(++r)) { + case 0: --r; /* end of string; back up and fall through */ case '$': js_putc(J, &sb, '$'); break; case '&': js_putm(J, &sb, s, s + n); break; case '`': js_putm(J, &sb, source, s); break; -- 2.10.2