Fix CVE-2016-7564: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7564 http://bugs.ghostscript.com/show_bug.cgi?id=697137 Patch copied from upstream source repository: http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a3a4fe840b80706c706e86160352af5936f292d8
From a3a4fe840b80706c706e86160352af5936f292d8 Mon Sep 17 00:00:00 2001
From: Tor Andersson
Date: Tue, 20 Sep 2016 17:19:06 +0200
Subject: [PATCH] Fix bug 697137: off by one in string length calculation. We were not allocating space for the terminating zero byte.
---
 jsfunction.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/jsfunction.c b/jsfunction.c
index 8b5b18e..28f7aa7 100644
--- a/thirdparty/mujs/jsfunction.c
+++ b/thirdparty/mujs/jsfunction.c
@@ -61,7 +61,7 @@ static void Fp_toString(js_State *J)
 n += strlen(F->name);
 for (i = 0; i < F->numparams; ++i)
 n += strlen(F->vartab[i]) + 1;
- s = js_malloc(J, n);
+ s = js_malloc(J, n + 1);
 strcpy(s, "function ");
 strcat(s, F->name);
 strcat(s, "(");
--
2.10.2
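Review bot: The `n + 1` in the new `js_malloc(J, n + 1)` call carries no comment, and the buffer size is still computed apart from the `strcpy`/`strcat` calls that fill it, so a later edit to the literals or the parameter loop could bring the heap overflow back unnoticed. I would put `/* +1 for the terminating NUL written by strcpy/strcat */` directly above the allocation. The initial value and type of `n` are set before the hunk and the rest of the string building runs past it, so these lines alone cannot confirm that `n` accounts for every literal and separator that gets appended. If `n` is an `int`, the summed `strlen` results could also wrap for very long names, which is worth checking in the full function. Fp_toString's body starts and ends outside the hunk.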