From db5a4a9ae7b0048f033361744421da8569642f73 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Sat, 12 Sep 2015 08:32:55 +0200
Subject: [PATCH] [psaux] Fix potential buffer overflow (#45922).

* src/psaux/psobjs.c (ps_parser_skip_PS_token): If a token is enclosed in balanced expressions, ensure that the cursor position doesn't get larger than the current limit.
---
 ChangeLog | 8 ++++++++
 src/psaux/psobjs.c | 3 +++
 2 files changed, 11 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 12413063b..c1853805a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2015-09-11 Werner Lemberg
+
+ [psaux] Fix potential buffer overflow (#45922).
+
+ * src/psaux/psobjs.c (ps_parser_skip_PS_token): If a token is
+ enclosed in balanced expressions, ensure that the cursor position
+ doesn't get larger than the current limit.
+
 2015-09-11 Werner Lemberg
 
 [base] Avoid crash while tracing `load_mac_face'.
diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
index c7cbc67c6..54eabe2b3 100644
--- a/src/psaux/psobjs.c
+++ b/src/psaux/psobjs.c
@@ -594,6 +594,9 @@
 error = FT_THROW( Invalid_File_Format );
 }
 
+ if ( cur > limit )
+ cur = limit;
+
 parser->error = error;
 parser->cursor = cur;
 }
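Review bot: The added `if ( cur > limit ) cur = limit;` in src/psaux/psobjs.c clamps the cursor only after the token has been skipped, so it protects later users of `parser->cursor` but not any read the skipping code may already have made past `limit`. Those routines are outside this hunk, so whether they are themselves bounded needs to be checked there. The clamp is also silent: an overshoot presumably only happens on malformed input, yet `error` is left as it was and the caller cannot tell that the cursor was corrected. Consider recording it, e.g. `if ( cur > limit ) { cur = limit; if ( !error ) error = FT_THROW( Invalid_File_Format ); }`, or at least add a comment such as `/* skipping a balanced expression may overshoot on malformed input */`. The body of ps_parser_skip_PS_token begins outside the hunk.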