From f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Sat, 8 Oct 2016 16:10:27 +0100
Subject: [PATCH] Bug 697203: check for sufficient params in .sethalftone5

and param types

Upstream-Status: Backport
CVE: CVE-2016-8602

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
---
 psi/zht2.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/psi/zht2.c b/psi/zht2.c
index fb4a264..dfa27a4 100644
--- a/psi/zht2.c
+++ b/psi/zht2.c
@@ -82,14 +82,22 @@ zsethalftone5(i_ctx_t *i_ctx_p)
     gs_memory_t *mem;
     uint edepth = ref_stack_count(&e_stack);
     int npop = 2;
-    int dict_enum = dict_first(op);
+    int dict_enum;
     ref rvalue[2];
     int cname, colorant_number;
     byte * pname;
     uint name_size;
     int halftonetype, type = 0;
     gs_gstate *pgs = igs;
-    int space_index = r_space_index(op - 1);
+    int space_index;
+
+    if (ref_stack_count(&o_stack) < 2)
+        return_error(gs_error_stackunderflow);
+    check_type(*op, t_dictionary);
+    check_type(*(op - 1), t_dictionary);
+
+    dict_enum = dict_first(op);
+    space_index = r_space_index(op - 1);
 
     mem = (gs_memory_t *) idmemory->spaces_indexed[space_index];
 
-- 
2.10.2