authorMartin Kretzschmar <mkretzschmar@src.gnome.org>2003-02-20 14:26:01 (GMT)
committer Martin Kretzschmar <mkretzschmar@src.gnome.org>2003-02-20 14:26:01 (GMT)
commit12bafbb7ffef77d5b5b948bbe8c49fe9497d9d9d (patch)
tree1208cf57fbce625f223de59b469581ae11044449 /pdf
parent074eb67d6cb4373daf6110acc3f0373f8be925db (diff)
Applied a patch to fix buffer overflow (CVE:
CAN-2002-1384, Redhat: RHSA-2003:037-09, Debian: DSA-222) Reminder by Michael
Diffstat (limited to 'pdf')
-rw-r--r--pdf/xpdf/GfxState.cc10
1 files changed, 10 insertions, 0 deletions
diff --git a/pdf/xpdf/GfxState.cc b/pdf/xpdf/GfxState.cc
index c0f5ff4..94501a8 100644
--- a/pdf/xpdf/GfxState.cc
+++ b/pdf/xpdf/GfxState.cc
@@ -794,9 +794,19 @@ GfxColorSpace *GfxIndexedColorSpace::parse(Array *arr) {
obj1.free();
if (!arr->get(2, &obj1)->isInt()) {
error(-1, "Bad Indexed color space (hival)");
+ delete baseA;
goto err2;
}
indexHighA = obj1.getInt();
+ if (indexHighA < 0 || indexHighA > 255) {
+ // the PDF spec requires indexHigh to be in [0,255] -- allowing
+ // values larger than 255 creates a security hole: if nComps *
+ // indexHigh is greater than 2^31, the loop below may overwrite
+ // past the end of the array
+ error(-1, "Bad Indexed color space (invalid indexHigh value)");
+ delete baseA;
+ goto err2;
+ }
obj1.free();
cs = new GfxIndexedColorSpace(baseA, indexHighA);
arr->get(3, &obj1);
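Review bot: The `indexHighA < 0 || indexHighA > 255` check protects only this parse() path, while the allocation and the "loop below" that the comment names are outside the hunk. Any other code that constructs a GfxIndexedColorSpace from an unvalidated bound would presumably still reach them, so the same limit is worth enforcing, or at least asserting, where the table size is actually computed. The comment's "greater than 2^31" is also loose: the hazard is the signed product wrapping, which a wording such as `// indexHigh outside [0,255] can overflow the int table size derived from indexHigh and nComps` states more exactly. Both error branches now repeat `delete baseA; goto err2;`, and what `err2` releases is not visible here, so a dedicated cleanup label that frees `baseA` would keep a future early exit from leaking it.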