author | Martin Kretzschmar <mkretzschmar@src.gnome.org> | 2003-02-20 14:26:01 (GMT) |
---|---|---|
committer | Martin Kretzschmar <mkretzschmar@src.gnome.org> | 2003-02-20 14:26:01 (GMT) |
commit | 12bafbb7ffef77d5b5b948bbe8c49fe9497d9d9d (patch) | |
tree | 1208cf57fbce625f223de59b469581ae11044449 /pdf | |
parent | 074eb67d6cb4373daf6110acc3f0373f8be925db (diff) |
Applied a patch to fix buffer overflow (CVE:
CAN-2002-1384, Redhat: RHSA-2003:037-09, Debian: DSA-222)
Reminder by Michael
Diffstat (limited to 'pdf')
-rw-r--r-- | pdf/xpdf/GfxState.cc | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/pdf/xpdf/GfxState.cc b/pdf/xpdf/GfxState.cc index c0f5ff4..94501a8 100644 --- a/pdf/xpdf/GfxState.cc +++ b/pdf/xpdf/GfxState.cc @@ -794,9 +794,19 @@ GfxColorSpace *GfxIndexedColorSpace::parse(Array *arr) { obj1.free(); if (!arr->get(2, &obj1)->isInt()) { error(-1, "Bad Indexed color space (hival)"); + delete baseA; goto err2; } indexHighA = obj1.getInt(); + if (indexHighA < 0 || indexHighA > 255) { + // the PDF spec requires indexHigh to be in [0,255] -- allowing + // values larger than 255 creates a security hole: if nComps * + // indexHigh is greater than 2^31, the loop below may overwrite + // past the end of the array + error(-1, "Bad Indexed color space (invalid indexHigh value)"); + delete baseA; + goto err2; + } obj1.free(); cs = new GfxIndexedColorSpace(baseA, indexHighA); arr->get(3, &obj1); |
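Review bot: Both error paths in this hunk now repeat `delete baseA;` by hand before `goto err2;`, once in the existing `isInt()` failure branch and once in the new `indexHighA < 0 || indexHighA > 255` branch. A dedicated cleanup label that deletes `baseA` and then falls through to `err2` would keep any later error path added before `new GfxIndexedColorSpace(baseA, indexHighA)` from forgetting it. The `delete baseA;` added to the `isInt()` branch is a separate leak fix that the commit message does not mention, so it deserves a line there. The range check itself sits in the right place, before `indexHighA` reaches the constructor, but the comment refers to `nComps` and "the loop below", neither of which is visible at this point in the function; naming the array and the loop it protects would make the reason for the bound easier to verify later. Printing the rejected value in the "invalid indexHigh value" error would also help when triaging malformed files.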