From 12bafbb7ffef77d5b5b948bbe8c49fe9497d9d9d Mon Sep 17 00:00:00 2001
From: Martin Kretzschmar <mkretzschmar@src.gnome.org>
Date: Thu, 20 Feb 2003 14:26:01 +0000
Subject: Applied a patch to fix buffer overflow (CVE:

CAN-2002-1384, Redhat: RHSA-2003:037-09, Debian: DSA-222)
Reminder by Michael
---
diff --git a/pdf/xpdf/GfxState.cc b/pdf/xpdf/GfxState.cc
index c0f5ff4..94501a8 100644
--- a/pdf/xpdf/GfxState.cc
+++ b/pdf/xpdf/GfxState.cc
@@ -794,9 +794,19 @@ GfxColorSpace *GfxIndexedColorSpace::parse(Array *arr) {
   obj1.free();
   if (!arr->get(2, &obj1)->isInt()) {
     error(-1, "Bad Indexed color space (hival)");
+    delete baseA;
     goto err2;
   }
   indexHighA = obj1.getInt();
+  if (indexHighA < 0 || indexHighA > 255) {
+    // the PDF spec requires indexHigh to be in [0,255] -- allowing
+    // values larger than 255 creates a security hole: if nComps *
+    // indexHigh is greater than 2^31, the loop below may overwrite
+    // past the end of the array
+    error(-1, "Bad Indexed color space (invalid indexHigh value)");
+    delete baseA;
+    goto err2;
+  }
   obj1.free();
   cs = new GfxIndexedColorSpace(baseA, indexHighA);
   arr->get(3, &obj1);
--
cgit v0.9.1