Applied a patch to fix buffer overflow (CVE:

author Martin Kretzschmar <mkretzschmar@src.gnome.org>

Thu, 20 Feb 2003 14:26:01 +0000 (14:26 +0000)

committer Martin Kretzschmar <mkretzschmar@src.gnome.org>

Thu, 20 Feb 2003 14:26:01 +0000 (14:26 +0000)
author Martin Kretzschmar <mkretzschmar@src.gnome.org>
Thu, 20 Feb 2003 14:26:01 +0000 (14:26 +0000)
committer Martin Kretzschmar <mkretzschmar@src.gnome.org>
Thu, 20 Feb 2003 14:26:01 +0000 (14:26 +0000)
diff --git a/pdf/xpdf/GfxState.cc b/pdf/xpdf/GfxState.cc

index c0f5ff454894d2a03b3d76da3e733a598b0924cd..94501a8c9b7b4974fc5ed7b0de10ce0347602d9c 100644 (file)
--- a/pdf/xpdf/GfxState.cc
+++ b/pdf/xpdf/GfxState.cc
@@ -794,9 +794,19 @@ GfxColorSpace *GfxIndexedColorSpace::parse(Array *arr) {
    obj1.free();
    if (!arr->get(2, &obj1)->isInt()) {
      error(-1, "Bad Indexed color space (hival)");
+    delete baseA;
      goto err2;
    }
    indexHighA = obj1.getInt();
+  if (indexHighA < 0 || indexHighA > 255) {
+    // the PDF spec requires indexHigh to be in [0,255] -- allowing
+    // values larger than 255 creates a security hole: if nComps *
+    // indexHigh is greater than 2^31, the loop below may overwrite
+    // past the end of the array
+    error(-1, "Bad Indexed color space (invalid indexHigh value)");
+    delete baseA;
+    goto err2;
+  }
    obj1.free();
    cs = new GfxIndexedColorSpace(baseA, indexHighA);
    arr->get(3, &obj1);
author	Martin Kretzschmar <mkretzschmar@src.gnome.org>
	Thu, 20 Feb 2003 14:26:01 +0000 (14:26 +0000)
committer	Martin Kretzschmar <mkretzschmar@src.gnome.org>
	Thu, 20 Feb 2003 14:26:01 +0000 (14:26 +0000)