From: Martin Kretzschmar Date: Thu, 20 Feb 2003 14:26:01 +0000 (+0000) Subject: Applied a patch to fix buffer overflow (CVE: X-Git-Tag: XPDF_1_01~5 X-Git-Url: https://www.fi.muni.cz/~kas/git//home/kas/public_html/git/?a=commitdiff_plain;h=12bafbb7ffef77d5b5b948bbe8c49fe9497d9d9d;p=evince.git Applied a patch to fix buffer overflow (CVE: CAN-2002-1384, Redhat: RHSA-2003:037-09, Debian: DSA-222) Reminder by Michael --- diff --git a/pdf/xpdf/GfxState.cc b/pdf/xpdf/GfxState.cc index c0f5ff45..94501a8c 100644 --- a/pdf/xpdf/GfxState.cc +++ b/pdf/xpdf/GfxState.cc @@ -794,9 +794,19 @@ GfxColorSpace *GfxIndexedColorSpace::parse(Array *arr) { obj1.free(); if (!arr->get(2, &obj1)->isInt()) { error(-1, "Bad Indexed color space (hival)"); + delete baseA; goto err2; } indexHighA = obj1.getInt(); + if (indexHighA < 0 || indexHighA > 255) { + // the PDF spec requires indexHigh to be in [0,255] -- allowing + // values larger than 255 creates a security hole: if nComps * + // indexHigh is greater than 2^31, the loop below may overwrite + // past the end of the array + error(-1, "Bad Indexed color space (invalid indexHigh value)"); + delete baseA; + goto err2; + } obj1.free(); cs = new GfxIndexedColorSpace(baseA, indexHighA); arr->get(3, &obj1);