From 12bafbb7ffef77d5b5b948bbe8c49fe9497d9d9d Mon Sep 17 00:00:00 2001 From: Martin Kretzschmar Date: Thu, 20 Feb 2003 14:26:01 +0000 Subject: [PATCH] Applied a patch to fix buffer overflow (CVE: CAN-2002-1384, Redhat: RHSA-2003:037-09, Debian: DSA-222) Reminder by Michael --- pdf/xpdf/GfxState.cc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pdf/xpdf/GfxState.cc b/pdf/xpdf/GfxState.cc index c0f5ff45..94501a8c 100644 --- a/pdf/xpdf/GfxState.cc +++ b/pdf/xpdf/GfxState.cc @@ -794,9 +794,19 @@ GfxColorSpace *GfxIndexedColorSpace::parse(Array *arr) { obj1.free(); if (!arr->get(2, &obj1)->isInt()) { error(-1, "Bad Indexed color space (hival)"); + delete baseA; goto err2; } indexHighA = obj1.getInt(); + if (indexHighA < 0 || indexHighA > 255) { + // the PDF spec requires indexHigh to be in [0,255] -- allowing + // values larger than 255 creates a security hole: if nComps * + // indexHigh is greater than 2^31, the loop below may overwrite + // past the end of the array + error(-1, "Bad Indexed color space (invalid indexHigh value)"); + delete baseA; + goto err2; + } obj1.free(); cs = new GfxIndexedColorSpace(baseA, indexHighA); arr->get(3, &obj1); -- 2.43.5