[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-commits
Subject:    KDE_3_2_BRANCH: kdegraphics/kpdf/xpdf
From:       Dirk Mueller <mueller () kde ! org>
Date:       2004-12-22 12:05:08
Message-ID: 20041222120508.C090B1B94D () office ! kde ! org
[Download RAW message or body]

CVS commit by mueller: 

fix xpdf buffer overflow


  M +3 -1      Gfx.cc   1.4.2.1
  M +10 -0     GfxState.cc   1.3.2.1


--- kdegraphics/kpdf/xpdf/Gfx.cc  #1.4:1.4.2.1
@@ -2382,5 +2382,7 @@ void Gfx::doImage(Object *ref, Stream *s
     dict->lookup("Mask", &maskObj);
     if (maskObj.isArray()) {
-      for (i = 0; i < maskObj.arrayGetLength(); ++i) {
+      for (i = 0;
+           i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps;
+           ++i) {
         maskObj.arrayGet(i, &obj1);
         maskColors[i] = obj1.getInt();

--- kdegraphics/kpdf/xpdf/GfxState.cc  #1.3:1.3.2.1
@@ -709,4 +709,9 @@ GfxColorSpace *GfxICCBasedColorSpace::pa
   nCompsA = obj2.getInt();
   obj2.free();
+  if (nCompsA > gfxColorMaxComps) {
+    error(-1, "ICCBased color space with too many (%d > %d) components",
+          nCompsA, gfxColorMaxComps);
+    nCompsA = gfxColorMaxComps;
+  }
   if (dict->lookup("Alternate", &obj2)->isNull() ||
       !(altA = GfxColorSpace::parse(&obj2))) {
@@ -1048,4 +1053,9 @@ GfxColorSpace *GfxDeviceNColorSpace::par
   }
   nCompsA = obj1.arrayGetLength();
+  if (nCompsA > gfxColorMaxComps) {
+    error(-1, "DeviceN color space with too many (%d > %d) components",
+ ·         nCompsA, gfxColorMaxComps);
+    nCompsA = gfxColorMaxComps;
+  }
   for (i = 0; i < nCompsA; ++i) {
     if (!obj1.arrayGet(i, &obj2)->isName()) {


[prev in list] [next in list] [prev in thread] [next in thread]