author | Caolán McNamara <caolanm@redhat.com> | 2017-07-12 14:12:46 +0100 |
---|---|---|
committer | Albert Astals Cid <aacid@kde.org> | 2017-07-31 14:37:14 +0200 |
commit | 75fff6556eaf0ef3a6fcdef2c2229d0b6d1c58d9 (patch) | |
tree | 40a4d162ecb75b335233d3533a21ec8ad59b84f3 | |
parent | 5d0c23a9f6cdc3fd216335124788958f46932158 (diff) |
CVE-2017-9865 (fdo#100774) avoid stack buffer overflow
in GfxImageColorMap:getGray
by passing first arg to getGray of maximum possibly required size
and similar in HtmlOutputDev::drawPngImage
-rw-r--r-- | utils/HtmlOutputDev.cc | 6 | ||||
-rw-r--r-- | utils/ImageOutputDev.cc | 6 |
2 files changed, 8 insertions, 4 deletions
diff --git a/utils/HtmlOutputDev.cc b/utils/HtmlOutputDev.cc
index 5f5dc9ff..ac80dc18 100644
--- a/utils/HtmlOutputDev.cc
+++ b/utils/HtmlOutputDev.cc
@@ -39,6 +39,7 @@
 // Copyright (C) 2013 Johannes Brandstätter <jbrandstaetter@gmail.com>
 // Copyright (C) 2014 Fabio D'Urso <fabiodurso@hotmail.it>
 // Copyright (C) 2016 Vincent Le Garrec <legarrec.vincent@gmail.com>
+// Copyright (C) 2017 Caolán McNamara <caolanm@redhat.com>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -1433,8 +1434,9 @@ void HtmlOutputDev::drawPngImage(GfxState *state, Stream *str, int width, int he
 int invert_bits = 0xff;
 if (colorMap) {
 GfxGray gray;
- Guchar zero = 0;
- colorMap->getGray(&zero, &gray);
+ Guchar zero[gfxColorMaxComps];
+ memset(zero, 0, sizeof(zero));
+ colorMap->getGray(zero, &gray);
 if (colToByte(gray) == 0)
 invert_bits = 0x00;
 }
diff --git a/utils/ImageOutputDev.cc b/utils/ImageOutputDev.cc
index 069d8210..f6fb35dd 100644
--- a/utils/ImageOutputDev.cc
+++ b/utils/ImageOutputDev.cc
@@ -23,6 +23,7 @@
 // Copyright (C) 2012, 2013, 2017 Adrian Johnson <ajohnson@redneon.com>
 // Copyright (C) 2013 Thomas Fischer <fischer@unix-ag.uni-kl.de>
 // Copyright (C) 2013 Hib Eris <hib@hiberis.nl>
+// Copyright (C) 2017 Caolán McNamara <caolanm@redhat.com>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -344,7 +345,7 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
 GfxRGB rgb;
 GfxCMYK cmyk;
 GfxGray gray;
- Guchar zero = 0;
+ Guchar zero[gfxColorMaxComps];
 int invert_bits;
 if (writer) {
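Review bot: Nothing at the new `Guchar zero[gfxColorMaxComps];` declaration in drawPngImage records why the probe buffer is that wide, so a later tidy-up could shrink it back to one byte and reintroduce the overflow named in the commit message. A comment such as `// getGray() reads one byte per colour component; keep this gfxColorMaxComps wide (CVE-2017-9865)` above the declaration would pin that down. The fix is applied at call sites only, so any other caller that hands getGray a buffer smaller than the map's component count would presumably still overflow; that cannot be checked from this diff. The hunk also starts using `memset` without a visible include change, so it is worth confirming `<string.h>` is already pulled in. drawPngImage starts and ends outside the hunk.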
@@ -383,7 +384,8 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
 // the mask we leave the data unchanged.
 invert_bits = 0xff;
 if (colorMap) {
- colorMap->getGray(&zero, &gray);
+ memset(zero, 0, sizeof(zero));
+ colorMap->getGray(zero, &gray);
 if (colToByte(gray) == 0)
 invert_bits = 0x00;
 } |
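Review bot: In writeImageFile the `zero` array is declared near the top of the function (the -344 hunk) but only zeroed by the `memset` added here, roughly forty lines later inside `if (colorMap)`, so its contents are indeterminate in between. Initialising at the declaration, `Guchar zero[gfxColorMaxComps] = {};`, or moving the declaration into this block as HtmlOutputDev::drawPngImage does, would close that window and make the separate `memset` line unnecessary. No other use of `zero` is visible in these hunks, so this is hardening rather than a confirmed bug. The function body continues outside both hunks.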