authorCaolán McNamara <caolanm@redhat.com>2017-07-12 14:12:46 +0100
committerAlbert Astals Cid <aacid@kde.org>2017-07-31 14:37:14 +0200
commit75fff6556eaf0ef3a6fcdef2c2229d0b6d1c58d9 (patch)
tree40a4d162ecb75b335233d3533a21ec8ad59b84f3
parent5d0c23a9f6cdc3fd216335124788958f46932158 (diff)
CVE-2017-9865 (fdo#100774) avoid stack buffer overflow
in GfxImageColorMap::getGray by passing a first argument of the maximum possibly required size to getGray, and similarly in HtmlOutputDev::drawPngImage
-rw-r--r--utils/HtmlOutputDev.cc6
-rw-r--r--utils/ImageOutputDev.cc6
2 files changed, 8 insertions, 4 deletions
diff --git a/utils/HtmlOutputDev.cc b/utils/HtmlOutputDev.cc
index 5f5dc9ff..ac80dc18 100644
--- a/utils/HtmlOutputDev.cc
+++ b/utils/HtmlOutputDev.cc
@@ -39,6 +39,7 @@
// Copyright (C) 2013 Johannes Brandstätter <jbrandstaetter@gmail.com>
// Copyright (C) 2014 Fabio D'Urso <fabiodurso@hotmail.it>
// Copyright (C) 2016 Vincent Le Garrec <legarrec.vincent@gmail.com>
+// Copyright (C) 2017 Caolán McNamara <caolanm@redhat.com>
//
// To see a description of the changes please see the Changelog file that
// came with your tarball or type make ChangeLog if you are building from git
@@ -1433,8 +1434,9 @@ void HtmlOutputDev::drawPngImage(GfxState *state, Stream *str, int width, int he
int invert_bits = 0xff;
if (colorMap) {
GfxGray gray;
- Guchar zero = 0;
- colorMap->getGray(&zero, &gray);
+ Guchar zero[gfxColorMaxComps];
+ memset(zero, 0, sizeof(zero));
+ colorMap->getGray(zero, &gray);
if (colToByte(gray) == 0)
invert_bits = 0x00;
}
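Review bot: The new `zero` buffer in drawPngImage has no comment explaining why it is `gfxColorMaxComps` wide, so a later cleanup could shrink it back to a single byte and reintroduce the stack overflow named in the commit message. I would add `// sized for a color map with the maximum number of components; getGray() may read more than one input byte` above the declaration. The declaration and `memset` could also be folded into `Guchar zero[gfxColorMaxComps] = {};`, which keeps the zeroing attached to the declaration. As called here getGray receives no length, so the size contract appears to rest on each caller; other call sites are outside this hunk and worth checking for the same one-byte pattern. drawPngImage's body starts and ends outside the hunk.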
diff --git a/utils/ImageOutputDev.cc b/utils/ImageOutputDev.cc
index 069d8210..f6fb35dd 100644
--- a/utils/ImageOutputDev.cc
+++ b/utils/ImageOutputDev.cc
@@ -23,6 +23,7 @@
// Copyright (C) 2012, 2013, 2017 Adrian Johnson <ajohnson@redneon.com>
// Copyright (C) 2013 Thomas Fischer <fischer@unix-ag.uni-kl.de>
// Copyright (C) 2013 Hib Eris <hib@hiberis.nl>
+// Copyright (C) 2017 Caolán McNamara <caolanm@redhat.com>
//
// To see a description of the changes please see the Changelog file that
// came with your tarball or type make ChangeLog if you are building from git
@@ -344,7 +345,7 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
GfxRGB rgb;
GfxCMYK cmyk;
GfxGray gray;
- Guchar zero = 0;
+ Guchar zero[gfxColorMaxComps];
int invert_bits;
if (writer) {
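Review bot: `zero` is declared uninitialised at the top of writeImageFile in this hunk and is only zeroed by the `memset` added in the later hunk under `if (colorMap)`, so any use between those points, or one added later, would pass indeterminate bytes to getGray. Declaring it at the point of use, as the HtmlOutputDev.cc change does, with `Guchar zero[gfxColorMaxComps] = {};` inside the `if (colorMap)` block would keep declaration and initialisation together. Whether `zero` is read anywhere else in the function cannot be seen from these hunks, so that needs confirming before moving it. The function body starts and ends outside both hunks.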
@@ -383,7 +384,8 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
// the mask we leave the data unchanged.
invert_bits = 0xff;
if (colorMap) {
- colorMap->getGray(&zero, &gray);
+ memset(zero, 0, sizeof(zero));
+ colorMap->getGray(zero, &gray);
if (colToByte(gray) == 0)
invert_bits = 0x00;
}