From 559c95f3bf073eafff9b69219b3e8a12cb6b0d57 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
|
|
Date: Wed, 12 Jul 2017 14:12:46 +0100
|
|
Subject: [PATCH] CVE-2017-9865 (fdo#100774) avoid stack buffer overflow
|
|
|
|
in GfxImageColorMap:getGray
|
|
|
|
by passing first arg to getGray of maximum possibly required size
|
|
|
|
and similar in HtmlOutputDev::drawPngImage
|
|
---
|
|
utils/HtmlOutputDev.cc | 5 +++--
|
|
utils/ImageOutputDev.cc | 5 +++--
|
|
2 files changed, 6 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/utils/HtmlOutputDev.cc b/utils/HtmlOutputDev.cc
|
|
index 5f5dc9f..f418b3d 100644
|
|
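--- a/utils/HtmlOutputDev.cc
+++ b/utils/HtmlOutputDev.cc
@@ -1433,8 +1433,9 @@ void HtmlOutputDev::drawPngImage(GfxState *state, Stream *str, int width, int he
 int invert_bits = 0xff;
 if (colorMap) {
 GfxGray gray;
- Guchar zero = 0;
- colorMap->getGray(&zero, &gray);
+ Guchar zero[gfxColorMaxComps];
+ memset(zero, 0, sizeof(zero));
+ colorMap->getGray(zero, &gray);
 if (colToByte(gray) == 0)
 invert_bits = 0x00;
 }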
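Review bot: The new `zero` buffer in drawPngImage carries no comment saying why it is `gfxColorMaxComps` bytes long, so a later cleanup could shrink it back to a single `Guchar` and reintroduce the out-of-bounds access this commit fixes. I would add `// getGray() may read one byte per colour component, so size for the maximum` above the declaration; that per-component read is inferred from the commit message, since getGray itself is not in the patch. The same comment applies to the `zero` declaration in ImageOutputDev::writeImageFile. The fix is made at these two call sites only, so it is worth checking whether any other caller passes getGray a shorter buffer. drawPngImage starts and ends outside the hunk.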
diff --git a/utils/ImageOutputDev.cc b/utils/ImageOutputDev.cc
|
|
index 069d821..bc34543 100644
|
|
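--- a/utils/ImageOutputDev.cc
+++ b/utils/ImageOutputDev.cc
@@ -344,7 +344,7 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
 GfxRGB rgb;
 GfxCMYK cmyk;
 GfxGray gray;
- Guchar zero = 0;
+ Guchar zero[gfxColorMaxComps];
 int invert_bits;
 
 if (writer) {
@@ -383,7 +383,8 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
 // the mask we leave the data unchanged.
 invert_bits = 0xff;
 if (colorMap) {
- colorMap->getGray(&zero, &gray);
+ memset(zero, 0, sizeof(zero));
+ colorMap->getGray(zero, &gray);
 if (colToByte(gray) == 0)
 invert_bits = 0x00;
 }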
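Review bot: In writeImageFile `zero` is now declared uninitialized at the top of the function (first hunk) and only zeroed by the `memset` roughly forty lines later inside `if (colorMap)` (second hunk), so any use of `zero` on another path would see indeterminate bytes. Initializing at the declaration, `Guchar zero[gfxColorMaxComps] = {};`, keeps the array defined everywhere and makes the separate `memset` unnecessary. Whether other uses of `zero` exist cannot be told from these hunks, as the function body extends beyond both.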
--
|
|
2.9.3
|
|
|