From 559c95f3bf073eafff9b69219b3e8a12cb6b0d57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Wed, 12 Jul 2017 14:12:46 +0100
Subject: [PATCH] CVE-2017-9865 (fdo#100774) avoid stack buffer overflow

in GfxImageColorMap:getGray

by passing first arg to getGray of maximum possibly required size

and similar in HtmlOutputDev::drawPngImage
---
 utils/HtmlOutputDev.cc  | 5 +++--
 utils/ImageOutputDev.cc | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/utils/HtmlOutputDev.cc b/utils/HtmlOutputDev.cc
index 5f5dc9f..f418b3d 100644
--- a/utils/HtmlOutputDev.cc
+++ b/utils/HtmlOutputDev.cc
@@ -1433,8 +1433,9 @@ void HtmlOutputDev::drawPngImage(GfxState *state, Stream *str, int width, int he
     int invert_bits = 0xff;
     if (colorMap) {
       GfxGray gray;
-      Guchar zero = 0;
-      colorMap->getGray(&zero, &gray);
+      Guchar zero[gfxColorMaxComps];
+      memset(zero, 0, sizeof(zero));
+      colorMap->getGray(zero, &gray);
       if (colToByte(gray) == 0)
         invert_bits = 0x00;
     }
diff --git a/utils/ImageOutputDev.cc b/utils/ImageOutputDev.cc
index 069d821..bc34543 100644
--- a/utils/ImageOutputDev.cc
+++ b/utils/ImageOutputDev.cc
@@ -344,7 +344,7 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
   GfxRGB rgb;
   GfxCMYK cmyk;
   GfxGray gray;
-  Guchar zero = 0;
+  Guchar zero[gfxColorMaxComps];
   int invert_bits;
 
   if (writer) {
@@ -383,7 +383,8 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
   // the mask we leave the data unchanged.
   invert_bits = 0xff;
   if (colorMap) {
-    colorMap->getGray(&zero, &gray);
+    memset(zero, 0, sizeof(zero));
+    colorMap->getGray(zero, &gray);
     if (colToByte(gray) == 0)
       invert_bits = 0x00;
   }
-- 
2.9.3