From 559c95f3bf073eafff9b69219b3e8a12cb6b0d57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
Date: Wed, 12 Jul 2017 14:12:46 +0100
Subject: [PATCH] CVE-2017-9865 (fdo#100774) avoid stack buffer overflow in GfxImageColorMap:getGray by passing first arg to getGray of maximum possibly required size and similar in HtmlOutputDev::drawPngImage
---
 utils/HtmlOutputDev.cc | 5 +++--
 utils/ImageOutputDev.cc | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/utils/HtmlOutputDev.cc b/utils/HtmlOutputDev.cc
index 5f5dc9f..f418b3d 100644
--- a/utils/HtmlOutputDev.cc
+++ b/utils/HtmlOutputDev.cc
@@ -1433,8 +1433,9 @@ void HtmlOutputDev::drawPngImage(GfxState *state, Stream *str, int width, int he
 int invert_bits = 0xff;
 if (colorMap) {
 GfxGray gray;
- Guchar zero = 0;
- colorMap->getGray(&zero, &gray);
+ Guchar zero[gfxColorMaxComps];
+ memset(zero, 0, sizeof(zero));
+ colorMap->getGray(zero, &gray);
 if (colToByte(gray) == 0)
 invert_bits = 0x00;
 }
diff --git a/utils/ImageOutputDev.cc b/utils/ImageOutputDev.cc
index 069d821..bc34543 100644
--- a/utils/ImageOutputDev.cc
+++ b/utils/ImageOutputDev.cc
@@ -344,7 +344,7 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
 GfxRGB rgb;
 GfxCMYK cmyk;
 GfxGray gray;
- Guchar zero = 0;
+ Guchar zero[gfxColorMaxComps];
 int invert_bits;
 if (writer) {
@@ -383,7 +383,8 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
 // the mask we leave the data unchanged.
 invert_bits = 0xff;
 if (colorMap) {
- colorMap->getGray(&zero, &gray);
+ memset(zero, 0, sizeof(zero));
+ colorMap->getGray(zero, &gray);
 if (colToByte(gray) == 0)
 invert_bits = 0x00;
 }
-- 
2.9.3
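Review bot: Nothing in the new lines of HtmlOutputDev::drawPngImage records why a one-pixel probe needs a gfxColorMaxComps-wide buffer, so a later tidy-up could shrink `zero` back to a single byte and bring the over-read back. Going by the commit message, getGray can read more than one byte from its first argument, and that contract is invisible at the call site. I would add a comment above the declaration such as `// getGray() may read up to gfxColorMaxComps bytes from its input; keep this buffer full-size (CVE-2017-9865)`. The same comment fits the `memset`/`getGray` pair in the ImageOutputDev.cc hunk at line 383. drawPngImage starts and ends outside this hunk.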
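Review bot: In ImageOutputDev::writeImageFile (hunk at line 344) `zero` is now declared without an initializer and is only cleared by the `memset` in the later hunk at line 383, inside `if (colorMap)`. Any other read of `zero` in the part of the function not shown here would see indeterminate stack bytes, and the distance between the declaration and the clearing makes that easy to miss. Initializing at the declaration, `Guchar zero[gfxColorMaxComps] = { 0 };`, removes the dependency on the later `memset`; the same form would work in HtmlOutputDev::drawPngImage. The function body runs beyond both hunks, so whether other uses of `zero` exist cannot be checked from the patch.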