Attachment 132633 Details for Bug 100774 – how about just this simple approach to make zero equal to the largest possibly required size

[patch] how about just this simple approach to make zero equal to the largest possibly required size

0001-CVE-2017-9865-fdo-100774-avoid-stack-buffer-overflow.patch (text/plain), 1.80 KB, created by Caolán McNamara on 2017-07-12 13:22:42 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Caolán McNamara

Created: 2017-07-12 13:22:42 UTC

Size: 1.80 KB

patch

obsolete

>From 559c95f3bf073eafff9b69219b3e8a12cb6b0d57 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
>Date: Wed, 12 Jul 2017 14:12:46 +0100
>Subject: [PATCH] CVE-2017-9865 (fdo#100774) avoid stack buffer overflow
>
>in GfxImageColorMap:getGray
>
>by passing first arg to getGray of maximum possibly required size
>
>and similar in HtmlOutputDev::drawPngImage
>---
> utils/HtmlOutputDev.cc  | 5 +++--
> utils/ImageOutputDev.cc | 5 +++--
> 2 files changed, 6 insertions(+), 4 deletions(-)
>
>diff --git a/utils/HtmlOutputDev.cc b/utils/HtmlOutputDev.cc
>index 5f5dc9f..f418b3d 100644
>--- a/utils/HtmlOutputDev.cc
>+++ b/utils/HtmlOutputDev.cc
>@@ -1433,8 +1433,9 @@ void HtmlOutputDev::drawPngImage(GfxState *state, Stream *str, int width, int he
>     int invert_bits = 0xff;
>     if (colorMap) {
>       GfxGray gray;
>-      Guchar zero = 0;
>-      colorMap->getGray(&zero, &gray);
>+      Guchar zero[gfxColorMaxComps];
>+      memset(zero, 0, sizeof(zero));
>+      colorMap->getGray(zero, &gray);
>       if (colToByte(gray) == 0)
>         invert_bits = 0x00;
>     }
>diff --git a/utils/ImageOutputDev.cc b/utils/ImageOutputDev.cc
>index 069d821..bc34543 100644
>--- a/utils/ImageOutputDev.cc
>+++ b/utils/ImageOutputDev.cc
>@@ -344,7 +344,7 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
>   GfxRGB rgb;
>   GfxCMYK cmyk;
>   GfxGray gray;
>-  Guchar zero = 0;
>+  Guchar zero[gfxColorMaxComps];
>   int invert_bits;
> 
>   if (writer) {
>@@ -383,7 +383,8 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
>   // the mask we leave the data unchanged.
>   invert_bits = 0xff;
>   if (colorMap) {
>-    colorMap->getGray(&zero, &gray);
>+    memset(zero, 0, sizeof(zero));
>+    colorMap->getGray(zero, &gray);
>     if (colToByte(gray) == 0)
>       invert_bits = 0x00;
>   }
>-- 
>2.9.3
>

Actions: View | Splinter Review

Attachments on bug 100774: 131001 | 132633

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.