commit 5631718fca3da733c59e4d884c008e781a5c3539 Author: Volker Krause Date: Sun Aug 19 09:44:22 2018 +0200 Fix memory issues in GfxImageColorMap copy ctor - byte_lookup and lookup2 could contain uninitialized memory - lookup2 was not copied at all - lookup could be copied with the wrong size
diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index 956a214b..0f6f8eff 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -5868,24 +5868,30 @@ GfxImageColorMap::GfxImageColorMap(GfxImageColorMap *colorMap) {
 colorSpace2 = nullptr;
 for (k = 0; k < gfxColorMaxComps; ++k) {
 lookup[k] = nullptr;
+ lookup2[k] = nullptr;
 }
+ byte_lookup = nullptr;
 n = 1 << bits;
+ for (k = 0; k < nComps; ++k) {
+ lookup[k] = (GfxColorComp *)gmallocn(n, sizeof(GfxColorComp));
+ memcpy(lookup[k], colorMap->lookup[k], n * sizeof(GfxColorComp));
+ }
 if (colorSpace->getMode() == csIndexed) {
 colorSpace2 = ((GfxIndexedColorSpace *)colorSpace)->getBase();
 for (k = 0; k < nComps2; ++k) {
- lookup[k] = (GfxColorComp *)gmallocn(n, sizeof(GfxColorComp));
- memcpy(lookup[k], colorMap->lookup[k], n * sizeof(GfxColorComp));
+ lookup2[k] = (GfxColorComp *)gmallocn(n, sizeof(GfxColorComp));
+ memcpy(lookup2[k], colorMap->lookup2[k], n * sizeof(GfxColorComp));
 }
 } else if (colorSpace->getMode() == csSeparation) {
 colorSpace2 = ((GfxSeparationColorSpace *)colorSpace)->getAlt();
 for (k = 0; k < nComps2; ++k) {
- lookup[k] = (GfxColorComp *)gmallocn(n, sizeof(GfxColorComp));
- memcpy(lookup[k], colorMap->lookup[k], n * sizeof(GfxColorComp));
+ lookup2[k] = (GfxColorComp *)gmallocn(n, sizeof(GfxColorComp));
+ memcpy(lookup2[k], colorMap->lookup2[k], n * sizeof(GfxColorComp));
 }
 } else {
 for (k = 0; k < nComps; ++k) {
- lookup[k] = (GfxColorComp *)gmallocn(n, sizeof(GfxColorComp));
- memcpy(lookup[k], colorMap->lookup[k], n * sizeof(GfxColorComp));
+ lookup2[k] = (GfxColorComp *)gmallocn(n, sizeof(GfxColorComp));
+ memcpy(lookup2[k], colorMap->lookup2[k], n * sizeof(GfxColorComp));
 }
 }
 if (colorMap->byte_lookup) {
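Review bot: The new `memcpy` calls read `colorMap->lookup[k]` and `colorMap->lookup2[k]` without a null check, while the `byte_lookup` copy at the end of the hunk is guarded by `if (colorMap->byte_lookup)`. If the source map can carry unset tables (for example one whose construction did not complete; that path is not visible here), each loop would hand a null source pointer to `memcpy`. A guard such as `if (!colorMap->lookup2[k]) continue;` at the top of each loop body, plus the `lookup` equivalent in the first loop, would leave the destination at the `nullptr` this commit already initialises. The copy length `n * sizeof(GfxColorComp)` also relies on the source tables having been allocated with exactly `1 << bits` entries, which happens outside the hunk and deserves a one-line comment next to `n = 1 << bits;`. The constructor begins before and continues past the hunk.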