author: Simon Bünzli <zeniko@gmail.com> 2014-01-16 22:04:51 +0100
committer: Simon Bünzli <zeniko@gmail.com> 2014-01-16 22:09:13 +0100
commit: 60dabde18d7fe12b19da8b509bdfee9cc886aafc (patch)
tree: da0f1f2ace0fdd9c153e12dcf20075e2674117fa /source/xps/xps-gradient.c
parent: 5106b010ec248bf254effcb3445a16dc7c4b015b (diff)
download: mupdf-60dabde18d7fe12b19da8b509bdfee9cc886aafc.tar.xz
Bug 694957: fix stack buffer overflow in xps_parse_color
xps_parse_color happily reads more than FZ_MAX_COLORS values out of a ContextColor array which overflows the passed-in samples array. Limiting the number of allowed samples to FZ_MAX_COLORS and making sure to use that constant for all callers fixes the problem. Thanks to Jean-Jamil Khalifé for reporting and investigating the issue and providing a sample exploit file.
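The defect the commit message describes is a parser that writes as many values as the input supplies into a caller's fixed-size array. The following is an added example, not mupdf's code and not the fix itself: a stand-alone C parser for a comma- or space-separated list of floats that refuses input with more values than the destination holds. `MAX_SAMPLES`, `parse_color_samples`, `sample_count` and `sample_percent` are hypothetical names chosen for this example; `MAX_SAMPLES` only stands in for the role FZ_MAX_COLORS plays, and the XPS ContextColor syntax is simplified to a bare value list.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed cap for the example; it stands in for the role FZ_MAX_COLORS
 * plays in mupdf and is not that constant's real value. */
#define MAX_SAMPLES 8

/*
 * Parse a comma- or space-separated list of floats into out[], storing at
 * most `max` entries. Returns the number of values stored, or -1 if the
 * input holds more than `max` values or a token that is not a number.
 * The bound is checked before every write, so the caller's buffer is never
 * overrun no matter how long the input is; the excess is rejected, not
 * silently truncated, because a colour with too many components is
 * malformed input rather than a value to guess at.
 */
int parse_color_samples(const char *text, float *out, int max)
{
	int n = 0;
	const char *p = text;

	while (*p) {
		char *end;
		float v;

		/* skip separators between values */
		while (*p == ' ' || *p == ',' || *p == '\t')
			p++;
		if (!*p)
			break;

		errno = 0;
		v = strtof(p, &end);
		if (end == p || errno == ERANGE)
			return -1;	/* not a finite number */

		if (n >= max)
			return -1;	/* too many samples: refuse rather than write past the end */
		out[n++] = v;
		p = end;
	}
	return n;
}

/* Parse into a MAX_SAMPLES-sized stack buffer and return the count or -1.
 * Mirrors the caller pattern in the commit: a local array sized by the
 * same constant the parser is told to honour. */
int sample_count(const char *text)
{
	float buf[MAX_SAMPLES];
	return parse_color_samples(text, buf, MAX_SAMPLES);
}

/* Return the i-th parsed sample as a rounded percentage, or -1 if the
 * input is rejected or has no i-th value. */
int sample_percent(const char *text, int i)
{
	float buf[MAX_SAMPLES];
	int n = parse_color_samples(text, buf, MAX_SAMPLES);
	if (n < 0 || i >= n)
		return -1;
	return (int)(buf[i] * 100.0f + 0.5f);
}
```

A caller with a smaller local array than the parser's cap would still overrun, which is why the commit message insists that every caller use the same constant; passing the array length in explicitly, as `max` does here, removes that dependency.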
Diffstat (limited to 'source/xps/xps-gradient.c')
-rw-r--r-- source/xps/xps-gradient.c | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/source/xps/xps-gradient.c b/source/xps/xps-gradient.c
index 7d03f89d..76188e91 100644
--- a/source/xps/xps-gradient.c
+++ b/source/xps/xps-gradient.c
@@ -39,7 +39,7 @@ xps_parse_gradient_stops(xps_document *doc, char *base_uri, fz_xml *node,
struct stop *stops, int maxcount)
{
fz_colorspace *colorspace;
- float sample[8];
+ float sample[FZ_MAX_COLORS];
float rgb[3];
int before, after;
int count;
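Review bot: this hunk only enlarges the local `sample` buffer from 8 to FZ_MAX_COLORS; the bound that actually stops the overrun is the cap inside xps_parse_color that the commit message describes, and it lies outside this file-limited view, so confirm that check landed in the same commit. Because the fix relies on caller and callee both naming FZ_MAX_COLORS, it would be more robust to pass the buffer length to xps_parse_color (for example `sizeof(sample) / sizeof(sample[0])`) so a future caller with a smaller array cannot reintroduce the bug.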