Bug 694957: fix stack buffer overflow in xps_parse_color

xps_parse_color happily reads more than FZ_MAX_COLORS values out of a ContextColor array which overflows the passed in samples array. Limiting the number of allowed samples to FZ_MAX_COLORS and make sure to use that constant for all callers fixes the problem. Thanks to Jean-Jamil Khalifé for reporting and investigating the issue and providing a sample exploit file.
author: Simon Bünzli <zeniko@gmail.com> 2014-01-16 22:04:51 +0100
committer: Simon Bünzli <zeniko@gmail.com> 2014-01-16 22:09:13 +0100
commit: 60dabde18d7fe12b19da8b509bdfee9cc886aafc (patch)
tree: da0f1f2ace0fdd9c153e12dcf20075e2674117fa /source/xps/xps-path.c
parent: 5106b010ec248bf254effcb3445a16dc7c4b015b (diff)
download: mupdf-60dabde18d7fe12b19da8b509bdfee9cc886aafc.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/source/xps/xps-path.c b/source/xps/xps-path.c
index b97ee17d..ea84a815 100644
--- a/source/xps/xps-path.c
+++ b/source/xps/xps-path.c
@@ -826,7 +826,7 @@ xps_parse_path(xps_document *doc, const fz_matrix *ctm, char *base_uri, xps_reso
 
 	fz_stroke_state *stroke = NULL;
 	fz_matrix transform;
-	float samples[32];
+	float samples[FZ_MAX_COLORS];
 	fz_colorspace *colorspace;
 	fz_path *path = NULL;
 	fz_path *stroke_path = NULL;
author	Simon Bünzli <zeniko@gmail.com>	2014-01-16 22:04:51 +0100
committer	Simon Bünzli <zeniko@gmail.com>	2014-01-16 22:09:13 +0100
commit	60dabde18d7fe12b19da8b509bdfee9cc886aafc (patch)
tree	da0f1f2ace0fdd9c153e12dcf20075e2674117fa /source/xps/xps-path.c
parent	5106b010ec248bf254effcb3445a16dc7c4b015b (diff)
download	mupdf-60dabde18d7fe12b19da8b509bdfee9cc886aafc.tar.xz