author | Simon Bünzli <zeniko@gmail.com> | 2014-01-16 22:04:51 +0100 |
---|---|---|
committer | Simon Bünzli <zeniko@gmail.com> | 2014-01-16 22:09:13 +0100 |
commit | 60dabde18d7fe12b19da8b509bdfee9cc886aafc (patch) | |
tree | da0f1f2ace0fdd9c153e12dcf20075e2674117fa /source/xps/xps-path.c | |
parent | 5106b010ec248bf254effcb3445a16dc7c4b015b (diff) | |
download | mupdf-60dabde18d7fe12b19da8b509bdfee9cc886aafc.tar.xz |
Bug 694957: fix stack buffer overflow in xps_parse_color
xps_parse_color happily reads more than FZ_MAX_COLORS values out of a
ContextColor array which overflows the passed in samples array.
Limiting the number of allowed samples to FZ_MAX_COLORS and making sure
to use that constant for all callers fixes the problem.
Thanks to Jean-Jamil Khalifé for reporting and investigating the issue
and providing a sample exploit file.
Diffstat (limited to 'source/xps/xps-path.c')
-rw-r--r-- | source/xps/xps-path.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/source/xps/xps-path.c b/source/xps/xps-path.c index b97ee17d..ea84a815 100644 --- a/source/xps/xps-path.c +++ b/source/xps/xps-path.c @@ -826,7 +826,7 @@ xps_parse_path(xps_document *doc, const fz_matrix *ctm, char *base_uri, xps_reso fz_stroke_state *stroke = NULL; fz_matrix transform; - float samples[32]; + float samples[FZ_MAX_COLORS]; fz_colorspace *colorspace; fz_path *path = NULL; fz_path *stroke_path = NULL; |
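Review bot: this hunk only resizes the caller's buffer in xps_parse_path; whether the overflow is actually closed depends on xps_parse_color now refusing to write more than FZ_MAX_COLORS samples, and that change is not visible here because the view is limited to source/xps/xps-path.c, so it should be confirmed alongside this one. If FZ_MAX_COLORS happens to equal 32, `float samples[FZ_MAX_COLORS];` changes nothing at runtime on its own and the protection rests entirely on the bound check on the parsing side. To stop the buffer size and the parser's limit from drifting apart again, consider passing the buffer's capacity (for example `sizeof(samples) / sizeof(samples[0])`) into xps_parse_color rather than relying on every caller and the parser agreeing on the same constant.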