Bug 694957: fix stack buffer overflow in xps_parse_color

xps_parse_color happily reads more than FZ_MAX_COLORS values out of a
ContextColor array which overflows the passed in samples array.
Limiting the number of allowed samples to FZ_MAX_COLORS and make sure
to use that constant for all callers fixes the problem.

Thanks to Jean-Jamil Khalifé for reporting and investigating the issue
and providing a sample exploit file.

4 files changed, 17 insertions, 11 deletions

diff --git a/source/xps/xps-common.c b/source/xps/xps-common.c
index b780f428..32a30baa 100644
--- a/source/xps/xps-common.c
+++ b/source/xps/xps-common.c
@@ -89,7 +89,7 @@ xps_begin_opacity(xps_document *doc, const fz_matrix *ctm, const fz_rect *area,
 		if (scb_color_att)
 		{
 			fz_colorspace *colorspace;
-			float samples[32];
+			float samples[FZ_MAX_COLORS];
 			xps_parse_color(doc, base_uri, scb_color_att, &colorspace, samples);
 			opacity = opacity * samples[0];
 		}
@@ -208,12 +208,13 @@ void
 xps_parse_color(xps_document *doc, char *base_uri, char *string,
 		fz_colorspace **csp, float *samples)
 {
+	fz_context *ctx = doc->ctx;
 	char *p;
 	int i, n;
 	char buf[1024];
 	char *profile;
 
-	*csp = fz_device_rgb(doc->ctx);
+	*csp = fz_device_rgb(ctx);
 
 	samples[0] = 1;
 	samples[1] = 0;
@@ -259,7 +260,7 @@ xps_parse_color(xps_document *doc, char *base_uri, char *string,
 		profile = strchr(buf, ' ');
 		if (!profile)
 		{
-			fz_warn(doc->ctx, "cannot find icc profile uri in '%s'", string);
+			fz_warn(ctx, "cannot find icc profile uri in '%s'", string);
 			return;
 		}
 
@@ -267,12 +268,17 @@ xps_parse_color(xps_document *doc, char *base_uri, char *string,
 		p = strchr(profile, ' ');
 		if (!p)
 		{
-			fz_warn(doc->ctx, "cannot find component values in '%s'", profile);
+			fz_warn(ctx, "cannot find component values in '%s'", profile);
 			return;
 		}
 
 		*p++ = 0;
 		n = count_commas(p) + 1;
+		if (n > FZ_MAX_COLORS)
+		{
+			fz_warn(ctx, "ignoring %d color components (max %d allowed)", n - FZ_MAX_COLORS, FZ_MAX_COLORS);
+			n = FZ_MAX_COLORS;
+		}
 		i = 0;
 		while (i < n)
 		{
@@ -292,10 +298,10 @@ xps_parse_color(xps_document *doc, char *base_uri, char *string,
 		/* TODO: load ICC profile */
 		switch (n)
 		{
-		case 2: *csp = fz_device_gray(doc->ctx); break;
-		case 4: *csp = fz_device_rgb(doc->ctx); break;
-		case 5: *csp = fz_device_cmyk(doc->ctx); break;
-		default: *csp = fz_device_gray(doc->ctx); break;
+		case 2: *csp = fz_device_gray(ctx); break;
+		case 4: *csp = fz_device_rgb(ctx); break;
+		case 5: *csp = fz_device_cmyk(ctx); break;
+		default: *csp = fz_device_gray(ctx); break;
 		}
 	}
 }
diff --git a/source/xps/xps-glyphs.c b/source/xps/xps-glyphs.c
index b26e18dc..e621257e 100644
--- a/source/xps/xps-glyphs.c
+++ b/source/xps/xps-glyphs.c
@@ -590,7 +590,7 @@ xps_parse_glyphs(xps_document *doc, const fz_matrix *ctm,
 
 	if (fill_att)
 	{
-		float samples[32];
+		float samples[FZ_MAX_COLORS];
 		fz_colorspace *colorspace;
 
 		xps_parse_color(doc, base_uri, fill_att, &colorspace, samples);
diff --git a/source/xps/xps-gradient.c b/source/xps/xps-gradient.c
index 7d03f89d..76188e91 100644
--- a/source/xps/xps-gradient.c
+++ b/source/xps/xps-gradient.c
@@ -39,7 +39,7 @@ xps_parse_gradient_stops(xps_document *doc, char *base_uri, fz_xml *node,
 	struct stop *stops, int maxcount)
 {
 	fz_colorspace *colorspace;
-	float sample[8];
+	float sample[FZ_MAX_COLORS];
 	float rgb[3];
 	int before, after;
 	int count;
diff --git a/source/xps/xps-path.c b/source/xps/xps-path.c
index b97ee17d..ea84a815 100644
--- a/source/xps/xps-path.c
+++ b/source/xps/xps-path.c
@@ -826,7 +826,7 @@ xps_parse_path(xps_document *doc, const fz_matrix *ctm, char *base_uri, xps_reso
 
 	fz_stroke_state *stroke = NULL;
 	fz_matrix transform;
-	float samples[32];
+	float samples[FZ_MAX_COLORS];
 	fz_colorspace *colorspace;
 	fz_path *path = NULL;
 	fz_path *stroke_path = NULL;