From 4b7929c79941d2835bac62e7a80d14e297db6c12 Mon Sep 17 00:00:00 2001 From: Sebastian Rasmussen Date: Wed, 18 Jul 2012 22:26:03 +0200 Subject: Clamp number of pdf function inputs/outputs Previously a pdf function having too many inputs or outputs would cause and exception, now they will be handled silently. There are two places pdf functions are used: for shadings and for colorspace tint transforms. In both cases the number of inputs/outputs may never be more than the number of components, i.e. limited to MAXN. Additionally the number of inputs/outputs may never be less than than the number of components, and there is always at least one component. --- pdf/pdf_function.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/pdf/pdf_function.c b/pdf/pdf_function.c index 8290f291..2152ae05 100644 --- a/pdf/pdf_function.c +++ b/pdf/pdf_function.c @@ -1392,7 +1392,7 @@ pdf_load_function(pdf_document *xref, pdf_obj *dict) /* required for all */ obj = pdf_dict_gets(dict, "Domain"); - func->m = pdf_array_len(obj) / 2; + func->m = fz_clampi(pdf_array_len(obj) / 2, 1, MAXN); for (i = 0; i < func->m; i++) { func->domain[i][0] = pdf_to_real(pdf_array_get(obj, i * 2 + 0)); @@ -1404,7 +1404,7 @@ pdf_load_function(pdf_document *xref, pdf_obj *dict) if (pdf_is_array(obj)) { func->has_range = 1; - func->n = pdf_array_len(obj) / 2; + func->n = fz_clampi(pdf_array_len(obj) / 2, 1, MAXN); for (i = 0; i < func->n; i++) { func->range[i][0] = pdf_to_real(pdf_array_get(obj, i * 2 + 0)); @@ -1417,12 +1417,6 @@ pdf_load_function(pdf_document *xref, pdf_obj *dict) func->n = 0; } - if (func->m >= MAXM || func->n >= MAXN) - { - fz_free(ctx, func); - fz_throw(ctx, "assert: /Domain or /Range too big"); - } - fz_try(ctx) { switch(func->type) -- cgit v1.2.3