From 60dabde18d7fe12b19da8b509bdfee9cc886aafc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20B=C3=BCnzli?=
Date: Thu, 16 Jan 2014 22:04:51 +0100
Subject: Bug 694957: fix stack buffer overflow in xps_parse_color
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

xps_parse_color happily reads more than FZ_MAX_COLORS values out of a ContextColor array which overflows the passed in samples array. Limiting the number of allowed samples to FZ_MAX_COLORS and make sure to use that constant for all callers fixes the problem. Thanks to Jean-Jamil Khalifé for reporting and investigating the issue and providing a sample exploit file.
---
 source/xps/xps-path.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source/xps/xps-path.c')

diff --git a/source/xps/xps-path.c b/source/xps/xps-path.c
index b97ee17d..ea84a815 100644
--- a/source/xps/xps-path.c
+++ b/source/xps/xps-path.c
@@ -826,7 +826,7 @@ xps_parse_path(xps_document *doc, const fz_matrix *ctm, char *base_uri, xps_reso
 	fz_stroke_state *stroke = NULL;
 	fz_matrix transform;
-	float samples[32];
+	float samples[FZ_MAX_COLORS];
 	fz_colorspace *colorspace;
 	fz_path *path = NULL;
 	fz_path *stroke_path = NULL;
-- 
cgit v1.2.3
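Review bot: Resizing `samples` to FZ_MAX_COLORS does not by itself bound the writes into it; the array is still filled by xps_parse_color, and the check that rejects ContextColor arrays with more than FZ_MAX_COLORS values is not part of this hunk (the page is limited to xps-path.c), so the fix is only complete if that callee enforces the same constant and every other caller's buffer is declared with it, as the commit message describes. Nothing in this hunk documents that coupling, and a later edit that changes one side without the other would silently reopen the overflow. A short comment at the declaration would pin the contract for the next reader, e.g. `float samples[FZ_MAX_COLORS]; /* must match the bound enforced by xps_parse_color */`. xps_parse_path starts and ends outside the hunk, so whether `samples` is used elsewhere in the function with a different bound cannot be confirmed from here.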