Commit 174650af authored by Albert Astals Cid's avatar Albert Astals Cid

fix xpdf buffer overflow

By Dirk Mueller

svn path=/branches/kpdf_experiments/kdegraphics/kpdf/; revision=372821
parent 16908b2f
......@@ -2150,7 +2150,7 @@ void Gfx::opSetFont(Object args[], int /*numArgs*/) {
if (printCommands) {
printf(" font: tag=%s name='%s' %g\n",
font->getTag()->getCString(),
font->getName() ? font->getName()->getCString() : "\?\?\?",
font->getName() ? font->getName()->getCString() : "???",
args[1].getNum());
fflush(stdout);
}
......@@ -2371,7 +2371,7 @@ void Gfx::doShowText(GString *s) {
state->transform(curX + riseX, curY + riseY, &x, &y);
saveState();
state->setCTM(newCTM[0], newCTM[1], newCTM[2], newCTM[3], x, y);
//~ out->updateCTM(\?\?\?)
//~ out->updateCTM(???)
if (!out->beginType3Char(state, curX + riseX, curY + riseY, tdx, tdy,
code, u, uLen)) {
((Gfx8BitFont *)font)->getCharProc(code, &charProc);
......@@ -2654,7 +2654,9 @@ void Gfx::doImage(Object *ref, Stream *str, GBool inlineImg) {
haveMask = gFalse;
dict->lookup("Mask", &maskObj);
if (maskObj.isArray()) {
for (i = 0; i < maskObj.arrayGetLength(); ++i) {
for (i = 0;
i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps;
++i) {
maskObj.arrayGet(i, &obj1);
maskColors[i] = obj1.getInt();
obj1.free();
......
......@@ -708,6 +708,11 @@ GfxColorSpace *GfxICCBasedColorSpace::parse(Array *arr) {
}
nCompsA = obj2.getInt();
obj2.free();
if (nCompsA > gfxColorMaxComps) {
error(-1, "ICCBased color space with too many (%d > %d) components",
nCompsA, gfxColorMaxComps);
nCompsA = gfxColorMaxComps;
}
if (dict->lookup("Alternate", &obj2)->isNull() ||
!(altA = GfxColorSpace::parse(&obj2))) {
switch (nCompsA) {
......@@ -1054,7 +1059,7 @@ GfxColorSpace *GfxDeviceNColorSpace::parse(Array *arr) {
}
nCompsA = obj1.arrayGetLength();
if (nCompsA > gfxColorMaxComps) {
error(-1, "DeviceN color space with more than %d > %d components",
error(-1, "DeviceN color space with too many (%d > %d) components",
nCompsA, gfxColorMaxComps);
nCompsA = gfxColorMaxComps;
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment