utils/HtmlOutputDev.cc | 6 ++++-- utils/ImageOutputDev.cc | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-)
New commits: commit 75fff6556eaf0ef3a6fcdef2c2229d0b6d1c58d9 Author: Caolán McNamara <[email protected]> Date: Wed Jul 12 14:12:46 2017 +0100 CVE-2017-9865 (fdo#100774) avoid stack buffer overflow in GfxImageColorMap:getGray by passing first arg to getGray of maximum possibly required size and similar in HtmlOutputDev::drawPngImage diff --git a/utils/HtmlOutputDev.cc b/utils/HtmlOutputDev.cc index 5f5dc9ff..ac80dc18 100644 --- a/utils/HtmlOutputDev.cc +++ b/utils/HtmlOutputDev.cc @@ -39,6 +39,7 @@ // Copyright (C) 2013 Johannes Brandstätter <[email protected]> // Copyright (C) 2014 Fabio D'Urso <[email protected]> // Copyright (C) 2016 Vincent Le Garrec <[email protected]> +// Copyright (C) 2017 Caolán McNamara <[email protected]> // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -1433,8 +1434,9 @@ void HtmlOutputDev::drawPngImage(GfxState *state, Stream *str, int width, int he int invert_bits = 0xff; if (colorMap) { GfxGray gray; - Guchar zero = 0; - colorMap->getGray(&zero, &gray); + Guchar zero[gfxColorMaxComps]; + memset(zero, 0, sizeof(zero)); + colorMap->getGray(zero, &gray); if (colToByte(gray) == 0) invert_bits = 0x00; } diff --git a/utils/ImageOutputDev.cc b/utils/ImageOutputDev.cc index 069d8210..f6fb35dd 100644 --- a/utils/ImageOutputDev.cc +++ b/utils/ImageOutputDev.cc @@ -23,6 +23,7 @@ // Copyright (C) 2012, 2013, 2017 Adrian Johnson <[email protected]> // Copyright (C) 2013 Thomas Fischer <[email protected]> // Copyright (C) 2013 Hib Eris <[email protected]> +// Copyright (C) 2017 Caolán McNamara <[email protected]> // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -344,7 +345,7 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const GfxRGB rgb; GfxCMYK cmyk; GfxGray gray; - Guchar zero = 0; + Guchar zero[gfxColorMaxComps]; int invert_bits; if (writer) { @@ -383,7 +384,8 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const // the mask we leave the data unchanged. invert_bits = 0xff; if (colorMap) { - colorMap->getGray(&zero, &gray); + memset(zero, 0, sizeof(zero)); + colorMap->getGray(zero, &gray); if (colToByte(gray) == 0) invert_bits = 0x00; }
_______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
