poppler/GfxState.cc | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-)
New commits: commit 0a243dd9d20bc16f4e83af3e2043c0253b4e4625 Author: Albert Astals Cid <aa...@kde.org> Date: Mon Nov 2 22:21:52 2020 +0100 GfxFunctionShading::getColor: Fix buffer overrun in broken documents Issue #979 diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc index ba7763aa..eaf96dba 100644 --- a/poppler/GfxState.cc +++ b/poppler/GfxState.cc @@ -3596,19 +3596,22 @@ GfxShading *GfxFunctionShading::copy() const void GfxFunctionShading::getColor(double x, double y, GfxColor *color) const { double in[2], out[gfxColorMaxComps]; - int i; // NB: there can be one function with n outputs or n functions with // one output each (where n = number of color components) - for (i = 0; i < gfxColorMaxComps; ++i) { - out[i] = 0; + for (double &i : out) { + i = 0; } in[0] = x; in[1] = y; - for (i = 0; i < getNFuncs(); ++i) { - funcs[i]->transform(in, &out[i]); + for (int i = 0; i < getNFuncs(); ++i) { + if (likely(funcs[i]->getInputSize() <= 2)) { + funcs[i]->transform(in, &out[i]); + } else { + error(errSyntaxWarning, -1, "GfxFunctionShading::getColor: function with input size > 2"); + } } - for (i = 0; i < gfxColorMaxComps; ++i) { + for (int i = 0; i < gfxColorMaxComps; ++i) { color->c[i] = dblToCol(out[i]); } } _______________________________________________ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler