author | Ken Sharp <ken.sharp@artifex.com> | 2022-08-30 09:31:10 +0100 |
---|---|---|
committer | Chris Liddell <chris.liddell@artifex.com> | 2022-09-02 15:59:07 +0100 |
commit | df4c63dc7001243ba469277001f98ac8cc82e184 (patch) | |
tree | 7319ec3fa73618a2706411407a31b8f9950b22bc | |
parent | 23cf50e0edf8012166677c61342bfae2fe3abff8 (diff) | |
download | ghostpdl-df4c63dc7001243ba469277001f98ac8cc82e184.tar.gz |
GhostPDF - Only get the required number of Range values for a ColorSpace

Bug #705828 "stack-overflow in /targets/ghostscript/foo/./pdf/pdf_colour.c:2236 pdfi_create_colorspace_by_array"

The code was reading all the entries in a Range array into a stack
array. But we hadn't validated the maximum number in the array so we
could overrun. Limit the copy to the maximum number required by the
'N' value (which is validated).
-rw-r--r-- | pdf/pdf_colour.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/pdf/pdf_colour.c b/pdf/pdf_colour.c index 241166c29..0fad43a62 100644 --- a/pdf/pdf_colour.c +++ b/pdf/pdf_colour.c @@ -1069,7 +1069,7 @@ static int pdfi_create_iccbased(pdf_context *ctx, pdf_array *color_array, int in int i; if (pdfi_array_size(a) >= N * 2) { - for (i = 0; i < pdfi_array_size(a);i++) { + for (i = 0; i < N * 2;i++) { code = pdfi_array_get_number(ctx, a, i, &dbl); if (code < 0) { known = false; |
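Review bot: The new loop bound "i < N * 2" in pdfi_create_iccbased is only safe if N has already been capped to what the destination stack array can hold, and neither that validation nor the array's declaration is visible in this hunk. The commit message says N is validated, so a short comment above the loop naming where that happens, or a bound that also checks i against the destination array's element count, would make the invariant checkable at the point of the copy and keep it from regressing if the N check moves. The enclosing test "pdfi_array_size(a) >= N * 2" still admits a Range array longer than N * 2, whose extra entries are now silently ignored; if that is the intended handling of an over-long Range, say so in the comment. Since N * 2 now appears in both the condition and the loop, hoisting it into a local would keep the two from drifting apart.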