diff options
| author | Ken Sharp <ken.sharp@artifex.com> | 2023-04-26 12:00:44 +0100 |
|---|---|---|
| committer | Ken Sharp <ken.sharp@artifex.com> | 2023-04-26 12:00:44 +0100 |
| commit | 2df04707b7ef7c63c56afb03afe2fe4e21929f6e (patch) | |
| tree | ce915533489171dd8df7d5afe9e4c0829f0ae4b9 | |
| parent | 3780f5d7c4e2f4a84d54b47d9555060301985e5f (diff) | |
| download | ghostpdl-2df04707b7ef7c63c56afb03afe2fe4e21929f6e.tar.gz | |
Graphics library - check DeviceN params before use
OSS-fuzz #58341
The problem is that a Pattern PaintProc uses another Pattern; the
initial Pattern dictionary does not use transparency, and does not
declare the use of the child pattern, that is used by name and found in
the /Page /Resources dictionary. The child Pattern uses transparency.
There's basically no way for us to tell that the initial pattern should
push the pdf14 device, so we don't. Later on when we do push the device
for the child pattern we try to copy the DeviceN parameters, but the
device we are pointing at is the pattern accumulator, which doesn't
store the DeviceN parameters and can't return them, so it returns NULL.
We then try to dereference the NULL pointer.
Obviously this is only a problem when trying to use a DeviceN device,
in this case the psdcmyk device.
To fix this 'properly' we would either need to push the pdf14 device for
every pattern or have the pattern accumulator copy, store and return the
DeviceN parameters when requested.
For now I've chosen just to avoid the crash because this isn't really
my field and I'm wary about making extensive changes. If anyone ever
comes up with a real PDF file where this causes problems we'll address
it then.
Note that the PDF file is already contravening the spec which says that
the /Resources dictionary is *required* for Patterns (at least if the
Pattern uses any named resources).
| -rw-r--r-- | base/gdevdevn.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/base/gdevdevn.c b/base/gdevdevn.c index 315a01ec5..1cdc909db 100644 --- a/base/gdevdevn.c +++ b/base/gdevdevn.c @@ -704,6 +704,9 @@ devn_copy_params(gx_device * psrcdev, gx_device * pdesdev) /* Get pointers to the parameters */ src_devn_params = dev_proc(psrcdev, ret_devn_params)(psrcdev); des_devn_params = dev_proc(pdesdev, ret_devn_params)(pdesdev); + if (src_devn_params == NULL || des_devn_params == NULL) + return gs_note_error(gs_error_undefined); + /* First the easy items */ des_devn_params->bitspercomponent = src_devn_params->bitspercomponent; des_devn_params->max_separations = src_devn_params->max_separations; |