author | Tor Andersson <tor.andersson@artifex.com> | 2015-11-12 16:27:06 +0100 |
---|---|---|
committer | Tor Andersson <tor.andersson@artifex.com> | 2015-11-12 16:59:03 +0100 |
commit | 9d1c199af467cd1138bf07c6f66a276e26875c99 (patch) | |
tree | 9a8ad6185035655951f53e1df6a7e96cd00f6419 | |
parent | 0fa7177163f46c77f7928c520ddc3f90de4c59dc (diff) | |
download | ghostpdl-9d1c199af467cd1138bf07c6f66a276e26875c99.tar.gz |
xps: Fix buffer overflow in xps_parse_color.
-rw-r--r-- | xps/ghostxps.h | 2 | ||||
-rw-r--r-- | xps/xpsanalyze.c | 6 | ||||
-rw-r--r-- | xps/xpscolor.c | 8 | ||||
-rw-r--r-- | xps/xpsglyphs.c | 2 | ||||
-rw-r--r-- | xps/xpspath.c | 2 |
5 files changed, 14 insertions, 6 deletions
diff --git a/xps/ghostxps.h b/xps/ghostxps.h
index d9d007ffd..1f38b505c 100644
--- a/xps/ghostxps.h
+++ b/xps/ghostxps.h
@@ -279,6 +279,8 @@ void xps_debug_path(xps_context_t *ctx);
 * Colorspaces and colors.
 */
+#define XPS_MAX_COLORS 32
+
 gs_color_space *xps_read_icc_colorspace(xps_context_t *ctx, char *base_uri, char *profile);
 void xps_parse_color(xps_context_t *ctx, char *base_uri, char *hexstring, gs_color_space **csp, float *samples);
 void xps_set_color(xps_context_t *ctx, gs_color_space *colorspace, float *samples);
diff --git a/xps/xpsanalyze.c b/xps/xpsanalyze.c
index a57bada4f..e9d6794ab 100644
--- a/xps/xpsanalyze.c
+++ b/xps/xpsanalyze.c
@@ -60,7 +60,7 @@ xps_gradient_stops_have_transparency(xps_context_t *ctx, char *base_uri, xps_ite
 xps_item_t *node;
 gs_color_space *colorspace;
 char *color_att;
- float samples[32];
+ float samples[XPS_MAX_COLORS];
 for (node = xps_down(root); node; node = xps_next(node))
 {
@@ -123,7 +123,7 @@ xps_brush_has_transparency(xps_context_t *ctx, char *base_uri, xps_item_t *root)
 xps_item_t *node;
 gs_color_space *colorspace;
- float samples[32];
+ float samples[XPS_MAX_COLORS];
 if (!strcmp(xps_tag(root), "SolidColorBrush"))
 {
@@ -279,7 +279,7 @@ xps_element_has_transparency(xps_context_t *ctx, char *base_uri, xps_item_t *nod
 char *fill_att;
 gs_color_space *colorspace;
- float samples[32];
+ float samples[XPS_MAX_COLORS];
 stroke_att = xps_att(node, "Stroke");
 if (stroke_att)
diff --git a/xps/xpscolor.c b/xps/xpscolor.c
index 996043ad1..02196d374 100644
--- a/xps/xpscolor.c
+++ b/xps/xpscolor.c
@@ -133,7 +133,13 @@ xps_parse_color(xps_context_t *ctx, char *base_uri, char *string,
 *p++ = 0;
 n = count_commas(p) + 1;
+ if (n > XPS_MAX_COLORS)
+ {
+ gs_warn("too many color components; ignoring extras");
+ n = XPS_MAX_COLORS;
+ }
 i = 0;
+ /* TODO: check for buffer overflow! */
 while (i < n)
 {
 samples[i++] = atof(p);
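Review bot: `XPS_MAX_COLORS` is defined without a comment, although it now serves as the implicit size contract for the `samples` argument of `xps_parse_color`, whose prototype directly below still takes a bare `float *samples` with no length. I would state that at the definition, e.g. `/* Minimum capacity of any samples[] buffer handed to xps_parse_color; the component loop stores at most this many floats. */`. The callers touched by this commit are all sized with the macro, but the clamp in xps/xpscolor.c only protects a caller whose buffer is at least that large, so any caller outside this diff would need the same sizing.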
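Review bot: The added `/* TODO: check for buffer overflow! */` sits directly under the clamp that performs exactly that check, so the new code reads as if the write loop into `samples` were still unbounded. If nothing is outstanding the line should be dropped; if something is (the loop body continues outside this hunk, so that cannot be judged from here), the comment should name it, e.g. `/* n is clamped to XPS_MAX_COLORS above; TODO: <what remains unchecked> */`. The warning would also help someone triaging a malformed file more if it reported how many components were dropped, computed before `n` is overwritten. xps_parse_color starts and ends outside the hunk.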
@@ -228,7 +234,7 @@ xps_parse_solid_color_brush(xps_context_t *ctx, char *base_uri, xps_resource_t *
 char *opacity_att;
 char *color_att;
 gs_color_space *colorspace;
- float samples[32];
+ float samples[XPS_MAX_COLORS];
 color_att = xps_att(node, "Color");
 opacity_att = xps_att(node, "Opacity");
diff --git a/xps/xpsglyphs.c b/xps/xpsglyphs.c
index 8847e3ee2..33a0a215c 100644
--- a/xps/xpsglyphs.c
+++ b/xps/xpsglyphs.c
@@ -641,7 +641,7 @@ xps_parse_glyphs(xps_context_t *ctx,
 if (fill_att)
 {
- float samples[32];
+ float samples[XPS_MAX_COLORS];
 gs_color_space *colorspace;
 xps_parse_color(ctx, base_uri, fill_att, &colorspace, samples);
diff --git a/xps/xpspath.c b/xps/xpspath.c
index 0cb22e272..943633c8a 100644
--- a/xps/xpspath.c
+++ b/xps/xpspath.c
@@ -890,7 +890,7 @@ xps_parse_path(xps_context_t *ctx, char *base_uri, xps_resource_t *dict, xps_ite
 gs_line_join linejoin;
 float linewidth;
 float miterlimit;
- float samples[32];
+ float samples[XPS_MAX_COLORS];
 gs_color_space *colorspace;
 bool opacity_pushed = false; |