diff options
| author | Julian Smith <jules@op59.net> | 2019-11-06 11:18:55 +0000 |
|---|---|---|
| committer | Julian Smith <jules@op59.net> | 2019-11-06 12:05:55 +0000 |
| commit | ce2afc4f02617dee51f3322ae8386c4b46047c18 (patch) | |
| tree | 569265f81259bcc8fa6527d395cd4a814cc24e79 /devices/gdevlxm.c | |
| parent | 027c546e0dd11e0526f1780a7f3c2c66acffe209 (diff) | |
| download | ghostpdl-ce2afc4f02617dee51f3322ae8386c4b46047c18.tar.gz | |
Bug 701842: avoid buffer overflow in lxm5700m_print_page().
Fixes:
./sanbin/gs -dBATCH -sOutputFile=tmp -sDEVICE=lxm5700m ../bug-701842.ps
Diffstat (limited to 'devices/gdevlxm.c')
| -rw-r--r-- | devices/gdevlxm.c | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/devices/gdevlxm.c b/devices/gdevlxm.c index ec350eebe..4b0f26e9a 100644 --- a/devices/gdevlxm.c +++ b/devices/gdevlxm.c @@ -296,17 +296,26 @@ quit_ignomiously: /* and a goto into an if statement is pretty ignomious! */ sxBy8 = sx/8; sxMask = 0x80>>(sx%8); - /* loop through all the swipeHeight bits of this column */ - for (i = 0, b=1, y= sxBy8+j1*line_size; i < directorySize; i++,b<<=1) { - sum = false; - for (j=j1,c=c1 /*,y=i*16*line_size+sxBy8*/; j<16; j+=2, y+=2*line_size, c>>=2) { - f = (in[y]&sxMask); - if (f) { - words[i] |= c; - sum |= f; + /* loop through all the swipeHeight bits of this column. + + Note that <sx> looks like it can get out of range, so we + check for this here. This fixes bug 701842. + + [An alternative might be to change above code from 'maxX + = (maxX+3)&-2' to 'maxX = (maxX+1)&-2', but that might be + risky. */ + if (sx < pdev->width) { + for (i = 0, b=1, y= sxBy8+j1*line_size; i < directorySize; i++,b<<=1) { + sum = false; + for (j=j1,c=c1 /*,y=i*16*line_size+sxBy8*/; j<16; j+=2, y+=2*line_size, c>>=2) { + f = (in[y]&sxMask); + if (f) { + words[i] |= c; + sum |= f; + } } + if (!sum) directory |=b; } - if (!sum) directory |=b; } retval+=2; buffer_store(directory>>8); buffer_store(directory&0xff); |