authorRobin Watts <Robin.Watts@artifex.com>2023-01-10 14:56:02 +0000
committerRobin Watts <Robin.Watts@artifex.com>2023-01-10 14:56:02 +0000
commitde989373224e6364a37270a7721ef9965b54e88c (patch)
tree765919d2b3eda24a0d95a2cde34913ebb0185578 /gpdl
parente8925e612e9028cb9af91c31a06d76807d87379e (diff)
Bug 706270: Avoid palette access overrun in gpdl tiff handler.
Diffstat (limited to 'gpdl')
-rw-r--r--gpdl/tifftop.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/gpdl/tifftop.c b/gpdl/tifftop.c
index 2ec3138e1..7aa6ce731 100644
--- a/gpdl/tifftop.c
+++ b/gpdl/tifftop.c
@@ -765,15 +765,20 @@ do_impl_process(pl_interp_implementation_t * impl, stream_cursor_read * pr, int
code = gs_error_unknownerror;
goto fail_decode;
}
+ if (tiff->bpc > 8) {
+ code = gs_error_unknownerror;
+ goto fail_decode;
+ }
if (!TIFFGetField(tiff->handle, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
code = gs_error_unknownerror;
goto fail_decode;
}
- tiff->palette = gs_alloc_bytes(tiff->memory, 3*n, "palette");
+ tiff->palette = gs_alloc_bytes(tiff->memory, 3*256, "palette");
if (tiff->palette == NULL) {
code = gs_error_unknownerror;
goto fail_decode;
}
+ memset(tiff->palette, 0, 3 * 256);
if (guess_pal_depth(n, rmap, gmap, bmap) == 8) {
for (i=0; i < n; i++) {
tiff->palette[3*i+0] = rmap[i];
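Review bot: The allocation size `3*256` and the `memset` length `3 * 256` are bare literals whose safety depends on the new `tiff->bpc > 8` guard above them, and nothing in the code records that link, so a later edit to the guard or to one of the literals could reopen the overrun unnoticed. I would put a comment above the allocation, for example `/* Fixed 256-entry palette: bpc <= 8 is enforced above; entries >= n stay zero. */`, and use one named constant for both sizes. The guard only sets an upper bound, and `n` is computed outside the hunk, so it is worth confirming there that a `bpc` of 0 or another unexpected depth cannot reach the `rmap[i]` reads in the copy loop. Returning `gs_error_rangecheck` for the unsupported depth would also let callers tell this rejection apart from the other `gs_error_unknownerror` paths. The body of do_impl_process and the copy loop both continue past the end of the hunk.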