authorKen Sharp <ken.sharp@artifex.com>2022-05-24 13:04:35 +0100
committerKen Sharp <ken.sharp@artifex.com>2022-05-24 13:05:35 +0100
commit136824c8ec37160da9b956511305c0f4bc6a3338 (patch)
treefdbf57ab60388e854eeb386341ae4e99c8b76653 /xps
parentb6b0c04a2f0ff1011e37935c4200dce468439ee0 (diff)
GhostXPS - check a colour has enough data before use.
Bug #705333 "Uninitialized read in xps_parse_color" The code was assuming that if there was too little data for a 4 component colour then it must be a three component colour, but didn't check to see there was enough to satisfy that. Check the data, and if there is insufficient, then ignore the colour (warn in a debug build). We can't return an error as this is a void function.
Diffstat (limited to 'xps')
-rw-r--r--xps/xpscolor.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/xps/xpscolor.c b/xps/xpscolor.c
index 7f39c1b35..a64fcaaca 100644
--- a/xps/xpscolor.c
+++ b/xps/xpscolor.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2021 Artifex Software, Inc.
+/* Copyright (C) 2001-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -93,6 +93,10 @@ xps_parse_color(xps_context_t *ctx, char *base_uri, char *string,
}
else
{
+ if (strlen(string) < 7) {
+ gs_warn1("Colour specification '%s' is invalid (wrong length)", string);
+ return;
+ }
samples[0] = 255.0;
samples[1] = (float)(unhex(string[1]) * 16 + unhex(string[2]));
samples[2] = (float)(unhex(string[3]) * 16 + unhex(string[4]));
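Review bot: The guard `strlen(string) < 7` rejects only strings that are too short, so an 8-character string (and, depending on the test in the preceding branch, which is outside the hunk, anything longer than 9) still takes the three-component path with its trailing characters silently ignored, even though the warning says "wrong length". If only `#RRGGBB` is meant to be accepted here, `if (strlen(string) != 7)` would match the message; otherwise a comment such as `/* '#' plus six hex digits; longer strings are read as RGB and the excess is ignored */` would record the intent. The early return also leaves `samples` unwritten on this path and a void function cannot signal that, so it is worth confirming that defaults are assigned before this branch or that callers never read the values after a rejected colour. The body of xps_parse_color begins and ends outside the hunk, so the reads of `string[5]` and `string[6]` that the bound of 7 is presumably sized for are not visible here.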