author | Ken Sharp <ken.sharp@artifex.com> | 2022-05-24 13:04:35 +0100 |
---|---|---|
committer | Ken Sharp <ken.sharp@artifex.com> | 2022-05-24 13:05:35 +0100 |
commit | 136824c8ec37160da9b956511305c0f4bc6a3338 (patch) | |
tree | fdbf57ab60388e854eeb386341ae4e99c8b76653 /xps | |
parent | b6b0c04a2f0ff1011e37935c4200dce468439ee0 (diff) | |
download | ghostpdl-136824c8ec37160da9b956511305c0f4bc6a3338.tar.gz |
GhostXPS - check a colour has enough data before use.

Bug #705333 "Uninitialized read in xps_parse_color"

The code was assuming that if there was too little data for a 4
component colour then it must be a three component colour, but didn't
check to see there was enough to satisfy that.

Check the data, and if there is insufficient, then ignore the colour
(warn in a debug build). We can't return an error as this is a void
function.
Diffstat (limited to 'xps')
-rw-r--r-- | xps/xpscolor.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/xps/xpscolor.c b/xps/xpscolor.c index 7f39c1b35..a64fcaaca 100644 --- a/xps/xpscolor.c +++ b/xps/xpscolor.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2001-2021 Artifex Software, Inc. +/* Copyright (C) 2001-2022 Artifex Software, Inc. All Rights Reserved. This software is provided AS-IS with no warranty, either express or @@ -93,6 +93,10 @@ xps_parse_color(xps_context_t *ctx, char *base_uri, char *string, } else { + if (strlen(string) < 7) { + gs_warn1("Colour specification '%s' is invalid (wrong length)", string); + return; + } samples[0] = 255.0; samples[1] = (float)(unhex(string[1]) * 16 + unhex(string[2])); samples[2] = (float)(unhex(string[3]) * 16 + unhex(string[4])); |
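Review bot: The early `return;` in the new `strlen(string) < 7` check in xps_parse_color exits before any of the `samples[...]` assignments that follow it, so on this path the samples are never written, and because the function is void (as the commit message notes) the caller has no way to tell that the colour was ignored. If a caller reads the samples afterwards without having initialised them itself, the uninitialised read moves from the string to the output array. Consider writing a defined default into samples before returning, or confirm that every caller pre-initialises them. Separately, the literal 7 is unexplained: a one-line comment stating the string form this branch expects would make the bound easy to check against the indexing below it, which relies on the length test alone to stay in bounds. The copyright-year hunk needs no comment.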