From 89c224b029357002c48660dae98de2d1e560d4e0 Mon Sep 17 00:00:00 2001 From: Ray Johnston Date: Wed, 29 May 2013 11:24:02 -0700 Subject: Fix for too many entries in an image Decode array reported by cust 532. This is an out-of spec file, but as usual, since Adobe handles it, so we do too. Allow too many by setting over_error to 0 when we load the Decode array. This required a change to dict_float_array_param so that it will load the requested number of elements (and return that count) when over_erro == 0. Also clean up the indenting and get rid of the unused decode_size variable. --- gs/psi/idparam.c | 15 +++++++++------ gs/psi/zimage.c | 23 ++++++++++++----------- 2 files changed, 21 insertions(+), 17 deletions(-) diff --git a/gs/psi/idparam.c b/gs/psi/idparam.c index ccf9b6be6..15452dc66 100644 --- a/gs/psi/idparam.c +++ b/gs/psi/idparam.c @@ -225,10 +225,11 @@ dict_ints_param(const gs_memory_t *mem, const ref * pdict, } /* Get a float array from a dictionary. */ -/* Return the element count if OK, <0 if invalid. */ -/* If the parameter is missing, then if defaultvec is NULL, return 0; */ -/* if defaultvec is not NULL, copy it into fvec (maxlen elements) */ -/* and return maxlen. */ +/* If there are more than len elements, return over_error if it is < 0 */ +/* Otherwise, load len elements. If there are less than len elements, and */ +/* under_error < 0, return the error, otherwise return the count of elements */ +/* If the parameter is not in the dict, then if defaultvec is NULL, return 0; */ +/* if defaultvec is not NULL, copy it into fvec (len elements), and return len */ int dict_float_array_check_param(const gs_memory_t *mem, const ref * pdict, const char *kstr, @@ -243,14 +244,16 @@ dict_float_array_check_param(const gs_memory_t *mem, if (defaultvec == NULL) return 0; memcpy(fvec, defaultvec, len * sizeof(float)); - return len; } + if (!r_is_array(pdval)) return_error(e_typecheck); size = r_size(pdval); - if (size > len) + if (over_error < 0 && size > len) return_error(over_error); + + size = min(size, len); /* don't process more than we have room for */ code = process_float_array(mem, pdval, size, fvec); return (code < 0 ? code : size == len || under_error >= 0 ? size : diff --git a/gs/psi/zimage.c b/gs/psi/zimage.c index 95d43d056..918e64025 100644 --- a/gs/psi/zimage.c +++ b/gs/psi/zimage.c @@ -58,7 +58,6 @@ data_image_params(const gs_memory_t *mem, bool has_alpha, bool islab) { int code; - int decode_size; ref *pds; check_type(*op, t_dictionary); @@ -92,23 +91,25 @@ data_image_params(const gs_memory_t *mem, if (islab) { /* Note that it is possible that only the ab range values are there or the lab values. I have seen both cases.... */ - code = decode_size = dict_floats_param(mem, op, "Decode", 4, - &pim->Decode[2], NULL); + code = dict_floats_param(mem, op, "Decode", 4, + &pim->Decode[2], NULL); if (code < 0) { - /* Try for all three */ - code = decode_size = dict_floats_param(mem, op, "Decode", 6, - &pim->Decode[0], NULL); + /* Try for all three pairs. Ignore more than 6 elements */ + code = dict_float_array_check_param(mem, op, "Decode", 6, + &pim->Decode[0], NULL, e_rangecheck, 0); /* over_error = 0 */ } else { /* Set the range on the L */ pim->Decode[0] = 0; pim->Decode[1] = 100.0; } - if (code < 0) return code; + if (code < 0) + return code; } else { - code = decode_size = dict_floats_param(mem, op, "Decode", - num_components * 2, - &pim->Decode[0], NULL); - if (code < 0) return code; + /* more elements than we need is OK */ + code = dict_float_array_check_param(mem, op, "Decode", 2 * num_components, + &pim->Decode[0], NULL, e_rangecheck, 0); /* over_error = 0 */ + if (code < 0) + return code; } pip->pDecode = &pim->Decode[0]; /* Extract and check the data sources. */ -- cgit v1.2.1