From 2d990b065c228802b3913602b4309165e42c08e9 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 1 Oct 2019 10:35:48 +0100
Subject: Fix memory corruption setting a halftone

When setting a new halftone in the graphics state, we try to re-use the data
from the existing device halftone.

The problem is that the device halftone can have higher component indices than
there are components in the new halftone we are creating. In this case, we can
end up writing off the end of the components array for the new halftone
structure.

Simply check that the new halftone has enough components before doing the
duplication.
---
 base/gsht.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'base/gsht.c')

diff --git a/base/gsht.c b/base/gsht.c
index bced3730d..df20e8432 100644
--- a/base/gsht.c
+++ b/base/gsht.c
@@ -985,7 +985,8 @@ gx_gstate_dev_ht_install(
             gx_ht_order *           p_s_order = &p_s_comp->corder;
             int                     comp_num = p_s_comp->comp_number;
 
-            if (comp_num >= 0 && comp_num < GX_DEVICE_COLOR_MAX_COMPONENTS) {
+            if (comp_num >= 0 && comp_num < GX_DEVICE_COLOR_MAX_COMPONENTS &&
+                comp_num < dht.num_comp) {
                 gx_ht_order *   p_d_order = &dht.components[comp_num].corder;
 
                 /* indicate that this order has been filled in */
-- 
cgit v1.2.1