unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
blob 370af5ade63950b8917026a7fb93e4d978de0808 955 bytes (raw)
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

 
Fix CVE-2016-6525 (heap overflow in pdf_load_mesh_params()).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525
https://security-tracker.debian.org/tracker/CVE-2016-6525

Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e

diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c
index 7815b3c..6e25efa 100644
--- a/source/pdf/pdf-shade.c
+++ b/source/pdf/pdf-shade.c
@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, fz_shade *shade, pdf_ob
 	obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode);
 	if (pdf_array_len(ctx, obj) >= 6)
 	{
-		n = (pdf_array_len(ctx, obj) - 4) / 2;
+		n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2);
 		shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0));
 		shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1));
 		shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));

debug log:

solving 370af5ade ...
found 370af5ade in https://git.savannah.gnu.org/cgit/guix.git

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).