[poppler] 2 commits - poppler/Gfx.cc poppler/GfxState.cc

Albert Astals Cid aacid at kemper.freedesktop.org
Sun Apr 29 12:54:05 PDT 2012 

 poppler/Gfx.cc      |   10 ++++++----
 poppler/GfxState.cc |   13 ++++++++++---
 2 files changed, 16 insertions(+), 7 deletions(-)

New commits:
commit da8d858c4fc610718a5f14b14dc3a4a11564a73d
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sun Apr 29 20:28:37 2012 +0200

    Do not access args[-1]
    
    Found in a fuzzed pdf sent by Mateusz "j00ru" Jurczyk and Gynvael Coldwind

diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 7c0c88b..827bbed 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -14,7 +14,7 @@
 // under GPL version 2 or later
 //
 // Copyright (C) 2005 Jonathan Blandford <jrb at redhat.com>
-// Copyright (C) 2005-2011 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2005-2012 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2006 Thorkild Stray <thorkild at ifi.uio.no>
 // Copyright (C) 2006 Kristian Høgsberg <krh at redhat.com>
 // Copyright (C) 2006-2011 Carlos Garcia Campos <carlosgc at gnome.org>
@@ -1621,9 +1621,11 @@ void Gfx::opSetFillColorN(Object args[], int numArgs) {
       state->setFillColor(&color);
       out->updateFillColor(state);
     }
-    if (args[numArgs-1].isName() &&
-	(pattern = res->lookupPattern(args[numArgs-1].getName(), this))) {
-      state->setFillPattern(pattern);
+    if (numArgs > 0) {
+      if (args[numArgs-1].isName() &&
+	  (pattern = res->lookupPattern(args[numArgs-1].getName(), this))) {
+        state->setFillPattern(pattern);
+      }
     }
 
   } else {
commit 934b1a7cd502fe5537a350cdfc650989992693f7
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sun Apr 29 19:59:15 2012 +0200

    Do not access invalid lookup indexes
    
    Found by Mateusz "j00ru" Jurczyk and Gynvael Coldwind

diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index 2fb61eb..5962fcb 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -2010,9 +2010,16 @@ GfxColor *GfxIndexedColorSpace::mapColorToBase(GfxColor *color,
 
   n = base->getNComps();
   base->getDefaultRanges(low, range, indexHigh);
-  p = &lookup[(int)(colToDbl(color->c[0]) + 0.5) * n];
-  for (i = 0; i < n; ++i) {
-    baseColor->c[i] = dblToCol(low[i] + (p[i] / 255.0) * range[i]);
+  const int idx = (int)(colToDbl(color->c[0]) + 0.5) * n;
+  if (likely(idx + n < (indexHigh + 1) * base->getNComps())) {
+    p = &lookup[idx];
+    for (i = 0; i < n; ++i) {
+      baseColor->c[i] = dblToCol(low[i] + (p[i] / 255.0) * range[i]);
+    }
+  } else {
+    for (i = 0; i < n; ++i) {
+      baseColor->c[i] = 0;
+    }
   }
   return baseColor;
 }

More information about the poppler mailing list