[poppler] utils/HtmlOutputDev.cc utils/ImageOutputDev.cc

Albert Astals Cid aacid at kemper.freedesktop.org
Mon Jul 31 12:40:56 UTC 2017 

 utils/HtmlOutputDev.cc  |    6 ++++--
 utils/ImageOutputDev.cc |    6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

New commits:
commit 75fff6556eaf0ef3a6fcdef2c2229d0b6d1c58d9
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Wed Jul 12 14:12:46 2017 +0100

    CVE-2017-9865 (fdo#100774) avoid stack buffer overflow
    
    in GfxImageColorMap:getGray
    
    by passing first arg to getGray of maximum possibly required size
    
    and similar in HtmlOutputDev::drawPngImage

diff --git a/utils/HtmlOutputDev.cc b/utils/HtmlOutputDev.cc
index 5f5dc9ff..ac80dc18 100644
--- a/utils/HtmlOutputDev.cc
+++ b/utils/HtmlOutputDev.cc
@@ -39,6 +39,7 @@
 // Copyright (C) 2013 Johannes Brandstätter <jbrandstaetter at gmail.com>
 // Copyright (C) 2014 Fabio D'Urso <fabiodurso at hotmail.it>
 // Copyright (C) 2016 Vincent Le Garrec <legarrec.vincent at gmail.com>
+// Copyright (C) 2017 Caolán McNamara <caolanm at redhat.com>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -1433,8 +1434,9 @@ void HtmlOutputDev::drawPngImage(GfxState *state, Stream *str, int width, int he
     int invert_bits = 0xff;
     if (colorMap) {
       GfxGray gray;
-      Guchar zero = 0;
-      colorMap->getGray(&zero, &gray);
+      Guchar zero[gfxColorMaxComps];
+      memset(zero, 0, sizeof(zero));
+      colorMap->getGray(zero, &gray);
       if (colToByte(gray) == 0)
         invert_bits = 0x00;
     }
diff --git a/utils/ImageOutputDev.cc b/utils/ImageOutputDev.cc
index 069d8210..f6fb35dd 100644
--- a/utils/ImageOutputDev.cc
+++ b/utils/ImageOutputDev.cc
@@ -23,6 +23,7 @@
 // Copyright (C) 2012, 2013, 2017 Adrian Johnson <ajohnson at redneon.com>
 // Copyright (C) 2013 Thomas Fischer <fischer at unix-ag.uni-kl.de>
 // Copyright (C) 2013 Hib Eris <hib at hiberis.nl>
+// Copyright (C) 2017 Caolán McNamara <caolanm at redhat.com>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -344,7 +345,7 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
   GfxRGB rgb;
   GfxCMYK cmyk;
   GfxGray gray;
-  Guchar zero = 0;
+  Guchar zero[gfxColorMaxComps];
   int invert_bits;
 
   if (writer) {
@@ -383,7 +384,8 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
   // the mask we leave the data unchanged.
   invert_bits = 0xff;
   if (colorMap) {
-    colorMap->getGray(&zero, &gray);
+    memset(zero, 0, sizeof(zero));
+    colorMap->getGray(zero, &gray);
     if (colToByte(gray) == 0)
       invert_bits = 0x00;
   }

More information about the poppler mailing list