poppler/GfxState.cc | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
New commits:
commit 0a243dd9d20bc16f4e83af3e2043c0253b4e4625
Author: Albert Astals Cid <aacid at kde.org>
Date: Mon Nov 2 22:21:52 2020 +0100
GfxFunctionShading::getColor: Fix buffer overrun in broken documents
Issue #979
diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index ba7763aa..eaf96dba 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -3596,19 +3596,22 @@ GfxShading *GfxFunctionShading::copy() const
void GfxFunctionShading::getColor(double x, double y, GfxColor *color) const
{
double in[2], out[gfxColorMaxComps];
- int i;
// NB: there can be one function with n outputs or n functions with
// one output each (where n = number of color components)
- for (i = 0; i < gfxColorMaxComps; ++i) {
- out[i] = 0;
+ for (double &i : out) {
+ i = 0;
}
in[0] = x;
in[1] = y;
- for (i = 0; i < getNFuncs(); ++i) {
- funcs[i]->transform(in, &out[i]);
+ for (int i = 0; i < getNFuncs(); ++i) {
+ if (likely(funcs[i]->getInputSize() <= 2)) {
+ funcs[i]->transform(in, &out[i]);
+ } else {
+ error(errSyntaxWarning, -1, "GfxFunctionShading::getColor: function with input size > 2");
+ }
}
- for (i = 0; i < gfxColorMaxComps; ++i) {
+ for (int i = 0; i < gfxColorMaxComps; ++i) {
color->c[i] = dblToCol(out[i]);
}
}