[gs-bugs] [Bug 692917] New: Buffer overrun
bugzilla-daemon at ghostscript.com
Tue Mar 13 15:23:47 UTC 2012
http://bugs.ghostscript.com/show_bug.cgi?id=692917
Summary: Buffer overrun
Product: MuPDF
Version: unspecified
Platform: PC
OS/Version: All
Status: NEW
Severity: normal
Priority: P4
Component: fitz
AssignedTo: tor.andersson at artifex.com
ReportedBy: marcos.woehrmann at artifex.com
QAContact: gs-bugs at ghostscript.com
The customer reports:
I believe I have found a potential buffer overrun error. If a PDF has more
than 32 elements in the dashes array, dash_len will be greater than 32, causing
the loop to index past the 32 elements allocated in the stroke state type. For
dash arrays less than 32 the loop does extra work but fz_array_get somewhat
safely returns 0 when requesting an out-of-range index.
    else if (!strcmp(s, "D"))
    {
        if (fz_is_array(val) && fz_array_len(val) == 2)
        {
            fz_obj *dashes = fz_array_get(val, 0);
            gstate->stroke_state.dash_len = MAX(fz_array_len(dashes), 32);
            for (k = 0; k < gstate->stroke_state.dash_len; k++)
                gstate->stroke_state.dash_list[k] =
                    fz_to_real(fz_array_get(dashes, k));
            gstate->stroke_state.dash_phase =
                fz_to_real(fz_array_get(val, 1));
        }
        else
            return fz_throw("malformed /D");
    }
I believe the fix should be:
    gstate->stroke_state.dash_len = MIN(fz_array_len(dashes), 32);
I should also mention that dash_len is also assigned in
pdf_interpret.c::pdf_run_d() by the following:
    gstate->stroke_state.dash_len = MIN(fz_array_len(array),
                                        nelem(gstate->stroke_state.dash_list));
So instead of hard coding “32” below, a better fix would be:
    gstate->stroke_state.dash_len = MIN(fz_array_len(dashes),
                                        nelem(gstate->stroke_state.dash_list));
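The clamp the report proposes, as an added stand-alone example (not MuPDF code): a stand-in stroke state with a fixed 32-entry dash table, a setter that bounds the copy with MIN against nelem(), and an arithmetic check showing how far the original MAX() bound would have run past the table for a given array length. The struct, function names and sample arrays are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the stroke state described in the report:
 * a fixed table of 32 dash entries plus a count and a phase. */
#define nelem(x) (sizeof(x) / sizeof((x)[0]))
#define MIN(a, b) ((a) < (b) ? (a) : (b))

typedef struct {
    float dash_list[32];
    int dash_len;
    float dash_phase;
} stroke_state;

/* The proposed fix: bound the copy by the table size rather than by the
 * array length. Entries beyond the table are dropped, never written past
 * the end of dash_list. Returns the number of entries actually copied. */
int set_dashes(stroke_state *st, const float *dashes, size_t n, float phase)
{
    size_t i;
    st->dash_len = (int)MIN(n, nelem(st->dash_list));
    for (i = 0; i < (size_t)st->dash_len; i++)
        st->dash_list[i] = dashes[i];
    st->dash_phase = phase;
    return st->dash_len;
}

/* Arithmetic view of the original bug: MAX(n, 32) was used as the loop
 * bound, so for n > 32 the loop would index n - 32 slots beyond the table.
 * This touches no memory; it only reports how many writes would land
 * out of bounds under the old expression. */
size_t overrun_with_max(size_t n)
{
    size_t bound = n > 32 ? n : 32;   /* MAX(n, 32) */
    return bound > 32 ? bound - 32 : 0;
}

int main(void)
{
    float big[40];                    /* constructed 40-element dash array */
    stroke_state st;
    size_t i;
    for (i = 0; i < nelem(big); i++)
        big[i] = (float)i;
    printf("copied %d of %zu entries; MAX() would overrun by %zu\n",
           set_dashes(&st, big, nelem(big), 0.0f),
           nelem(big), overrun_with_max(nelem(big)));
    return 0;
}
```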