[gs-cvs] rev 8520 - trunk/gs/src
giles at ghostscript.com
giles at ghostscript.com
Fri Feb 8 18:30:31 PST 2008
Author: giles
Date: 2008-02-08 18:30:31 -0800 (Fri, 08 Feb 2008)
New Revision: 8520
Modified:
trunk/gs/src/zicc.c
Log:
Clamp the number components read from the ICC DataSource array to the
number actually allocated to avoid buffer overflow. CESA-2008-001.
Modified: trunk/gs/src/zicc.c
===================================================================
--- trunk/gs/src/zicc.c 2008-02-09 00:55:38 UTC (rev 8519)
+++ trunk/gs/src/zicc.c 2008-02-09 02:30:31 UTC (rev 8520)
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2006 Artifex Software, Inc.
+/* Copyright (C) 2001-2008 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -77,6 +77,9 @@
dict_find_string(op, "N", &pnval);
ncomps = pnval->value.intval;
+ if (2*ncomps > sizeof(range_buff)/sizeof(range_buff[0]))
+ return_error(e_rangecheck);
+
/* verify the DataSource entry */
if (dict_find_string(op, "DataSource", &pstrmval) <= 0)
return_error(e_undefined);
More information about the gs-cvs
mailing list