1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
diff -u -b -p -u -r1.3 -r1.3.2.1
--- filters/kword/pdf/xpdf/xpdf/Gfx.cc 25 Jan 2003 23:17:44 -0000 1.3
+++ filters/kword/pdf/xpdf/xpdf/Gfx.cc 22 Dec 2004 12:07:12 -0000 1.3.2.1
@@ -2379,7 +2379,9 @@ void Gfx::doImage(Object *ref, Stream *s
haveMask = gFalse;
dict->lookup("Mask", &maskObj);
if (maskObj.isArray()) {
- for (i = 0; i < maskObj.arrayGetLength(); ++i) {
+ for (i = 0;
+ i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps;
+ ++i) {
maskObj.arrayGet(i, &obj1);
maskColors[i] = obj1.getInt();
obj1.free();
diff -u -b -p -u -r1.3 -r1.3.2.1
--- filters/kword/pdf/xpdf/xpdf/GfxState.cc 25 Jan 2003 23:17:44 -0000 1.3
+++ filters/kword/pdf/xpdf/xpdf/GfxState.cc 22 Dec 2004 12:07:12 -0000 1.3.2.1
@@ -682,6 +682,11 @@ GfxColorSpace *GfxICCBasedColorSpace::pa
}
nCompsA = obj2.getInt();
obj2.free();
+ if (nCompsA > gfxColorMaxComps) {
+ error(-1, "ICCBased color space with too many (%d > %d) components",
+ nCompsA, gfxColorMaxComps);
+ nCompsA = gfxColorMaxComps;
+ }
if (dict->lookup("Alternate", &obj2)->isNull() ||
!(altA = GfxColorSpace::parse(&obj2))) {
switch (nCompsA) {
@@ -1023,6 +1028,11 @@ GfxColorSpace *GfxDeviceNColorSpace::par
goto err2;
}
nCompsA = obj1.arrayGetLength();
+ if (nCompsA > gfxColorMaxComps) {
+ error(-1, "DeviceN color space with too many (%d > %d) components",
+ nCompsA, gfxColorMaxComps);
+ nCompsA = gfxColorMaxComps;
+ }
for (i = 0; i < nCompsA; ++i) {
if (!obj1.arrayGet(i, &obj2)->isName()) {
error(-1, "Bad DeviceN color space (names)");
|
