aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/mupdf-CVE-2016-6525.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/mupdf-CVE-2016-6525.patch')
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-6525.patch21
1 files changed, 21 insertions, 0 deletions
diff --git a/gnu/packages/patches/mupdf-CVE-2016-6525.patch b/gnu/packages/patches/mupdf-CVE-2016-6525.patch
new file mode 100644
index 0000000000..370af5ade6
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-6525.patch
@@ -0,0 +1,21 @@
+Fix CVE-2016-6525 (heap overflow in pdf_load_mesh_params()).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525
+https://security-tracker.debian.org/tracker/CVE-2016-6525
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e
+
+diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c
+index 7815b3c..6e25efa 100644
+--- a/source/pdf/pdf-shade.c
++++ b/source/pdf/pdf-shade.c
+@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, fz_shade *shade, pdf_ob
+ obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode);
+ if (pdf_array_len(ctx, obj) >= 6)
+ {
+- n = (pdf_array_len(ctx, obj) - 4) / 2;
++ n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2);
+ shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0));
+ shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1));
+ shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));
generated by cgit v1.2.3 (git 2.45.0) at 2025-01-14 05:36:22 +0000