author | Julian Smith <jules@op59.net> | 2019-10-28 14:37:48 +0000 |
---|---|---|
committer | Julian Smith <jules@op59.net> | 2019-10-28 15:37:55 +0000 |
commit | 450da26a76286a8342ec0864b3d113856709f8f6 (patch) | |
tree | 689379d487113dc73173267f3c14001ff2422551 /contrib/lips4 | |
parent | 93cb0c0adbd9bcfefd021d59c472388f67d3300d (diff) | |
download | ghostpdl-450da26a76286a8342ec0864b3d113856709f8f6.tar.gz |
Bug 701785: fixed sanitizer heap-buffer-overflow in lprn_is_black().
In contrib/lips4/gdevlprn.c:lprn_is_black(), it seems that bpl is not
necessarily a multiple of lprn->nBw, so we need to explicitly avoid straying
into the next line's data.
This also avoids accessing beyond our buffer if we are already on the last
line, and so fixes the sanitizer error.
Fixes:
./sanbin/gs -sOutputFile=tmp -sDEVICE=lips2p ../bug-701785.pdf
Diffstat (limited to 'contrib/lips4')
-rw-r--r-- | contrib/lips4/gdevlprn.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/contrib/lips4/gdevlprn.c b/contrib/lips4/gdevlprn.c index df8f862e2..7461e46e4 100644 --- a/contrib/lips4/gdevlprn.c +++ b/contrib/lips4/gdevlprn.c @@ -334,9 +334,16 @@ lprn_is_black(gx_device_printer * pdev, int r, int h, int bx) y0 = (r + h - bh) % maxY; for (y = 0; y < bh; y++) { p = &lprn->ImageBuf[(y0 + y) * bpl + bx * lprn->nBw]; - for (x = 0; x < lprn->nBw; x++) + for (x = 0; x < lprn->nBw; x++) { + /* bpl isn't necessarily a multiple of lprn->nBw, so + we need to explicitly stop after the last byte in this + line to avoid accessing either the next line's data or + going off the end of our buffer completely. This avoids + https://bugs.ghostscript.com/show_bug.cgi?id=701785. */ + if (bx * lprn->nBw + x >= bpl) break; if (p[x] != 0) return 1; + } } return 0; } |
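Review bot: the new test `if (bx * lprn->nBw + x >= bpl) break;` sits inside the inner x loop and is re-evaluated for every byte, although only x changes. Computing the number of bytes to scan once before the y loop (the smaller of lprn->nBw and bpl - bx * lprn->nBw, clamped at zero) and using it as the x loop limit would express the same bound more directly. It would also make the case where bx * lprn->nBw is already at or past bpl an obvious zero-length scan rather than a break on the first iteration. The check bounds the column only: within the visible lines the row index (y0 + y) is not wrapped against maxY after y0 = (r + h - bh) % maxY, so it is worth confirming that y0 + bh cannot exceed the number of rows held in ImageBuf. As a style point, the `break` would read better on its own line, braced like the loop around it.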