diff options
author | Julian Smith <jules@op59.net> | 2019-11-05 12:03:23 +0000 |
---|---|---|
committer | Julian Smith <jules@op59.net> | 2019-11-05 12:19:31 +0000 |
commit | b25cad42dc869e8e9d7ea58adae2c8baba0ee25d (patch) | |
tree | 18876f69cbb65c77a25bffbf2050939057a44031 /contrib/lips4 | |
parent | e7118494be4162b8c2c06d8b7d4cb2d7ebb57f61 (diff) | |
download | ghostpdl-b25cad42dc869e8e9d7ea58adae2c8baba0ee25d.tar.gz |
Bug 701830: avoid buffer overflow in lips_rle_encode().
Worst case for lips_rle_encode() is 2*Length+2, so adjust corresponding alloc
to match.
Fixes:
./sanbin/gs -dBATCH -dNOPAUSE -r489 -dFitPage -sOutputFile=tmp -sDEVICE=lips4 ../bug-701830.eps
Diffstat (limited to 'contrib/lips4')
-rw-r--r-- | contrib/lips4/gdevl4r.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/contrib/lips4/gdevl4r.c b/contrib/lips4/gdevl4r.c index 9af084ffa..05f1f8139 100644 --- a/contrib/lips4/gdevl4r.c +++ b/contrib/lips4/gdevl4r.c @@ -645,7 +645,10 @@ lips4type_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int { if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, bpl * 3 / 2 + 1, maxY, "(CompBuf)"))) return_error(gs_error_VMerror); - if (!(lprn->CompBuf2 = gs_malloc(pdev->memory->non_gc_memory, bpl * 3 / 2 + 1, maxY, "(CompBuf2)"))) + + /* This buffer is used by lips_rle_encode(), which can require double + input size plus 2 bytes. */ + if (!(lprn->CompBuf2 = gs_malloc(pdev->memory->non_gc_memory, bpl * 2 + 2, maxY, "(CompBuf2)"))) return_error(gs_error_VMerror); if (lprn->NegativePrint) { |