Fix possible heap corruption (via upstream bug 696954).

Bump PKGREVISION
author: leot <leot@pkgsrc.org> 2016-08-03 08:50:17 +0000
committer: leot <leot@pkgsrc.org> 2016-08-03 08:50:17 +0000
commit: fbbd78c90bfc6feb954905a3fd8b38469823b115 (patch)
tree: 0b4db5513a017df80515d63961a53e4e23b2eba7 /print/mupdf/patches
parent: c9b35b3b4dc154e5d91cadd9ccf742ecbeb5f24a (diff)
download: pkgsrc-fbbd78c90bfc6feb954905a3fd8b38469823b115.tar.gz
1 files changed, 15 insertions, 0 deletions
diff --git a/print/mupdf/patches/patch-source_pdf_pdf-shade.c b/print/mupdf/patches/patch-source_pdf_pdf-shade.c
new file mode 100644
index 00000000000..15161742fef
--- /dev/null
+++ b/print/mupdf/patches/patch-source_pdf_pdf-shade.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-source_pdf_pdf-shade.c,v 1.1 2016/08/03 08:50:17 leot Exp $
+
+Fix possible heap corruption vulnerability (via upstream bug 696954).
+
+--- source/pdf/pdf-shade.c.orig	2016-04-21 11:14:32.000000000 +0000
++++ source/pdf/pdf-shade.c
+@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pd
+ 	obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode);
+ 	if (pdf_array_len(ctx, obj) >= 6)
+ 	{
+-		n = (pdf_array_len(ctx, obj) - 4) / 2;
++		n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2);
+ 		shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0));
+ 		shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1));
+ 		shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));
author	leot <leot@pkgsrc.org>	2016-08-03 08:50:17 +0000
committer	leot <leot@pkgsrc.org>	2016-08-03 08:50:17 +0000
commit	fbbd78c90bfc6feb954905a3fd8b38469823b115 (patch)
tree	0b4db5513a017df80515d63961a53e4e23b2eba7 /print/mupdf/patches
parent	c9b35b3b4dc154e5d91cadd9ccf742ecbeb5f24a (diff)
download	pkgsrc-fbbd78c90bfc6feb954905a3fd8b38469823b115.tar.gz