Patrick Williams | 2a25492 | 2023-08-11 09:48:11 -0500 | 1 | From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001 |
| 2 | From: Chris Liddell <chris.liddell@artifex.com> |
| 3 | Date: Mon, 17 Jul 2023 14:06:37 +0100 |
| 4 | Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from |
| 5 | devices/gdevpcx.c |
| 6 | |
| 7 | Bounds check the buffer, before dereferencing the pointer. |
| 8 | |
| 9 | CVE: CVE-2023-38559 |
| 10 | Upstream-Status: Backport |
| 11 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 12 | --- |
| 13 | base/gdevdevn.c | 2 +- |
| 14 | 1 file changed, 1 insertion(+), 1 deletion(-) |
| 15 | |
| 16 | diff --git a/base/gdevdevn.c b/base/gdevdevn.c |
| 17 | index 7b14d9c71..6351fb77a 100644 |
| 18 | --- a/base/gdevdevn.c |
| 19 | +++ b/base/gdevdevn.c |
| 20 | @@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file |
| 21 | byte data = *from; |
| 22 | |
| 23 | from += step; |
| 24 | - if (data != *from || from == end) { |
| 25 | + if (from >= end || data != *from) { |
| 26 | if (data >= 0xc0) |
| 27 | gp_fputc(0xc1, file); |
| 28 | } else { |
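Review bot: the reordered test on the `+` line checks `from >= end` before reading `*from`, but the `from += step;` two lines above it can still advance `from` more than one element past `end` when `step` is greater than 1 and the remaining length is not a multiple of it, and forming such a pointer is undefined behaviour in C even if it is never dereferenced. Consider comparing the remaining distance (`end - from`) against `step` before the increment, or add a comment stating the invariant that the distance from `from` to `end` is always a multiple of `step`. The loop condition guarding the first context line, `byte data = *from;`, is outside the visible hunk, so it is worth confirming that it also uses an ordered comparison rather than `!=`. On the documentation side, `Upstream-Status: Backport` would be easier to audit with the upstream commit URL given alongside it.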
| 29 | -- |
| 30 | 2.34.1 |
| 31 | |