[librsvg] bgo#630732 - Fix out-of-bounds read in feComponentTransfer with tableValues
- From: Federico Mena Quintero <federico src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [librsvg] bgo#630732 - Fix out-of-bounds read in feComponentTransfer with tableValues
- Date: Wed, 21 Oct 2015 22:24:29 +0000 (UTC)
commit 0b2b1424caeb3fa928689d9ed956edddb0e3e7ec
Author: Federico Mena Quintero <federico gnome org>
Date: Wed Oct 21 17:21:02 2015 -0500
bgo#630732 - Fix out-of-bounds read in feComponentTransfer with tableValues
https://bugzilla.gnome.org/show_bug.cgi?id=630732
rsvg-filter.c | 11 +++++++----
1 files changed, 7 insertions(+), 4 deletions(-)
---
diff --git a/rsvg-filter.c b/rsvg-filter.c
index 7fb193a..b4eedec 100644
--- a/rsvg-filter.c
+++ b/rsvg-filter.c
@@ -2550,14 +2550,17 @@ table_component_transfer_func (gint C, RsvgNodeComponentTransferFunc * user_data
{
guint k;
gint vk, vk1, distancefromlast;
+ guint num_values;
if (!user_data->nbTableValues)
return C;
- k = (C * (user_data->nbTableValues - 1)) / 255;
+ num_values = user_data->nbTableValues;
- vk = user_data->tableValues[k];
- vk1 = user_data->tableValues[k + 1];
+ k = (C * (num_values - 1)) / 255;
+
+ vk = user_data->tableValues[CLAMP (k, 0, num_values - 1)];
+ vk1 = user_data->tableValues[CLAMP (k + 1, 0, num_values - 1)];
distancefromlast = (C * (user_data->nbTableValues - 1)) - k * 255;
@@ -2574,7 +2577,7 @@ discrete_component_transfer_func (gint C, RsvgNodeComponentTransferFunc * user_d
k = (C * user_data->nbTableValues) / 255;
- return user_data->tableValues[k];
+ return user_data->tableValues[CLAMP (k, 0, user_data->nbTableValues)];
}
static gint
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
