Fix CVE-2016-6525 (heap overflow in pdf_load_mesh_params()). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525 https://security-tracker.debian.org/tracker/CVE-2016-6525 Patch copied from upstream source repository: http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c index 7815b3c..6e25efa 100644 --- a/source/pdf/pdf-shade.c +++ b/source/pdf/pdf-shade.c @@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, fz_shade *shade, pdf_ob obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode); if (pdf_array_len(ctx, obj) >= 6) { - n = (pdf_array_len(ctx, obj) - 4) / 2; + n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2); shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0)); shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1)); shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));