3d5b8e
From d9c88e1c8892c79b8865a0dabdcc0d3ffd55c195 Mon Sep 17 00:00:00 2001
3d5b8e
From: Albert Astals Cid <aacid@kde.org>
3d5b8e
Date: Wed, 21 Jun 2017 00:56:38 +0200
3d5b8e
Subject: [PATCH] Fix crash in malformed documents
3d5b8e
3d5b8e
---
3d5b8e
 poppler/GfxState.cc | 12 ++++++------
3d5b8e
 1 file changed, 6 insertions(+), 6 deletions(-)
3d5b8e
3d5b8e
diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
3d5b8e
index e6cd329..f61f812 100644
3d5b8e
--- a/poppler/GfxState.cc
3d5b8e
+++ b/poppler/GfxState.cc
3d5b8e
@@ -4034,18 +4034,18 @@ GfxUnivariateShading::~GfxUnivariateShading() {
3d5b8e
 
3d5b8e
 void GfxUnivariateShading::getColor(double t, GfxColor *color) {
3d5b8e
   double out[gfxColorMaxComps];
3d5b8e
-  int i, nComps;
3d5b8e
+  int i;
3d5b8e
+
3d5b8e
+  // NB: there can be one function with n outputs or n functions with
3d5b8e
+  // one output each (where n = number of color components)
3d5b8e
+  const int nComps = nFuncs * funcs[0]->getOutputSize();
3d5b8e
 
3d5b8e
-  if (unlikely(nFuncs < 1)) {
3d5b8e
+  if (unlikely(nFuncs < 1 || nComps > gfxColorMaxComps)) {
3d5b8e
     for (int i = 0; i < gfxColorMaxComps; i++)
3d5b8e
         color->c[i] = 0;
3d5b8e
     return;
3d5b8e
   }
3d5b8e
 
3d5b8e
-  // NB: there can be one function with n outputs or n functions with
3d5b8e
-  // one output each (where n = number of color components)
3d5b8e
-  nComps = nFuncs * funcs[0]->getOutputSize();
3d5b8e
-
3d5b8e
   if (cacheSize > 0) {
3d5b8e
     double x, ix, *l, *u, *upper;
3d5b8e
 
3d5b8e
-- 
3d5b8e
2.9.3
3d5b8e