From d9c88e1c8892c79b8865a0dabdcc0d3ffd55c195 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Wed, 21 Jun 2017 00:56:38 +0200
Subject: [PATCH] Fix crash in malformed documents

---
 poppler/GfxState.cc | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index e6cd329..f61f812 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -4034,18 +4034,18 @@ GfxUnivariateShading::~GfxUnivariateShading() {
 
 void GfxUnivariateShading::getColor(double t, GfxColor *color) {
   double out[gfxColorMaxComps];
-  int i, nComps;
+  int i;
+
+  // NB: there can be one function with n outputs or n functions with
+  // one output each (where n = number of color components)
+  const int nComps = nFuncs * funcs[0]->getOutputSize();
 
-  if (unlikely(nFuncs < 1)) {
+  if (unlikely(nFuncs < 1 || nComps > gfxColorMaxComps)) {
     for (int i = 0; i < gfxColorMaxComps; i++)
         color->c[i] = 0;
     return;
   }
 
-  // NB: there can be one function with n outputs or n functions with
-  // one output each (where n = number of color components)
-  nComps = nFuncs * funcs[0]->getOutputSize();
-
   if (cacheSize > 0) {
     double x, ix, *l, *u, *upper;
 
-- 
2.9.3