In addition to the issue in the 20041021-1 advisory there is another CAN-2004-1125.
diff -u -5 -d -p -r1.4 Gfx.cc
--- Gfx.cc 28 Sep 2003 12:17:12 -0000 1.4
+++ Gfx.cc 22 Dec 2004 12:04:01 -0000
@@ -2379,11 +2379,13 @@ void Gfx::doImage(Object *ref, Stream *s
=20
 // get the mask
 haveMask =3D gFalse;
 dict->lookup("Mask", &maskObj);
 if (maskObj.isArray()) {
- for (i =3D 0; i < maskObj.arrayGetLength(); ++i) {
+ for (i =3D 0;
+ i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps;
+ ++i) {
 maskObj.arrayGet(i, &obj1);
 maskColors[i] =3D obj1.getInt();
 obj1.free();
 }
 haveMask =3D gTrue;
Index: GfxState.cc
RCS file: /home/kde/kdegraphics/kpdf/xpdf/GfxState.cc,v
retrieving revision 1.3
diff -u -5 -d -p -r1.3 GfxState.cc
--- GfxState.cc 20 Aug 2003 21:25:12 -0000 1.3
+++ GfxState.cc 22 Dec 2004 12:04:02 -0000
@@ -706,10 +706,15 @@ GfxColorSpace *GfxICCBasedColorSpace::pa
 obj1.free();
 return NULL;
 }
 nCompsA =3D obj2.getInt();
 obj2.free();
+ if (nCompsA > gfxColorMaxComps) {
+ error(-1, "ICCBased color space with too many (%d > %d) components",
+ nCompsA, gfxColorMaxComps);
+ nCompsA =3D gfxColorMaxComps;
+ }
 if (dict->lookup("Alternate", &obj2)->isNull() ||
 !(altA =3D GfxColorSpace::parse(&obj2))) {
 switch (nCompsA) {
 case 1:
 altA =3D new GfxDeviceGrayColorSpace();
@@ -1045,10 +1050,15 @@ GfxColorSpace *GfxDeviceNColorSpace::par
 if (!arr->get(1, &obj1)->isArray()) {
 error(-1, "Bad DeviceN color space (names)");
 goto err2;
 }
 nCompsA =3D obj1.arrayGetLength();
+ if (nCompsA > gfxColorMaxComps) {
+ error(-1, "DeviceN color space with too many (%d > %d) components",
+=B7 nCompsA, gfxColorMaxComps);
+ nCompsA =3D gfxColorMaxComps;
+ }
 for (i =3D 0; i < nCompsA; ++i) {
 if (!obj1.arrayGet(i, &obj2)->isName()) {
 error(-1, "Bad DeviceN color space (names)");
 obj2.free();
 goto err2;
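Review bot: The new loop bound in Gfx::doImage silently drops any /Mask entries beyond 2*gfxColorMaxComps, whereas the two GfxState.cc hunks report the equivalent over-long condition through error(); an oversized mask array is malformed input and deserves the same diagnostic, e.g. `if (maskObj.arrayGetLength() > 2*gfxColorMaxComps) error(-1, "Image /Mask array too long, truncating");` placed before the loop. It is also worth confirming that whatever later consumes maskColors uses the number of entries actually filled rather than maskObj.arrayGetLength(), since otherwise it would read past the written entries; that consumer is not visible here. The body of doImage starts and ends outside the hunk.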
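Review bot: The new guard in GfxICCBasedColorSpace::parse only bounds nCompsA from above, and the same holds for the DeviceN hunk that follows: a value read through obj2.getInt() can be zero or negative and passes the check unchanged, so it should be confirmed that the switch (nCompsA) default, which lies outside the hunk, rejects such values rather than proceeding. Clamping to gfxColorMaxComps also leaves the parsed object claiming fewer components than the ICC stream or the DeviceN names array actually describes; rejecting the color space, as the preceding `obj1.free(); return NULL;` and `goto err2;` paths already do for other malformed input, would be the more conservative response if callers tolerate a NULL result. Separately, the continuation line `+=B7 nCompsA, gfxColorMaxComps);` in the DeviceN hunk looks like a quoted-printable artifact where a tab was rendered, so the patch text should be verified against the source before it is applied. Both parse functions start and end outside their hunks.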
Two new issues in kpdf. Upstream announcement should come soon. Please be ready to bump.
This is the patch for the xpdf 2.0.0 code; kpdf includes version 3 anyway. kpdf appears to be patched in KDE's CVS.
This is obviously a dupe of bug 75204. Please reopen if I'm wrong. *** This bug has been marked as a duplicate of 75204 ***