| From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001 |
| From: Chris Liddell <chris.liddell@artifex.com> |
| Date: Mon, 17 Jul 2023 14:06:37 +0100 |
| Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from |
| devices/gdevpcx.c |
| |
| Bounds check the buffer, before dereferencing the pointer. |
| |
| CVE: CVE-2023-38559 |
| Upstream-Status: Backport |
| Signed-off-by: Ross Burton <ross.burton@arm.com> |
| --- |
| base/gdevdevn.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/base/gdevdevn.c b/base/gdevdevn.c |
| index 7b14d9c71..6351fb77a 100644 |
| --- a/base/gdevdevn.c |
| +++ b/base/gdevdevn.c |
| @@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file |
| byte data = *from; |
| |
| from += step; |
| - if (data != *from || from == end) { |
| + if (from >= end || data != *from) { |
| if (data >= 0xc0) |
| gp_fputc(0xc1, file); |
| } else { |
| -- |
| 2.34.1 |
| |