patches/source/kdegraphics/kdegraphics-4.4.x.okular.CVE-2010-2575.diff


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

Index: okular/generators/plucker/unpluck/image.cpp
===================================================================
--- okular/generators/plucker/unpluck/image.cpp	(revision 1167825)
+++ okular/generators/plucker/unpluck/image.cpp	(revision 1167826)
@@ -289,8 +289,23 @@
             for (j = 0; j < bytes_per_row;) {
                 incount = *palm_ptr++;
                 inval = *palm_ptr++;
-                memset (rowbuf + j, inval, incount);
-                j += incount;
+                if (incount + j <= bytes_per_row  * width)
+                {
+                    memset (rowbuf + j, inval, incount);
+                    j += incount;
+                }
+                else
+                {
+                    free (rowbuf);
+                    free (lastrow);
+                    free (jpeg_row);
+
+                    jpeg_destroy_compress (&cinfo);
+
+                    fclose( outfile );
+
+                    return false;
+                }
             }
         }
         else if ((flags & PALM_IS_COMPRESSED_FLAG)