diff options
author | Julian Smith <jules@op59.net> | 2019-10-29 17:28:53 +0000 |
---|---|---|
committer | Julian Smith <jules@op59.net> | 2019-10-29 17:40:36 +0000 |
commit | 849e74e5ab450dd581942192da7101e0664fa5af (patch) | |
tree | e09ebabe5f541343f102896df6fe4ea14a5ed069 | |
parent | 89f58f1aa95b3482cadf6977da49457194ee5358 (diff) |
Bug 701799: avoid out-of-range array access in mj_color_correct().
Code is obscure, so this fix merely avoids out-of-range access in the simplest
way possible, without understanding what the code is trying to do.
Fixes:
./sanbin/gs -sOutputFile=tmp -sDEVICE=mj6000c ../bug-701799.pdf
-rw-r--r-- | contrib/japanese/gdevmjc.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/contrib/japanese/gdevmjc.c b/contrib/japanese/gdevmjc.c index f7f6a136a..a181304e6 100644 --- a/contrib/japanese/gdevmjc.c +++ b/contrib/japanese/gdevmjc.c @@ -1504,7 +1504,10 @@ mj_color_correct(gx_color_value *Rptr ,gx_color_value *Gptr , gx_color_value *Bp if (Y<0) Y=0; - if(H>256 && H<1024){ /* green correct */ + /* 2019-10-29 this used to be 'if(H>256 && H<1024)', which can then go + beyond bounds of the 512-element grnsep2[]. So have patched up to avoid + this, but without any proper idea about what's going on. */ + if(H>256 && H<768){ /* green correct */ short work; work=(((long)grnsep[M]*(long)grnsep2[H-256])>>16); C+=work; |