authorRobin Watts <robin.watts@artifex.com>2012-12-15 00:05:00 +0000
committerRobin Watts <robin.watts@artifex.com>2012-12-18 20:30:36 +0000
commitd54880994238be020d5e7298b45eb74ae5e846b6 (patch)
tree0d8188562e21257451a2df7065a7547f4891c571
parent5e969e35932106ccea0163159f0652627115081a (diff)
downloadmupdf-d54880994238be020d5e7298b45eb74ae5e846b6.tar.xz
Bug 693503: Fix out of bounds memory access in scaler.
When extreme ranges (+/- MAX_INT) are passed into the scaler, signed wraparound gives us problems when calculating the patch. Simply ignore such cases. Problem found in 1792.pdf.SIGSEGV.387.883, a test file supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
-rw-r--r--draw/draw_simple_scale.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/draw/draw_simple_scale.c b/draw/draw_simple_scale.c
index 606ee2bb..aa00a916 100644
--- a/draw/draw_simple_scale.c
+++ b/draw/draw_simple_scale.c
@@ -1237,6 +1237,10 @@ fz_scale_pixmap_cached(fz_context *ctx, fz_pixmap *src, float x, float y, float
DBUG(("Scale: (%d,%d) to (%g,%g) at (%g,%g)\n",src->w,src->h,w,h,x,y));
+ /* Avoid extreme scales where overflows become problematic. */
+ if (w > (1<<24) || h > (1<<24) || w < -(1<<24) || h < -(1<<24))
+ return NULL;
+
/* Find the destination bbox, width/height, and sub pixel offset,
* allowing for whether we're flipping or not. */
/* The (x,y) position given describes where the top left corner of the
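Review bot: The added guard bounds only `w` and `h`, and a NaN in either slips through because every comparison with NaN is false. Writing it in the accepting form, `if (!(w <= (1<<24) && w >= -(1<<24) && h <= (1<<24) && h >= -(1<<24))) return NULL;`, rejects NaN as well. The comment just below the guard says the destination bbox is also derived from the (x,y) position, so an extreme `x` or `y` may still reach an out-of-range float-to-int conversion. That code is outside the hunk, so it should be checked in the rest of fz_scale_pixmap_cached and, if it applies, `x` and `y` given the same bound. The comment could also say why `1<<24` was chosen and that callers must treat a NULL return as "nothing scaled", for example `/* Reject non-finite or extreme sizes: the int bbox maths below would wrap. Callers must handle NULL. */`.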