author | Robin Watts <robin.watts@artifex.com> | 2012-12-15 00:05:00 +0000 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2012-12-18 20:30:36 +0000 |
commit | d54880994238be020d5e7298b45eb74ae5e846b6 (patch) | |
tree | 0d8188562e21257451a2df7065a7547f4891c571 | |
parent | 5e969e35932106ccea0163159f0652627115081a (diff) | |
download | mupdf-d54880994238be020d5e7298b45eb74ae5e846b6.tar.xz |
Bug 693503: Fix out of bounds memory access in scaler.
When extreme ranges (+/- MAX_INT) are passed into the scaler
signed wrap around gives us problems when calculating the patch.
Simply ignore such cases.
Problem found in 1792.pdf.SIGSEGV.387.883, a test file supplied by
Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security
Team using Address Sanitizer. Many thanks!
-rw-r--r-- | draw/draw_simple_scale.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/draw/draw_simple_scale.c b/draw/draw_simple_scale.c index 606ee2bb..aa00a916 100644 --- a/draw/draw_simple_scale.c +++ b/draw/draw_simple_scale.c @@ -1237,6 +1237,10 @@ fz_scale_pixmap_cached(fz_context *ctx, fz_pixmap *src, float x, float y, float DBUG(("Scale: (%d,%d) to (%g,%g) at (%g,%g)\n",src->w,src->h,w,h,x,y)); + /* Avoid extreme scales where overflows become problematic. */ + if (w > (1<<24) || h > (1<<24) || w < -(1<<24) || h < -(1<<24)) + return NULL; + /* Find the destination bbox, width/height, and sub pixel offset, * allowing for whether we're flipping or not. */ /* The (x,y) position given describes where the top left corner of the |
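Review bot: the new guard in fz_scale_pixmap_cached bounds only w and h, while the x and y arguments, which the comment that follows says take part in finding the destination bbox and sub pixel offset, are left unchecked, so extreme positions can still reach that calculation. Consider applying the same limit to x and y. All four comparisons are false for NaN, so a NaN w or h passes the check; writing it as a negated in-range test, for example `if (!(w >= -(1<<24) && w <= (1<<24)) || ...)`, would reject NaN as well. The early `return NULL` adds a new exit path, so it is worth confirming that every caller tolerates a NULL result. The literal `1<<24` appears four times; a named constant with a short comment on why that bound was chosen would make the limit easier to audit.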