summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobin Watts <robin.watts@artifex.com>2013-01-04 15:24:15 +0000
committerRobin Watts <robin.watts@artifex.com>2013-01-11 15:34:15 +0000
commit3bed887949e87cc010b69bb247e30132e92057d2 (patch)
tree9656b9bb99253408484f932b508d5439417db025
parent5ee271fd9c8b51b65d3e62a1eb47971adc090328 (diff)
downloadmupdf-3bed887949e87cc010b69bb247e30132e92057d2.tar.xz
Attempt to fix SEGVs seen in fax decoder.
Talking to zeniko, he reports that SEGVs still occur in find_changing within the fax decoder; he doesn't have an example that shows the problem though (either one he can share, or one he cannot). Presumably he has some sort of online feedback thing in the event of crashes. Having stared at the code for a while, I see a potential problem. I think the code may read too many bytes in the case where we are entered with x already within the last byte of w. (i.e. where x >= ((w-1)>>3)<<3). Fixed here.
-rw-r--r--fitz/filt_faxd.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/fitz/filt_faxd.c b/fitz/filt_faxd.c
index d5d636f6..463d9de1 100644
--- a/fitz/filt_faxd.c
+++ b/fitz/filt_faxd.c
@@ -218,11 +218,23 @@ find_changing(const unsigned char *line, int x, int w)
* we started from) */
m = mask[x & 7];
}
+ /* We have 'w' pixels (bits) in line. The last pixel that can be
+ * safely accessed is the (w-1)th bit of line.
+ * By taking W = w>>3, we know that the first W bytes of line are
+ * full, with w&7 stray bits following. */
W = w>>3;
x >>= 3;
- a = line[x];
+ a = line[x]; /* Safe as x < w => x <= w-1 => x>>3 <= (w-1)>>3 */
b = a ^ (a>>1);
b &= m;
+ if (x >= W)
+ {
+ /* Within the last byte already */
+ x = (x<<3) + clz[b];
+ if (x > w)
+ x = w;
+ return x;
+ }
while (b == 0)
{
if (++x >= W)