diff options
author | Robin Watts <robin.watts@artifex.com> | 2013-01-04 15:24:15 +0000 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2013-01-11 15:34:15 +0000 |
commit | 3bed887949e87cc010b69bb247e30132e92057d2 (patch) | |
tree | 9656b9bb99253408484f932b508d5439417db025 | |
parent | 5ee271fd9c8b51b65d3e62a1eb47971adc090328 (diff) | |
download | mupdf-3bed887949e87cc010b69bb247e30132e92057d2.tar.xz |
Attempt to fix SEGVs seen in fax decoder.
Talking to zeniko, he reports that SEGVs still occur in find_changing
within the fax decoder; he doesn't have an example that shows the
problem though (either one he can share, or one he cannot). Presumably
he has some sort of online feedback thing in the event of crashes.
Having stared at the code for a while, I see a potential problem.
I think the code may read too many bytes in the case where we
are entered with x already within the last byte of w. (i.e. where
x >= ((w-1)>>3)<<3). Fixed here.
-rw-r--r-- | fitz/filt_faxd.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/fitz/filt_faxd.c b/fitz/filt_faxd.c index d5d636f6..463d9de1 100644 --- a/fitz/filt_faxd.c +++ b/fitz/filt_faxd.c @@ -218,11 +218,23 @@ find_changing(const unsigned char *line, int x, int w) * we started from) */ m = mask[x & 7]; } + /* We have 'w' pixels (bits) in line. The last pixel that can be + * safely accessed is the (w-1)th bit of line. + * By taking W = w>>3, we know that the first W bytes of line are + * full, with w&7 stray bits following. */ W = w>>3; x >>= 3; - a = line[x]; + a = line[x]; /* Safe as x < w => x <= w-1 => x>>3 <= (w-1)>>3 */ b = a ^ (a>>1); b &= m; + if (x >= W) + { + /* Within the last byte already */ + x = (x<<3) + clz[b]; + if (x > w) + x = w; + return x; + } while (b == 0) { if (++x >= W) |