authorTor Andersson <tor.andersson@artifex.com>2018-08-28 21:41:07 +0800
committerSebastian Rasmussen <sebras@gmail.com>2018-08-28 22:48:13 +0800
commitf85a9d6a08ebba9e319abdc05eadc3e443b878f1 (patch)
tree7087c4b55ad03b7ca4c357638cf6c2df34992929
parentd958fdda891752563fc3b7b36448061f1809e683 (diff)
downloadmupdf-f85a9d6a08ebba9e319abdc05eadc3e443b878f1.tar.xz
Bug 699683: Skip painting too large images when using interpolation.
When painting images using interpolation, 16.16 fixed-point arithmetic is used. This limits the width/height of any image that can be painted to 32767. There was no size check, so large images caused overflow and subsequent out-of-bounds accesses which triggered MSAN. This c Thanks to oss-fuzz for reporting.
-rw-r--r--source/fitz/draw-affine.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/source/fitz/draw-affine.c b/source/fitz/draw-affine.c
index 61f7eb3f..14383612 100644
--- a/source/fitz/draw-affine.c
+++ b/source/fitz/draw-affine.c
@@ -4044,6 +4044,10 @@ fz_paint_image_imp(fz_pixmap *dst, const fz_irect *scissor, fz_pixmap *shape, fz
if (dolerp)
{
+ /* image size overflows 16.16 fixed point math */
+ if (sw >= 32768 || sh >= 32768)
+ return;
+
u -= 32768;
v -= 32768;
sw = (sw<<16) + 32768;