Bug 693503: Fix potential SEGV in bitmap scalers.

With a small dst_w (e.g. 1e-23) the floating point maths governing
scales can go wrong in the weight calculations. MSVC in particular
seems to return 1<<31 for the result of the max_len calculation.

It makes no real sense to scale bitmaps to < 1 pixel, so simply clamp
width and height as required.

Problem found in 2923.pdf.asan.22.2139, a test file supplied by
Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security
Team using Address Sanitizer. Many thanks!

1 files changed, 24 insertions, 0 deletions

diff --git a/draw/draw_simple_scale.c b/draw/draw_simple_scale.c
index aa00a916..55c981b4 100644
--- a/draw/draw_simple_scale.c
+++ b/draw/draw_simple_scale.c
@@ -1241,6 +1241,30 @@ fz_scale_pixmap_cached(fz_context *ctx, fz_pixmap *src, float x, float y, float
 	if (w > (1<<24) || h > (1<<24) || w < -(1<<24) || h < -(1<<24))
 		return NULL;
 
+	/* Clamp small ranges of w and h */
+        if (w <= -1)
+	{
+	}
+	else if (w < 0)
+	{
+		w = -1;
+	}
+	else if (w < 1)
+	{
+		w = 1;
+	}
+        if (h <= -1)
+	{
+	}
+	else if (h < 0)
+	{
+		h = -1;
+	}
+	else if (h < 1)
+	{
+		h = 1;
+	}
+
 	/* Find the destination bbox, width/height, and sub pixel offset,
 	 * allowing for whether we're flipping or not. */
 	/* The (x,y) position given describes where the top left corner of the