Bug 693503: Fix out of bounds memory access in scaler.

When extreme ranges (+/- MAX_INT) are passed into the scaler signed wrap around gives us problems when calculating the patch. Simply ignore such cases. Problem found in 1792.pdf.SIGSEGV.387.883, a test file supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
author: Robin Watts <robin.watts@artifex.com> 2012-12-15 00:05:00 +0000
committer: Robin Watts <robin.watts@artifex.com> 2012-12-18 20:30:36 +0000
commit: d54880994238be020d5e7298b45eb74ae5e846b6 (patch)
tree: 0d8188562e21257451a2df7065a7547f4891c571 /draw/draw_simple_scale.c
parent: 5e969e35932106ccea0163159f0652627115081a (diff)
download: mupdf-d54880994238be020d5e7298b45eb74ae5e846b6.tar.xz
1 files changed, 4 insertions, 0 deletions
diff --git a/draw/draw_simple_scale.c b/draw/draw_simple_scale.c
index 606ee2bb..aa00a916 100644
--- a/draw/draw_simple_scale.c
+++ b/draw/draw_simple_scale.c
@@ -1237,6 +1237,10 @@ fz_scale_pixmap_cached(fz_context *ctx, fz_pixmap *src, float x, float y, float
 
 	DBUG(("Scale: (%d,%d) to (%g,%g) at (%g,%g)\n",src->w,src->h,w,h,x,y));
 
+	/* Avoid extreme scales where overflows become problematic. */
+	if (w > (1<<24) || h > (1<<24) || w < -(1<<24) || h < -(1<<24))
+		return NULL;
+
 	/* Find the destination bbox, width/height, and sub pixel offset,
 	 * allowing for whether we're flipping or not. */
 	/* The (x,y) position given describes where the top left corner of the
author	Robin Watts <robin.watts@artifex.com>	2012-12-15 00:05:00 +0000
committer	Robin Watts <robin.watts@artifex.com>	2012-12-18 20:30:36 +0000
commit	d54880994238be020d5e7298b45eb74ae5e846b6 (patch)
tree	0d8188562e21257451a2df7065a7547f4891c571 /draw/draw_simple_scale.c
parent	5e969e35932106ccea0163159f0652627115081a (diff)
download	mupdf-d54880994238be020d5e7298b45eb74ae5e846b6.tar.xz