summaryrefslogtreecommitdiff
path: root/draw
diff options
context:
space:
mode:
authorRobin Watts <robin.watts@artifex.com>2012-12-18 19:28:39 +0000
committerRobin Watts <robin.watts@artifex.com>2012-12-19 12:43:15 +0000
commit956945485624f0df0ffdfbd471a4ec095bd145c9 (patch)
tree8718dbab2e6267550e971ee3011ddd7ac16f6609 /draw
parent1f39afecc00df83ff3306f81716483d843e3f70e (diff)
downloadmupdf-956945485624f0df0ffdfbd471a4ec095bd145c9.tar.xz
Bug 693503: Fix potential SEGV in bitmap scalers.
With a small dst_w (e.g. 1e-23) the floating point maths governing scales can go wrong in the weight calculations. MSVC in particular seems to return 1<<31 for the result of the max_len calculation. It makes no real sense to scale bitmaps to < 1 pixel, so simply clamp width and height as required. Problem found in 2923.pdf.asan.22.2139, a test file supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
Diffstat (limited to 'draw')
-rw-r--r--draw/draw_simple_scale.c24
1 files changed, 24 insertions, 0 deletions
diff --git a/draw/draw_simple_scale.c b/draw/draw_simple_scale.c
index aa00a916..55c981b4 100644
--- a/draw/draw_simple_scale.c
+++ b/draw/draw_simple_scale.c
@@ -1241,6 +1241,30 @@ fz_scale_pixmap_cached(fz_context *ctx, fz_pixmap *src, float x, float y, float
if (w > (1<<24) || h > (1<<24) || w < -(1<<24) || h < -(1<<24))
return NULL;
+ /* Clamp small ranges of w and h */
+ if (w <= -1)
+ {
+ }
+ else if (w < 0)
+ {
+ w = -1;
+ }
+ else if (w < 1)
+ {
+ w = 1;
+ }
+ if (h <= -1)
+ {
+ }
+ else if (h < 0)
+ {
+ h = -1;
+ }
+ else if (h < 1)
+ {
+ h = 1;
+ }
+
/* Find the destination bbox, width/height, and sub pixel offset,
* allowing for whether we're flipping or not. */
/* The (x,y) position given describes where the top left corner of the