author | Robin Watts <robin.watts@artifex.com> | 2012-12-20 13:38:49 +0000 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2012-12-20 15:07:19 +0000 |
commit | 3440e0e3113e93ca2b7fa1a110ad52734d713fe4 (patch) | |
tree | ada9e3b8566a466ae0838399a4bd63681255e969 /draw | |
parent | 9da6013ae2ad8f0092837c8edfe95ccbbf5e2233 (diff) | |
download | mupdf-3440e0e3113e93ca2b7fa1a110ad52734d713fe4.tar.xz |
Bug 693503: Fix SEGV in glyph painting due to bbox overflow.
When calculating the bbox for draw_glyph, if the x and y origins of
the glyph are extreme (too large to fit in an int), we get overflows
of the bbox; empty bboxes are transformed to large ones.
The fix is to introduce an fz_translate_bbox function that checks for
such things.
Also, we update various bbox/rect functions to check for empty bboxes
before they check for infinite ones (as a bbox of x0=0 x1=0 y0=0 y1=-1
will be detected both as infinite and empty).
Problem found in 2485.pdf.SIGSEGV.2a.1652, a test file supplied by
Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security
Team using Address Sanitizer. Many thanks!
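The two failure modes the commit message describes, as an added worked example in C that is not mupdf's code: a small mask box whose origin is near INT_MAX wraps into an inverted box when translated with plain additions, and a box such as x0=0 x1=0 y0=0 y1=-1 is classified as infinite if the infinite test runs before the empty test. The `bbox_t` type, the empty/infinite conventions (assumed here to be "zero extent" and "inverted", to match the message's remark about that box), and the `translate_bbox_checked` stand-in for `fz_translate_bbox` are all assumptions of this example, not mupdf's definitions.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed example, not mupdf's own code. Field names follow the
 * bbox used in draw_glyph; everything else here is hypothetical. */
typedef struct { int x0, y0, x1, y1; } bbox_t;

/* Assumed conventions, chosen so that x0=0 x1=0 y0=0 y1=-1 is both
 * empty (x0 == x1) and infinite (y0 > y1), as the commit message says:
 *   empty    : zero width or zero height
 *   infinite : an inverted box
 * mupdf's real definitions may differ. */
static const bbox_t EMPTY_BBOX = { 0, 0, 0, 0 };

int bbox_is_empty(bbox_t b)    { return b.x0 == b.x1 || b.y0 == b.y1; }
int bbox_is_infinite(bbox_t b) { return b.x0 > b.x1 || b.y0 > b.y1; }

/* Wrapping add in unsigned arithmetic (well defined, unlike signed
 * overflow) to reproduce what "bbox.x0 += xorig" does on a two's
 * complement machine; the final conversion is implementation-defined. */
static int add_wrap(int v, int d) { return (int)((unsigned)v + (unsigned)d); }

/* Overflow-checked add: returns 0 on overflow, 1 and *out otherwise. */
static int add_checked(int v, int d, int *out)
{
    if ((d > 0 && v > INT_MAX - d) || (d < 0 && v < INT_MIN - d))
        return 0;
    *out = v + d;
    return 1;
}

/* Before the fix: the four unchecked additions the patch removes. */
bbox_t translate_bbox_unchecked(bbox_t b, int x, int y)
{
    b.x0 = add_wrap(b.x0, x); b.y0 = add_wrap(b.y0, y);
    b.x1 = add_wrap(b.x1, x); b.y1 = add_wrap(b.y1, y);
    return b;
}

/* After the fix (hypothetical stand-in for fz_translate_bbox): an empty
 * box stays empty and any overflow yields an empty box, since a glyph
 * whose origin does not fit in an int cannot be painted anyway. */
bbox_t translate_bbox_checked(bbox_t b, int x, int y)
{
    bbox_t r;
    if (bbox_is_empty(b))
        return EMPTY_BBOX;
    if (!add_checked(b.x0, x, &r.x0) || !add_checked(b.y0, y, &r.y0) ||
        !add_checked(b.x1, x, &r.x1) || !add_checked(b.y1, y, &r.y1))
        return EMPTY_BBOX;
    return r;
}

static int imax(int a, int b) { return a > b ? a : b; }
static int imin(int a, int b) { return a < b ? a : b; }

static bbox_t clip(bbox_t a, bbox_t b)
{
    bbox_t r;
    r.x0 = imax(a.x0, b.x0); r.y0 = imax(a.y0, b.y0);
    r.x1 = imin(a.x1, b.x1); r.y1 = imin(a.y1, b.y1);
    if (r.x1 < r.x0 || r.y1 < r.y0)   /* disjoint */
        return EMPTY_BBOX;
    return r;
}

/* Old ordering: the infinite test runs first, so a box that is both
 * empty and inverted is treated as infinite and the whole scissor
 * comes back as the area to paint. */
bbox_t intersect_bbox_infinite_first(bbox_t a, bbox_t b)
{
    if (bbox_is_infinite(a)) return b;
    if (bbox_is_infinite(b)) return a;
    if (bbox_is_empty(a) || bbox_is_empty(b)) return EMPTY_BBOX;
    return clip(a, b);
}

/* New ordering: empty wins over infinite. */
bbox_t intersect_bbox_empty_first(bbox_t a, bbox_t b)
{
    if (bbox_is_empty(a) || bbox_is_empty(b)) return EMPTY_BBOX;
    if (bbox_is_infinite(a)) return b;
    if (bbox_is_infinite(b)) return a;
    return clip(a, b);
}

int main(void)
{
    bbox_t scissor = { 0, 0, 1000, 1000 };  /* constructed clip box */
    bbox_t glyph   = { 0, 0, 10, 10 };      /* constructed 10x10 mask box */
    int xorig = INT_MAX - 5;                /* extreme origin, as in the bug */

    bbox_t wrapped = translate_bbox_unchecked(glyph, xorig, 0);
    bbox_t painted = intersect_bbox_empty_first(wrapped, scissor);
    printf("unchecked: x1 wrapped to %d, infinite=%d, paint area %dx%d from a 10x10 mask\n",
           wrapped.x1, bbox_is_infinite(wrapped),
           painted.x1 - painted.x0, painted.y1 - painted.y0);

    bbox_t safe = translate_bbox_checked(glyph, xorig, 0);
    printf("checked: empty=%d, nothing painted\n", bbox_is_empty(safe));

    bbox_t both = { 0, 0, 0, -1 };
    printf("x0=0 x1=0 y0=0 y1=-1: infinite-first gives x1=%d, empty-first gives empty=%d\n",
           intersect_bbox_infinite_first(both, scissor).x1,
           bbox_is_empty(intersect_bbox_empty_first(both, scissor)));
    return 0;
}
```

The unchecked path is the interesting one for a reviewer: a 10x10 mask ends up with an inverted box, the inverted box reads as infinite, and the intersection with the scissor is the entire clip area, so the painter is handed a region vastly larger than the mask it reads from. The checked translation collapses the same input to an empty box and the glyph is simply skipped.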
Diffstat (limited to 'draw')
-rw-r--r-- | draw/draw_device.c | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/draw/draw_device.c b/draw/draw_device.c index 96c4dd53..605a335e 100644 --- a/draw/draw_device.c +++ b/draw/draw_device.c @@ -472,11 +472,7 @@ draw_glyph(unsigned char *colorbv, fz_pixmap *dst, fz_pixmap *msk, int x, y, w, h; bbox = fz_pixmap_bbox_no_ctx(msk); - bbox.x0 += xorig; - bbox.y0 += yorig; - bbox.x1 += xorig; - bbox.y1 += yorig; - + bbox = fz_translate_bbox(bbox, xorig, yorig); bbox = fz_intersect_bbox(bbox, scissor); /* scissor < dst */ x = bbox.x0; y = bbox.y0; |
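Review bot: the correctness of this hunk rests entirely on fz_translate_bbox, which the commit message says is introduced by this change but which is not in the diff shown (the diffstat is limited to 'draw'), so confirm in the fitz side of the patch that it returns an empty bbox, not a wrapped one, when xorig or yorig pushes a coordinate past INT_MAX or INT_MIN, and that the fz_intersect_bbox call on the following line really does test for empty before infinite as the message describes; otherwise the x and y taken from bbox.x0 and bbox.y0 right after it still come from an overflowed box. Also, the diff removes the blank line that separated the translation from the intersect call along with the four += lines; keeping it would preserve the readability of the original layout.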