diff options
| author | Robin Watts <robin@peeves.(none)> | 2012-06-11 11:49:31 -0700 |
|---|---|---|
| committer | Robin Watts <robin.watts@artifex.com> | 2012-06-11 19:55:54 +0100 |
| commit | 4fddb35e247a2d81b9b78ca3543b97da9e9fce45 (patch) | |
| tree | fe87bc8ab4351a8cb5a9892c83ab63837bb109b5 /draw | |
| parent | 120dabdf30be66b5d17f4c59862907bb5d176e27 (diff) | |
| download | mupdf-4fddb35e247a2d81b9b78ca3543b97da9e9fce45.tar.xz | |
Fix Bug 693102: Overflows in large pixmap indexing.
When we allocate a pixmap > 2G, but < 4G, the index into that
pixmap, when calculated as an int can be negative. Fix this with
various casts to unsigned int.
If we ever move to support >4G images we'll need to rejig the
casting to cast each part of the element to ptrdiff_t first.
Diffstat (limited to 'draw')
| -rw-r--r-- | draw/draw_affine.c | 4 | ||||
| -rw-r--r-- | draw/draw_blend.c | 6 | ||||
| -rw-r--r-- | draw/draw_device.c | 8 | ||||
| -rw-r--r-- | draw/draw_edge.c | 4 | ||||
| -rw-r--r-- | draw/draw_mesh.c | 2 | ||||
| -rw-r--r-- | draw/draw_paint.c | 14 | ||||
| -rw-r--r-- | draw/draw_unpack.c | 4 |
7 files changed, 21 insertions, 21 deletions
diff --git a/draw/draw_affine.c b/draw/draw_affine.c index 52b8a847..67dbd37d 100644 --- a/draw/draw_affine.c +++ b/draw/draw_affine.c @@ -674,7 +674,7 @@ fz_paint_image_imp(fz_pixmap *dst, fz_bbox scissor, fz_pixmap *shape, fz_pixmap v -= 32768; } - dp = dst->samples + ((y - dst->y) * dst->w + (x - dst->x)) * dst->n; + dp = dst->samples + (unsigned int)(((y - dst->y) * dst->w + (x - dst->x)) * dst->n); n = dst->n; sp = img->samples; sw = img->w; @@ -682,7 +682,7 @@ fz_paint_image_imp(fz_pixmap *dst, fz_bbox scissor, fz_pixmap *shape, fz_pixmap if (shape) { hw = shape->w; - hp = shape->samples + ((y - shape->y) * hw) + x - shape->x; + hp = shape->samples + (unsigned int)(((y - shape->y) * hw) + x - shape->x); } else { diff --git a/draw/draw_blend.c b/draw/draw_blend.c index 7c74df79..8a751c08 100644 --- a/draw/draw_blend.c +++ b/draw/draw_blend.c @@ -598,14 +598,14 @@ fz_blend_pixmap(fz_pixmap *dst, fz_pixmap *src, int alpha, int blendmode, int is h = bbox.y1 - bbox.y0; n = src->n; - sp = src->samples + ((y - src->y) * src->w + (x - src->x)) * n; - dp = dst->samples + ((y - dst->y) * dst->w + (x - dst->x)) * n; + sp = src->samples + (unsigned int)(((y - src->y) * src->w + (x - src->x)) * n); + dp = dst->samples + (unsigned int)(((y - dst->y) * dst->w + (x - dst->x)) * n); assert(src->n == dst->n); if (!isolated) { - unsigned char *hp = shape->samples + (y - shape->y) * shape->w + (x - shape->x); + unsigned char *hp = shape->samples + (unsigned int)((y - shape->y) * shape->w + (x - shape->x)); while (h--) { diff --git a/draw/draw_device.c b/draw/draw_device.c index 3df440ef..6f74eabf 100644 --- a/draw/draw_device.c +++ b/draw/draw_device.c @@ -439,8 +439,8 @@ draw_glyph(unsigned char *colorbv, fz_pixmap *dst, fz_pixmap *msk, w = bbox.x1 - bbox.x0; h = bbox.y1 - bbox.y0; - mp = msk->samples + ((y - msk->y - yorig) * msk->w + (x - msk->x - xorig)); - dp = dst->samples + ((y - dst->y) * dst->w + (x - dst->x)) * dst->n; + mp = msk->samples + (unsigned int)((y - msk->y - yorig) * msk->w + (x - msk->x - xorig)); + dp = dst->samples + (unsigned int)(((y - dst->y) * dst->w + (x - dst->x)) * dst->n); assert(msk->n == 1); @@ -783,7 +783,7 @@ fz_draw_fill_shade(fz_device *devp, fz_shade *shade, fz_matrix ctm, float alpha) n = dest->n; for (y = scissor.y0; y < scissor.y1; y++) { - s = dest->samples + ((scissor.x0 - dest->x) + (y - dest->y) * dest->w) * dest->n; + s = dest->samples + (unsigned int)(((scissor.x0 - dest->x) + (y - dest->y) * dest->w) * dest->n); for (x = scissor.x0; x < scissor.x1; x++) { for (i = 0; i < n; i++) @@ -794,7 +794,7 @@ fz_draw_fill_shade(fz_device *devp, fz_shade *shade, fz_matrix ctm, float alpha) { for (y = scissor.y0; y < scissor.y1; y++) { - s = shape->samples + (scissor.x0 - shape->x) + (y - shape->y) * shape->w; + s = shape->samples + (unsigned int)((scissor.x0 - shape->x) + (y - shape->y) * shape->w); for (x = scissor.x0; x < scissor.x1; x++) { *s++ = 255; diff --git a/draw/draw_edge.c b/draw/draw_edge.c index 53b67b73..eac7cfba 100644 --- a/draw/draw_edge.c +++ b/draw/draw_edge.c @@ -624,7 +624,7 @@ static inline void blit_aa(fz_pixmap *dst, int x, int y, unsigned char *mp, int w, unsigned char *color) { unsigned char *dp; - dp = dst->samples + ( (y - dst->y) * dst->w + (x - dst->x) ) * dst->n; + dp = dst->samples + (unsigned int)(( (y - dst->y) * dst->w + (x - dst->x) ) * dst->n); if (color) fz_paint_span_with_color(dp, mp, dst->n, w, color); else @@ -725,7 +725,7 @@ static inline void blit_sharp(int x0, int x1, int y, x1 = CLAMP(x1, dst->x, dst->x + dst->w); if (x0 < x1) { - dp = dst->samples + ( (y - dst->y) * dst->w + (x0 - dst->x) ) * dst->n; + dp = dst->samples + (unsigned int)(( (y - dst->y) * dst->w + (x0 - dst->x) ) * dst->n); if (color) fz_paint_solid_color(dp, dst->n, x1 - x0, color); else diff --git a/draw/draw_mesh.c b/draw/draw_mesh.c index 025ec366..924bd34d 100644 --- a/draw/draw_mesh.c +++ b/draw/draw_mesh.c @@ -269,7 +269,7 @@ static int clip_poly(float src[MAXV][MAXN], static void paint_scan(fz_pixmap *pix, int y, int x1, int x2, int *v1, int *v2, int n) { - unsigned char *p = pix->samples + ((y - pix->y) * pix->w + (x1 - pix->x)) * pix->n; + unsigned char *p = pix->samples + (unsigned int)(((y - pix->y) * pix->w + (x1 - pix->x)) * pix->n); int v[FZ_MAX_COLORS]; int dv[FZ_MAX_COLORS]; int w = x2 - x1; diff --git a/draw/draw_paint.c b/draw/draw_paint.c index 2a5f9607..57e69748 100644 --- a/draw/draw_paint.c +++ b/draw/draw_paint.c @@ -393,8 +393,8 @@ fz_paint_pixmap_with_rect(fz_pixmap *dst, fz_pixmap *src, int alpha, fz_bbox bbo return; n = src->n; - sp = src->samples + ((y - src->y) * src->w + (x - src->x)) * src->n; - dp = dst->samples + ((y - dst->y) * dst->w + (x - dst->x)) * dst->n; + sp = src->samples + (unsigned int)(((y - src->y) * src->w + (x - src->x)) * src->n); + dp = dst->samples + (unsigned int)(((y - dst->y) * dst->w + (x - dst->x)) * dst->n); while (h--) { @@ -424,8 +424,8 @@ fz_paint_pixmap(fz_pixmap *dst, fz_pixmap *src, int alpha) return; n = src->n; - sp = src->samples + ((y - src->y) * src->w + (x - src->x)) * src->n; - dp = dst->samples + ((y - dst->y) * dst->w + (x - dst->x)) * dst->n; + sp = src->samples + (unsigned int)(((y - src->y) * src->w + (x - src->x)) * src->n); + dp = dst->samples + (unsigned int)(((y - dst->y) * dst->w + (x - dst->x)) * dst->n); while (h--) { @@ -457,9 +457,9 @@ fz_paint_pixmap_with_mask(fz_pixmap *dst, fz_pixmap *src, fz_pixmap *msk) return; n = src->n; - sp = src->samples + ((y - src->y) * src->w + (x - src->x)) * src->n; - mp = msk->samples + ((y - msk->y) * msk->w + (x - msk->x)) * msk->n; - dp = dst->samples + ((y - dst->y) * dst->w + (x - dst->x)) * dst->n; + sp = src->samples + (unsigned int)(((y - src->y) * src->w + (x - src->x)) * src->n); + mp = msk->samples + (unsigned int)(((y - msk->y) * msk->w + (x - msk->x)) * msk->n); + dp = dst->samples + (unsigned int)(((y - dst->y) * dst->w + (x - dst->x)) * dst->n); while (h--) { diff --git a/draw/draw_unpack.c b/draw/draw_unpack.c index f988dcf9..39c287c6 100644 --- a/draw/draw_unpack.c +++ b/draw/draw_unpack.c @@ -70,8 +70,8 @@ fz_unpack_tile(fz_pixmap *dst, unsigned char * restrict src, int n, int depth, i for (y = 0; y < dst->h; y++) { - unsigned char *sp = src + y * stride; - unsigned char *dp = dst->samples + y * (dst->w * dst->n); + unsigned char *sp = src + (unsigned int)(y * stride); + unsigned char *dp = dst->samples + (unsigned int)(y * dst->w * dst->n); /* Specialized loops */ |