| author | Robin Watts <robin.watts@artifex.com> | 2014-01-13 16:59:46 +0000 |
|---|---|---|
| committer | Robin Watts <robin.watts@artifex.com> | 2014-01-13 17:22:03 +0000 |
| commit | 588f6d54c6db707acaa044a914dee29004054e91 (patch) | |
| tree | 177324a9b194ab646cd93ccc52b73b93a569c048 /source/fitz/draw-device.c | |
| parent | 056a8de560419eedaf097703893c798284ebb0a2 (diff) | |
| download | mupdf-588f6d54c6db707acaa044a914dee29004054e91.tar.xz | |
Bug 694890: Solve valgrind issues/SEGV due to use of invalid pixmap
fz_draw_clip_text changes the value of 'state' during a loop. The
'if (glyph)' part of the loop assumes that it points to gstate[top-1]
where the 'path' part of the loop changes it to point to gstate[top].
If we render a "non glyph" glyph, then a "glyph" glyph, we will access
an invalid state. This can cause a draw_glyph call on an invalid
destination bitmap.
The fix is simply not to reset state.
Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for providing the fuzzing files.
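The pointer-rebasing bug the message describes, as an added model that is not MuPDF's code: a hypothetical `gstate_t` stack stands in for `dev->stack`, and `run_clip_text` runs the loop either in its original form (rebasing `state` to `&stack[top]` in the path branch) or in the fixed form (leaving `state` at `&stack[top-1]` and addressing the top entry as `state[1]`), returning which stack slot a following glyph branch drew into.

```c
/* Constructed model of the fz_draw_clip_text bug. Names and layout are
 * hypothetical, not MuPDF's real fz_draw_state / fz_draw_device. */
typedef struct { int dest; int mask; } gstate_t;

enum { STACK_DEPTH = 4, TOP = 2 };   /* clip entry lives at stack[TOP] */
enum { ITEM_GLYPH, ITEM_PATH };       /* glyph drawn from an image, or from a path */

/* Returns the index of the stack entry the last ITEM_GLYPH drew into.
 * reset_state != 0 reproduces the original code; 0 reproduces the fix. */
static int run_clip_text(int reset_state, const int *items, int n)
{
    gstate_t stack[STACK_DEPTH];
    gstate_t *state;
    int top = TOP;
    int drawn_into = -1;

    for (int i = 0; i < STACK_DEPTH; i++) {
        stack[i].dest = 100 + i;
        stack[i].mask = 200 + i;
    }
    state = &stack[top - 1];   /* invariant the glyph branch relies on */

    for (int i = 0; i < n; i++) {
        if (items[i] == ITEM_GLYPH) {
            /* draw_glyph(state->dest, ...) assumes state == &stack[top-1] */
            drawn_into = (int)(state - stack);
        } else {
            gstate_t *s;
            int old_dest;
            if (reset_state) {
                state = &stack[top];   /* original: clobbers 'state' for later iterations */
                s = state;
            } else {
                s = state + 1;         /* fix: reach stack[top] as state[1], leave 'state' alone */
            }
            old_dest = s->dest;
            s->dest = s->mask;  s->mask = 0;        /* fill the path into the mask */
            s->mask = s->dest;  s->dest = old_dest; /* fz_always: restore */
        }
    }
    return drawn_into;
}

/* A path glyph followed by an image glyph: the sequence the commit message describes. */
static int demo(int reset_state)
{
    int items[] = { ITEM_PATH, ITEM_GLYPH };
    return run_clip_text(reset_state, items, 2);
}
```

With the original logic `demo(1)` reports the glyph was drawn into slot `TOP`, the clip entry whose dest is not a valid target; with the fix `demo(0)` reports `TOP - 1` as intended.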
Diffstat (limited to 'source/fitz/draw-device.c')
-rw-r--r-- | source/fitz/draw-device.c | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/source/fitz/draw-device.c b/source/fitz/draw-device.c index cf3daa51..3effa3a7 100644 --- a/source/fitz/draw-device.c +++ b/source/fitz/draw-device.c @@ -750,18 +750,17 @@ fz_draw_clip_text(fz_device *devp, fz_text *text, const fz_matrix *ctm, int accu fz_pixmap *old_dest; float white = 1; - state = &dev->stack[dev->top]; - old_dest = state[0].dest; - state[0].dest = state[0].mask; - state[0].mask = NULL; + old_dest = state[1].dest; + state[1].dest = state[1].mask; + state[1].mask = NULL; fz_try(ctx) { fz_draw_fill_path(devp, path, 0, &fz_identity, fz_device_gray(ctx), &white, 1); } fz_always(ctx) { - state[0].mask = state[0].dest; - state[0].dest = old_dest; + state[1].mask = state[1].dest; + state[1].dest = old_dest; fz_free_path(dev->ctx, path); } fz_catch(ctx) |
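Review bot: the `state[1]` indexing now rests on an unstated invariant that `state` still points at `&dev->stack[dev->top - 1]` when the path branch runs, which the removed line `state = &dev->stack[dev->top];` used to re-establish explicitly; consider a comment above `old_dest = state[1].dest;` (or an assertion such as `assert(state == &dev->stack[dev->top - 1]);` if the code base uses them) so that a later edit that moves `state` inside the loop does not silently reintroduce the out-of-bounds access. The restore in `fz_always` is consistent with the swap before `fz_try`: `state[1].mask = state[1].dest; state[1].dest = old_dest;` undoes exactly `state[1].dest = state[1].mask; state[1].mask = NULL;`.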