summaryrefslogtreecommitdiff
path: root/source/fitz/draw-device.c
diff options
context:
space:
mode:
authorRobin Watts <robin.watts@artifex.com>2014-01-13 16:59:46 +0000
committerRobin Watts <robin.watts@artifex.com>2014-01-13 17:22:03 +0000
commit588f6d54c6db707acaa044a914dee29004054e91 (patch)
tree177324a9b194ab646cd93ccc52b73b93a569c048 /source/fitz/draw-device.c
parent056a8de560419eedaf097703893c798284ebb0a2 (diff)
downloadmupdf-588f6d54c6db707acaa044a914dee29004054e91.tar.xz
Bug 694890: Solve valgrind issues/SEGV due to use of invalid pixmap
fz_draw_clip_text changes the value of 'state' during a loop. The 'if (glyph)' part of the loop assumes that it points to gstate[top-1] where the 'path' part of the loop changes it to point to gstate[top]. If we render a "non glyph" glyph, then a "glyph" glyph, we will access an invalid state. This can cause a draw_glyph call on an invalid destination bitmap. The fix is simply not to reset state. Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the fuzzing files.
Diffstat (limited to 'source/fitz/draw-device.c')
-rw-r--r--source/fitz/draw-device.c11
1 files changed, 5 insertions, 6 deletions
diff --git a/source/fitz/draw-device.c b/source/fitz/draw-device.c
index cf3daa51..3effa3a7 100644
--- a/source/fitz/draw-device.c
+++ b/source/fitz/draw-device.c
@@ -750,18 +750,17 @@ fz_draw_clip_text(fz_device *devp, fz_text *text, const fz_matrix *ctm, int accu
fz_pixmap *old_dest;
float white = 1;
- state = &dev->stack[dev->top];
- old_dest = state[0].dest;
- state[0].dest = state[0].mask;
- state[0].mask = NULL;
+ old_dest = state[1].dest;
+ state[1].dest = state[1].mask;
+ state[1].mask = NULL;
fz_try(ctx)
{
fz_draw_fill_path(devp, path, 0, &fz_identity, fz_device_gray(ctx), &white, 1);
}
fz_always(ctx)
{
- state[0].mask = state[0].dest;
- state[0].dest = old_dest;
+ state[1].mask = state[1].dest;
+ state[1].dest = old_dest;
fz_free_path(dev->ctx, path);
}
fz_catch(ctx)