authorRobin Watts <robin.watts@artifex.com>2014-01-08 17:17:45 +0000
committerRobin Watts <robin.watts@artifex.com>2014-01-08 19:20:54 +0000
commit32f9ae732fc4f33ef2644a09b05d8ad35bc140ca (patch)
treef0bb7e189e6ff05377f22c42bec6b7987b9b2a17 /source/fitz/draw-edge.c
parentfb20d5b74fcd9aac44b90a475ddb3b4c2f55ae9e (diff)
Fix fuzzing bug due to float representation limitations.
The gel bbox was being stored internally as floats (despite only holding ints). This means that as numbers get large the bbox can become approximate, rather than exact. If the bbox becomes smaller than it should, this causes crashes in the scanline filling code. This is seen with: tests_private/fuzzing/mupdf2/17f8aee51ac776994af0b36195cdadd7_signal_sigsegv_5607be_7308_5912.pdf The solution is simply to use ints rather than floats. Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the example files.
Diffstat (limited to 'source/fitz/draw-edge.c')
-rw-r--r--source/fitz/draw-edge.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/source/fitz/draw-edge.c b/source/fitz/draw-edge.c
index 7d57f3b6..769116ac 100644
--- a/source/fitz/draw-edge.c
+++ b/source/fitz/draw-edge.c
@@ -160,7 +160,7 @@ struct fz_edge_s
struct fz_gel_s
{
fz_rect clip;
- fz_rect bbox;
+ fz_irect bbox;
int cap, len;
fz_edge *edges;
int acap, alen;
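Review bot: Changing `bbox` from `fz_rect` to `fz_irect` compiles without touching any other line of this file (the diffstat shows one insertion and one deletion), which means every existing read and write of `gel->bbox` in draw-edge.c now goes through an implicit float-to-int conversion wherever a float expression is assigned to a bbox field. Such a conversion truncates toward zero, so if any of those sites assigns an unrounded float, the box can still end up smaller than the true edge extent for negative coordinates, which is the same shrink-then-overrun failure the description blames on float precision; those sites should be checked to round outward (floor for x0/y0, ceil for x1/y1) before storing. The field also deserves a line explaining why it differs from the neighbouring `clip`, e.g. `fz_irect bbox; /* integer on purpose: must stay exact for large coordinates, see scanline fill */`. The struct definition continues past the end of the hunk.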