| author | Tor Andersson <tor.andersson@artifex.com> | 2018-08-28 21:41:07 +0800 |
|---|---|---|
| committer | Sebastian Rasmussen <sebras@gmail.com> | 2018-08-28 22:48:13 +0800 |
| commit | f85a9d6a08ebba9e319abdc05eadc3e443b878f1 (patch) | |
| tree | 7087c4b55ad03b7ca4c357638cf6c2df34992929 /source/fitz | |
| parent | d958fdda891752563fc3b7b36448061f1809e683 (diff) | |
| download | mupdf-f85a9d6a08ebba9e319abdc05eadc3e443b878f1.tar.xz | |
Bug 699683: Skip painting too large images when using interpolation.
When painting images using interpolation, 16.16 fixpoint
arithmetic is used. This limits the width/height of any
image that can be painted to 32767. There was no size check,
so large images caused overflow and subsequent out of bounds
accesses which triggered MSAN. This c
Thanks to oss-fuzz for reporting.
Diffstat (limited to 'source/fitz')

| -rw-r--r-- | source/fitz/draw-affine.c | 4 |
|---|---|---|

1 file changed, 4 insertions, 0 deletions
diff --git a/source/fitz/draw-affine.c b/source/fitz/draw-affine.c index 61f7eb3f..14383612 100644 --- a/source/fitz/draw-affine.c +++ b/source/fitz/draw-affine.c @@ -4044,6 +4044,10 @@ fz_paint_image_imp(fz_pixmap *dst, const fz_irect *scissor, fz_pixmap *shape, fz if (dolerp) { + /* image size overflows 16.16 fixed point math */ + if (sw >= 32768 || sh >= 32768) + return; + u -= 32768; v -= 32768; sw = (sw<<16) + 32768; |
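Review bot: the early `return` added after `if (dolerp)` drops the whole image silently, and since the visible signature of `fz_paint_image_imp` carries no context argument there is no way to emit a diagnostic at this point; consider extending the comment from `/* image size overflows 16.16 fixed point math */` to state that the image is skipped rather than painted, so a reader of the rendering code understands why an oversized image disappears from the output. The bound itself is correct for the computation that follows: with `sw <= 32767`, `sw<<16` stays below `INT_MAX` and the subsequent `+ 32768` still fits in a signed 32-bit int, which is exactly the overflow the commit message describes.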