Fix memory overwrites when plotting glyphs that are completely clipped.

This bug has been in here for ages, but was masked by a bug in the
gel clipping that was fixed by Tor earlier.

2 files changed, 11 insertions, 3 deletions

diff --git a/source/fitz/draw-device.c b/source/fitz/draw-device.c
index bdafc4d5..00b95e75 100644
--- a/source/fitz/draw-device.c
+++ b/source/fitz/draw-device.c
@@ -472,12 +472,16 @@ draw_glyph(unsigned char *colorbv, fz_pixmap *dst, fz_pixmap *msk,
 	int xorig, int yorig, const fz_irect *scissor)
 {
 	unsigned char *dp, *mp;
-	fz_irect bbox;
+	fz_irect bbox, bbox2;
 	int x, y, w, h;
 
 	fz_pixmap_bbox_no_ctx(msk, &bbox);
 	fz_translate_irect(&bbox, xorig, yorig);
 	fz_intersect_irect(&bbox, scissor); /* scissor < dst */
+
+	if (fz_is_empty_irect(fz_intersect_irect(&bbox, fz_pixmap_bbox_no_ctx(dst, &bbox2))))
+		return;
+
 	x = bbox.x0;
 	y = bbox.y0;
 	w = bbox.x1 - bbox.x0;
diff --git a/source/fitz/draw-edge.c b/source/fitz/draw-edge.c
index 7809de78..fcce6f5c 100644
--- a/source/fitz/draw-edge.c
+++ b/source/fitz/draw-edge.c
@@ -964,9 +964,13 @@ fz_scan_convert(fz_gel *gel, int eofill, const fz_irect *clip,
 	fz_pixmap *dst, unsigned char *color)
 {
 	fz_aa_context *ctxaa = gel->ctx->aa;
+	fz_irect local_clip;
+
+	if (fz_is_empty_irect(fz_intersect_irect(fz_pixmap_bbox_no_ctx(dst, &local_clip), clip)))
+		return;
 
 	if (fz_aa_bits > 0)
-		fz_scan_convert_aa(gel, eofill, clip, dst, color);
+		fz_scan_convert_aa(gel, eofill, &local_clip, dst, color);
 	else
-		fz_scan_convert_sharp(gel, eofill, clip, dst, color);
+		fz_scan_convert_sharp(gel, eofill, &local_clip, dst, color);
 }