authorRobin Watts <robin.watts@artifex.com>2014-01-13 16:59:46 +0000
committerRobin Watts <robin.watts@artifex.com>2014-01-13 17:22:03 +0000
commit588f6d54c6db707acaa044a914dee29004054e91 (patch)
tree177324a9b194ab646cd93ccc52b73b93a569c048 /source
parent056a8de560419eedaf097703893c798284ebb0a2 (diff)
Bug 694890: Solve valgrind issues/SEGV due to use of invalid pixmap
fz_draw_clip_text changes the value of 'state' during a loop. The 'if (glyph)' part of the loop assumes that it points to gstate[top-1] where the 'path' part of the loop changes it to point to gstate[top]. If we render a "non glyph" glyph (which takes the path route) followed by a "glyph" glyph, the glyph code then operates on the wrong stack entry. This can cause a draw_glyph call on an invalid destination bitmap. The fix is simply not to reset 'state' in the path branch, indexing the stack entry above it explicitly instead. Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the fuzzing files.
Diffstat (limited to 'source')
-rw-r--r--source/fitz/draw-device.c11
1 files changed, 5 insertions, 6 deletions
diff --git a/source/fitz/draw-device.c b/source/fitz/draw-device.c
index cf3daa51..3effa3a7 100644
--- a/source/fitz/draw-device.c
+++ b/source/fitz/draw-device.c
@@ -750,18 +750,17 @@ fz_draw_clip_text(fz_device *devp, fz_text *text, const fz_matrix *ctm, int accu
fz_pixmap *old_dest;
float white = 1;
- state = &dev->stack[dev->top];
- old_dest = state[0].dest;
- state[0].dest = state[0].mask;
- state[0].mask = NULL;
+ old_dest = state[1].dest;
+ state[1].dest = state[1].mask;
+ state[1].mask = NULL;
fz_try(ctx)
{
fz_draw_fill_path(devp, path, 0, &fz_identity, fz_device_gray(ctx), &white, 1);
}
fz_always(ctx)
{
- state[0].mask = state[0].dest;
- state[0].dest = old_dest;
+ state[1].mask = state[1].dest;
+ state[1].dest = old_dest;
fz_free_path(dev->ctx, path);
}
fz_catch(ctx)