Age | Commit message | Author
The gel bbox was being stored internally as floats (despite
only holding ints). This means that as numbers get large the
bbox can become approximate, rather than exact. If the bbox
becomes smaller than it should, this causes crashes in the
scanline filling code.
This is seen with:
tests_private/fuzzing/mupdf2/17f8aee51ac776994af0b36195cdadd7_signal_sigsegv_5607be_7308_5912.pdf
The solution is simply to use ints rather than floats.
Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for providing the example files.
fz_reset_gel fails to reset the length of active edges, which could
(AFAICT) lead to pointers in gel->active pointing to memory that's
been previously freed by fz_resize_array.
The first file of this bug (hang-66.pdf) hangs while stroking a
VERY long line segment; so long that 'used' is sufficiently large
that:
used += dash_segment_len
doesn't result in a change in the value of used. The fix is
to clip strokes to the edge of the gel's clip area, meaning
that this should never occur.
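The hang described in this commit is float absorption: once the accumulator is large enough that one ulp exceeds the increment, `used += dash_segment_len` leaves `used` unchanged and the dash loop never terminates. The following C program is an added illustration, not MuPDF code; `count_dash_segments` is a hypothetical stand-in for a dash-walking loop, and the clipping limit `clip_max` stands in for the gel's clip area. It shows the loop detecting the stalled accumulator, and the same walk terminating once the stroke length is clipped first.

```c
#include <stdio.h>

/* Hypothetical stand-in for a dash-walking loop: advance 'used' along a
 * stroke of length 'line_len' in steps of 'dash_segment_len'.
 * Returns the number of dash segments walked, -1 if the float accumulator
 * stops advancing (absorption, which would otherwise hang), or -2 if the
 * safety bound 'max_iters' is exceeded. */
long count_dash_segments(float line_len, float dash_segment_len, long max_iters)
{
    float used = 0.0f;
    long n = 0;

    while (used < line_len) {
        float next = used + dash_segment_len;
        /* If adding the segment length does not change 'used', no further
         * iteration ever will: report it instead of looping forever. */
        if (next == used)
            return -1;
        used = next;
        n++;
        if (n > max_iters)
            return -2;
    }
    return n;
}

/* The fix pattern from the commit: bound the stroke to the clip area before
 * walking it, so 'used' never grows into the range where absorption occurs. */
long count_dash_segments_clipped(float line_len, float dash_segment_len,
                                 float clip_max, long max_iters)
{
    float clipped = line_len < clip_max ? line_len : clip_max;
    return count_dash_segments(clipped, dash_segment_len, max_iters);
}

int main(void)
{
    /* Constructed inputs: a normal stroke, an absurdly long one, and the
     * long one clipped to a 1000-unit area. */
    printf("normal:  %ld\n", count_dash_segments(100.0f, 10.0f, 1000));
    printf("huge:    %ld\n", count_dash_segments(30000000.0f, 1.0f, 1L << 26));
    printf("clipped: %ld\n",
           count_dash_segments_clipped(30000000.0f, 1.0f, 1000.0f, 1L << 26));
    return 0;
}
```

With a 1.0 dash step, absorption sets in at 2^24 (16777216.0f + 1.0f == 16777216.0f), so the unclipped walk stalls well before reaching 30000000 and is reported as -1; clipping the stroke to the clip area first keeps the accumulator small and the walk finishes.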
This bug has been in here for ages, but was masked by a bug in the
gel clipping that was fixed by Tor earlier.
The case with infinite scissor didn't work.