From 3440e0e3113e93ca2b7fa1a110ad52734d713fe4 Mon Sep 17 00:00:00 2001 From: Robin Watts Date: Thu, 20 Dec 2012 13:38:49 +0000 Subject: Bug 693503: Fix SEGV in glyph painting due to bbox overflow. When calculating the bbox for draw_glyph, if the x and y origins of the glyph are extreme (too large to fit in an int), we get overflows of the bbox; empty bboxes are transformed to large ones. The fix is to introduce an fz_translate_bbox function that checks for such things. Also, we update various bbox/rect functions to check for empty bboxes before they check for infinite ones (as a bbox of x0=0 x1=0 y0=0 y1=-1 will be detected both as infinite and empty). Problem found in 2485.pdf.SIGSEGV.2a.1652, a test file supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks! --- draw/draw_device.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'draw') diff --git a/draw/draw_device.c b/draw/draw_device.c index 96c4dd53..605a335e 100644 --- a/draw/draw_device.c +++ b/draw/draw_device.c @@ -472,11 +472,7 @@ draw_glyph(unsigned char *colorbv, fz_pixmap *dst, fz_pixmap *msk, int x, y, w, h; bbox = fz_pixmap_bbox_no_ctx(msk); - bbox.x0 += xorig; - bbox.y0 += yorig; - bbox.x1 += xorig; - bbox.y1 += yorig; - + bbox = fz_translate_bbox(bbox, xorig, yorig); bbox = fz_intersect_bbox(bbox, scissor); /* scissor < dst */ x = bbox.x0; y = bbox.y0; -- cgit v1.2.3
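Review bot: The definition of fz_translate_bbox is not visible in this diff (the view is limited to draw/), so the overflow guard the commit message describes cannot be checked from the hunk alone; the reviewer should confirm in the change that introduces it that an empty input bbox is returned unchanged before any infinite-bbox test (the message's x0=0 x1=0 y0=0 y1=-1 case is classified as both), and that xorig/yorig values whose sum with the edges would not fit in an int are clamped or rejected rather than added as the removed `bbox.x0 += xorig;` lines did, since the translated result still feeds `bbox = fz_intersect_bbox(bbox, scissor);` and then `x = bbox.x0; y = bbox.y0;`. The hunk also drops the blank line that separated the translation from the intersect call, a cosmetic change better kept out of a bug-fix commit.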