From d54880994238be020d5e7298b45eb74ae5e846b6 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Sat, 15 Dec 2012 00:05:00 +0000
Subject: Bug 693503: Fix out of bounds memory access in scaler.

When extreme ranges (+/- MAX_INT) are passed into the scaler signed wrap around gives us problems when calculating the patch. Simply ignore such cases.

Problem found in 1792.pdf.SIGSEGV.387.883, a test file supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
---
 draw/draw_simple_scale.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'draw')

diff --git a/draw/draw_simple_scale.c b/draw/draw_simple_scale.c
index 606ee2bb..aa00a916 100644
--- a/draw/draw_simple_scale.c
+++ b/draw/draw_simple_scale.c
@@ -1237,6 +1237,10 @@ fz_scale_pixmap_cached(fz_context *ctx, fz_pixmap *src, float x, float y, float
 DBUG(("Scale: (%d,%d) to (%g,%g) at (%g,%g)\n",src->w,src->h,w,h,x,y));
+ /* Avoid extreme scales where overflows become problematic. */
+ if (w > (1<<24) || h > (1<<24) || w < -(1<<24) || h < -(1<<24))
+ return NULL;
+
 /* Find the destination bbox, width/height, and sub pixel offset,
 * allowing for whether we're flipping or not. */
 /* The (x,y) position given describes where the top left corner of the
--
cgit v1.2.3
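Review bot: The new guard `if (w > (1<<24) || h > (1<<24) || w < -(1<<24) || h < -(1<<24))` rejects large magnitudes but lets NaN through, because every ordered comparison with NaN is false, so a NaN w or h still reaches the float-to-int conversions the commit is protecting. Writing the test as the negation of the accepted range catches NaN without needing any new header: `if (!(w <= (1<<24) && w >= -(1<<24) && h <= (1<<24) && h >= -(1<<24)))`. The hunk header shows x and y are also floats; if the destination bbox below is derived from them as well as from w and h (not visible here), they presumably need the same bound, otherwise an extreme x or y can reproduce the overflow on a different path. The comment above the check would be more useful if it named the limit, e.g. `/* Reject |w|,|h| (and NaN) beyond 2^24 so later bbox arithmetic cannot overflow int. */`, and a named constant would avoid repeating the literal four times. fz_scale_pixmap_cached begins before the hunk and its body continues after it.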