From 588f6d54c6db707acaa044a914dee29004054e91 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Mon, 13 Jan 2014 16:59:46 +0000
Subject: Bug 694890: Solve valgrind issues/SEGV due to use of invalid pixmap

fz_draw_clip_text changes the value of 'state' during a loop. The 'if (glyph)' part of the loop assumes that it points to gstate[top-1] where the 'path' part of the loop changes it to point to gstate[top]. If we render a "non glyph" glyph, then a "glyph" glyph, we will access an invalid state. This can cause a draw_glyph call on an invalid destination bitmap. The fix is simply not to reset state. Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the fuzzing files.
---
source/fitz/draw-device.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
(limited to 'source')

diff --git a/source/fitz/draw-device.c b/source/fitz/draw-device.c
index cf3daa51..3effa3a7 100644
--- a/source/fitz/draw-device.c
+++ b/source/fitz/draw-device.c
@@ -750,18 +750,17 @@ fz_draw_clip_text(fz_device *devp, fz_text *text, const fz_matrix *ctm, int accu
 	fz_pixmap *old_dest;
 	float white = 1;
 
-	state = &dev->stack[dev->top];
-	old_dest = state[0].dest;
-	state[0].dest = state[0].mask;
-	state[0].mask = NULL;
+	old_dest = state[1].dest;
+	state[1].dest = state[1].mask;
+	state[1].mask = NULL;
 	fz_try(ctx)
 	{
 		fz_draw_fill_path(devp, path, 0, &fz_identity, fz_device_gray(ctx), &white, 1);
 	}
 	fz_always(ctx)
 	{
-		state[0].mask = state[0].dest;
-		state[0].dest = old_dest;
+		state[1].mask = state[1].dest;
+		state[1].dest = old_dest;
 		fz_free_path(dev->ctx, path);
 	}
 	fz_catch(ctx)
-- 
cgit v1.2.3
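Review bot: The new code at `old_dest = state[1].dest;` relies on `state` still pointing one entry below the gstate pushed for this clip (the removed line shows that entry is `dev->stack[dev->top]`), but nothing in the hunk states that invariant, and it is exactly the assumption the deleted `state = &dev->stack[dev->top];` broke. A comment such as `/* state[0] is the caller's gstate, state[1] the entry pushed for this clip; never re-point state inside the glyph loop. */` above that line would keep the next maintainer from reintroducing the stale-pointer bug. If `dev->top` indexes the pushed entry, as the removed line suggests, an `assert(state == &dev->stack[dev->top - 1]);` before the dest/mask swap would turn a recurrence into a debug-time failure instead of a draw into a wrong or freed pixmap. The glyph loop and fz_draw_clip_text itself begin and end outside the hunk.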