From f85a9d6a08ebba9e319abdc05eadc3e443b878f1 Mon Sep 17 00:00:00 2001
From: Tor Andersson
Date: Tue, 28 Aug 2018 21:41:07 +0800
Subject: Bug 699683: Skip painting too large images when using interpolation.

When painting images using interpolation 16.16 fixpoint arithmetic is used.
This limits the width/height of any image that can be painted to 32767.

There was no size check, so large images caused overflow and subsequent
out of bounds accesses which triggered MSAN.

This c

Thanks to oss-fuzz for reporting.
---
 source/fitz/draw-affine.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'source')

diff --git a/source/fitz/draw-affine.c b/source/fitz/draw-affine.c
index 61f7eb3f..14383612 100644
--- a/source/fitz/draw-affine.c
+++ b/source/fitz/draw-affine.c
@@ -4044,6 +4044,10 @@ fz_paint_image_imp(fz_pixmap *dst, const fz_irect *scissor, fz_pixmap *shape, fz
 	if (dolerp)
 	{
+		/* image size overflows 16.16 fixed point math */
+		if (sw >= 32768 || sh >= 32768)
+			return;
+
 		u -= 32768;
 		v -= 32768;
 		sw = (sw<<16) + 32768;
-- 
cgit v1.2.3
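Review bot: the early `return` on `sw >= 32768 || sh >= 32768` drops the image from the rendered output without any diagnostic, so a document that hits this limit renders with silently missing content and nothing distinguishes that from a decoding failure; consider emitting a warning through the library's usual warning path before returning, and stating in the comment that the caller is responsible for deciding whether a skipped image is acceptable. The bound itself is tight for 32-bit `int`: with `sw` at most 32767, `(sw<<16) + 32768` evaluates to 2147450880, just under 2^31, while `sw == 32768` would make `sw<<16` equal to 2^31 and overflow a signed 32-bit value, so the `>=` comparison is correct and the comment could usefully say that the limit follows from `(sw<<16) + 32768` fitting in `int`. Two follow-ups worth confirming: the check only guards the `if (dolerp)` branch, so the non-interpolating path should be reviewed for the same 16.16 shifts; and the check assumes `sw` and `sh` are non-negative, which should hold for pixmap dimensions but is worth an assertion if the function is reachable with unvalidated sizes.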