authorRay Johnston <ray.johnston@artifex.com>2017-07-19 12:13:30 -0700
committerRay Johnston <ray.johnston@artifex.com>2017-07-20 09:35:32 -0700
commit877cbdf0b279bb4bf5f3b74182ab6d0101095f99 (patch)
tree90af3a1f7fb07e73d3862745b4a44490da70f8bf /base/gxidata.c
parent91fd78617440c18288b6d4cd226fa3f77db91705 (diff)
Fix bug 696402: Segfault with fuzzed data caused by dda overflow.
The ty of the matrix in the fuzzed data was a very large value that resulted in the Y for an image being near the limit for the dda, so the first step (dda_next) overflowed from positive to negative, resulting in a large destination height calculation (vdi). Prevent this by not stepping if it would cause an overflow. This will be outside the clip limits, so will not affect the output.
Diffstat (limited to 'base/gxidata.c')
-rw-r--r--base/gxidata.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/base/gxidata.c b/base/gxidata.c
index f9d05f802..f464b2b36 100644
--- a/base/gxidata.c
+++ b/base/gxidata.c
@@ -135,10 +135,14 @@ gx_image1_plane_data(gx_image_enum_common_t * info,
dmputs(dev->memory, "\n");
}
#endif
+ /* Bump DDA's if it doesn't cause overflow */
penum->cur.x = dda_current(penum->dda.row.x);
- dda_next(penum->dda.row.x);
+ if (max_int - any_abs(penum->dda.row.x.step.dQ) > any_abs(penum->cur.x))
+ dda_next(penum->dda.row.x);
penum->cur.y = dda_current(penum->dda.row.y);
- dda_next(penum->dda.row.y);
+ if (max_int - any_abs(penum->dda.row.y.step.dQ) > any_abs(penum->cur.y))
+ dda_next(penum->dda.row.y);
+
if (penum->interpolate == interp_off)
switch (penum->posture) {
case image_portrait:
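Review bot: The two new guards take `any_abs()` of `step.dQ` and of `cur.x`/`cur.y`, values that derive from the fuzzed matrix, and if `any_abs` is the usual negate-when-negative macro then an operand equal to the most negative value overflows inside the guard itself, before the comparison protects anything. The test also ignores direction, so a step that moves the DDA back toward zero is skipped as well; a sign-aware bound on each axis would avoid both issues. The claim that a skipped step is harmless rests on the row being outside the clip limits, which is stated only in the commit message, so the comment should carry it, for example `/* Step the row DDAs unless that would overflow; such rows are outside the clip limits, so output is unaffected */`. `gx_image1_plane_data` starts and continues outside this hunk, so whether later `dda_next` calls on the same DDAs need the same bound cannot be checked from here.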