diff options
author | Ray Johnston <ray.johnston@artifex.com> | 2017-07-19 12:13:30 -0700 |
---|---|---|
committer | Ray Johnston <ray.johnston@artifex.com> | 2017-07-20 09:35:32 -0700 |
commit | 877cbdf0b279bb4bf5f3b74182ab6d0101095f99 (patch) | |
tree | 90af3a1f7fb07e73d3862745b4a44490da70f8bf /base/gxidata.c | |
parent | 91fd78617440c18288b6d4cd226fa3f77db91705 (diff) | |
download | ghostpdl-877cbdf0b279bb4bf5f3b74182ab6d0101095f99.tar.gz |
Fix bug 696402: Segfault with fuzzed data caused by dda overflow.
The ty of the matrix in the fuzzed data was a very large value that
resulted in the Y for an image being near the limit for the dda,
so the first step (dda_next) overflowed from positive to negative
resulting is a large destination height calculation (vdi). Prevent
this by not stepping if it would cause an overflow. This will be
outside the clip limits, so will not affect the output.
Diffstat (limited to 'base/gxidata.c')
-rw-r--r-- | base/gxidata.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/base/gxidata.c b/base/gxidata.c index f9d05f802..f464b2b36 100644 --- a/base/gxidata.c +++ b/base/gxidata.c @@ -135,10 +135,14 @@ gx_image1_plane_data(gx_image_enum_common_t * info, dmputs(dev->memory, "\n"); } #endif + /* Bump DDA's if it doesn't cause overflow */ penum->cur.x = dda_current(penum->dda.row.x); - dda_next(penum->dda.row.x); + if (max_int - any_abs(penum->dda.row.x.step.dQ) > any_abs(penum->cur.x)) + dda_next(penum->dda.row.x); penum->cur.y = dda_current(penum->dda.row.y); - dda_next(penum->dda.row.y); + if (max_int - any_abs(penum->dda.row.y.step.dQ) > any_abs(penum->cur.y)) + dda_next(penum->dda.row.y); + if (penum->interpolate == interp_off) switch (penum->posture) { case image_portrait: |