From 877cbdf0b279bb4bf5f3b74182ab6d0101095f99 Mon Sep 17 00:00:00 2001
From: Ray Johnston
Date: Wed, 19 Jul 2017 12:13:30 -0700
Subject: Fix bug 696402: Segfault with fuzzed data caused by dda overflow.

The ty of the matrix in the fuzzed data was a very large value that resulted in the Y for an image being near the limit for the dda, so the first step (dda_next) overflowed from positive to negative resulting is a large destination height calculation (vdi). Prevent this by not stepping if it would cause an overflow. This will be outside the clip limits, so will not affect the output.
---
 base/gxidata.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'base/gxidata.c')

diff --git a/base/gxidata.c b/base/gxidata.c
index f9d05f802..f464b2b36 100644
--- a/base/gxidata.c
+++ b/base/gxidata.c
@@ -135,10 +135,14 @@ gx_image1_plane_data(gx_image_enum_common_t * info,
             dmputs(dev->memory, "\n");
         }
 #endif
+        /* Bump DDA's if it doesn't cause overflow */
         penum->cur.x = dda_current(penum->dda.row.x);
-        dda_next(penum->dda.row.x);
+        if (max_int - any_abs(penum->dda.row.x.step.dQ) > any_abs(penum->cur.x))
+            dda_next(penum->dda.row.x);
         penum->cur.y = dda_current(penum->dda.row.y);
-        dda_next(penum->dda.row.y);
+        if (max_int - any_abs(penum->dda.row.y.step.dQ) > any_abs(penum->cur.y))
+            dda_next(penum->dda.row.y);
+
         if (penum->interpolate == interp_off)
             switch (penum->posture) {
             case image_portrait:
-- 
cgit v1.2.1
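Review bot: The guard added in front of each `dda_next` can itself overflow, because `any_abs(penum->cur.x)` (and its `.y` twin) presumably negates a negative argument, so a fuzzed `cur.x` of `min_int` is signed overflow before the comparison runs, and the magnitude-only test is also stricter than needed since it skips the step whenever `|cur|` is near `max_int` even when `dQ` points back toward zero and stepping would be safe. A sign-aware test such as `if (penum->dda.row.x.step.dQ >= 0 ? penum->cur.x < max_int - penum->dda.row.x.step.dQ : penum->cur.x > min_int - penum->dda.row.x.step.dQ)` (and the same with `.y`) avoids both problems, assuming `min_int` is defined beside `max_int` as elsewhere in the tree. The strict `<`/`>` keeps one unit of slack, which matters if `dda_next` can advance by `dQ` plus a remainder carry of one; confirm that against the macro in gxdda.h before relying on it. Skipping the step also leaves the DDA permanently behind the row count for the rest of the image, which the commit message argues is harmless because the position is already outside the clip; a comment such as `/* Skipping leaves the DDA stuck, but only when already outside any clip. */` next to the skip would save the next reader that reasoning. gx_image1_plane_data begins before and continues after this hunk.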