[poppler] splash/Splash.cc
Albert Astals Cid
aacid at kemper.freedesktop.org
Sun May 27 06:48:08 UTC 2018
splash/Splash.cc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
New commits:
commit 9a8d33246601dbd2bea98bb3404596848f71162a
Author: Albert Astals Cid <aacid at kde.org>
Date: Sun May 27 08:47:19 2018 +0200
Splash::fillGlyph2: fix buffer overflow
Make sure xx / 8 + 1 is not out of bounds
fixes oss-fuzz/8422
diff --git a/splash/Splash.cc b/splash/Splash.cc
index 14f40cd7..c720f30c 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -2861,7 +2861,7 @@ void Splash::fillGlyph2(int x0, int y0, SplashGlyphBitmap *glyph, GBool noClip)
for (yy = 0, y1 = yStart; yy < yyLimit; ++yy, ++y1) {
pipeSetXY(&pipe, xStart, y1);
for (xx = 0, x1 = xStart; xx < xxLimit; xx += 8) {
- alpha0 = (xShift > 0 ? (p[xx / 8] << xShift) | (p[xx / 8 + 1] >> (8 - xShift)) : p[xx / 8]);
+ alpha0 = (xShift > 0 && xx < xxLimit - 8 ? (p[xx / 8] << xShift) | (p[xx / 8 + 1] >> (8 - xShift)) : p[xx / 8]);
for (xx1 = 0; xx1 < 8 && xx + xx1 < xxLimit; ++xx1, ++x1) {
if (alpha0 & 0x80) {
(this->*pipe.run)(&pipe);
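Review bot: In the final 8-pixel group the new fallback takes `p[xx / 8]` unshifted even when `xShift > 0`, so those pixels appear to be read from different bit positions than in every earlier group of the row. This avoids the out-of-bounds read of `p[xx / 8 + 1]` but may misplace the glyph's right edge. If that is not intended, keep the shift and drop only the next-byte read, e.g. `alpha0 = xShift > 0 ? (p[xx / 8] << xShift) | (xx < xxLimit - 8 ? p[xx / 8 + 1] >> (8 - xShift) : 0) : p[xx / 8];`. The identical line in the second hunk (the clipped path at -2907) needs the same treatment. The guard is also written in pixels (`xxLimit - 8`) while the thing being protected is a byte index; since the allocation size of `p` and the rest of `fillGlyph2` lie outside these hunks, a short comment stating the row length in bytes that the check relies on would make the bound auditable.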
@@ -2907,7 +2907,7 @@ void Splash::fillGlyph2(int x0, int y0, SplashGlyphBitmap *glyph, GBool noClip)
for (yy = 0, y1 = yStart; yy < yyLimit; ++yy, ++y1) {
pipeSetXY(&pipe, xStart, y1);
for (xx = 0, x1 = xStart; xx < xxLimit; xx += 8) {
- alpha0 = (xShift > 0 ? (p[xx / 8] << xShift) | (p[xx / 8 + 1] >> (8 - xShift)) : p[xx / 8]);
+ alpha0 = (xShift > 0 && xx < xxLimit - 8 ? (p[xx / 8] << xShift) | (p[xx / 8 + 1] >> (8 - xShift)) : p[xx / 8]);
for (xx1 = 0; xx1 < 8 && xx + xx1 < xxLimit; ++xx1, ++x1) {
if (state->clip->test(x1, y1)) {
if (alpha0 & 0x80) {