authorThomas Freitag <Thomas.Freitag@alfa.de>2012-09-09 23:25:47 +0200
committerAlbert Astals Cid <aacid@kde.org>2012-09-09 23:25:47 +0200
commit558a7d9b046bbbe185dea263b48a3cb2664378fc (patch)
tree7187a100e117a87eeaa4240e50e5bdb22084ddac
parentd0df8e54512f584ca2b3edbae1c19e167948e5c3 (diff)
Fix invalid memory access in solves 1066.pdf.asan.38.75
-rw-r--r--splash/SplashClip.cc23
-rw-r--r--splash/SplashXPathScanner.cc3
2 files changed, 26 insertions, 0 deletions
diff --git a/splash/SplashClip.cc b/splash/SplashClip.cc
index 41b73c84..fb188317 100644
--- a/splash/SplashClip.cc
+++ b/splash/SplashClip.cc
@@ -384,4 +384,27 @@ void SplashClip::clipAALine(SplashBitmap *aaBuf, int *x0, int *x1, int y) {
for (i = 0; i < length; ++i) {
scanners[i]->clipAALine(aaBuf, x0, x1, y);
}
+ if (*x0 > *x1) {
+ *x0 = *x1;
+ }
+ if (*x0 < 0) {
+ *x0 = 0;
+ }
+ if ((*x0>>1) >= aaBuf->getRowSize()) {
+ xx0 = *x0;
+ *x0 = (aaBuf->getRowSize() - 1) << 1;
+ if (xx0 & 1) {
+ *x0 = *x0 + 1;
+ }
+ }
+ if (*x1 < *x0) {
+ *x1 = *x0;
+ }
+ if ((*x1>>1) >= aaBuf->getRowSize()) {
+ xx0 = *x1;
+ *x1 = (aaBuf->getRowSize() - 1) << 1;
+ if (xx0 & 1) {
+ *x1 = *x1 + 1;
+ }
+ }
}
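Review bot: The clamp `(aaBuf->getRowSize() - 1) << 1` assumes the row size is at least 1; if `getRowSize()` can return 0, both `*x0` and `*x1` come out negative again (and a negative value is left-shifted), which is the out-of-range state this block is meant to prevent, so a guard for a non-positive row size ahead of the clamps would close that gap. The `>>1`/`<<1` pair also hard-codes what appears to be a two-pixels-per-byte layout of the anti-aliasing buffer without saying so; a comment such as `// x >> 1 is the byte offset within an aaBuf row; keep x0/x1 inside the row` would make the bound auditable, and deriving it from `splashAASize` (used in SplashXPathScanner.cc) rather than a literal shift would keep it correct if that constant changes. The x0 and x1 clamps are the same lines written twice and reuse `xx0` as scratch for `*x1`, so a small file-local helper would remove the duplication. The body of clipAALine starts outside this hunk, so the declaration and earlier use of `xx0` cannot be checked from here.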
diff --git a/splash/SplashXPathScanner.cc b/splash/SplashXPathScanner.cc
index c9fe5e5d..738cef7b 100644
--- a/splash/SplashXPathScanner.cc
+++ b/splash/SplashXPathScanner.cc
@@ -441,6 +441,9 @@ void SplashXPathScanner::renderAALine(SplashBitmap *aaBuf,
}
}
}
+ if (xxMin > xxMax) {
+ xxMin = xxMax;
+ }
*x0 = xxMin / splashAASize;
*x1 = (xxMax - 1) / splashAASize;
}
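Review bot: The added `xxMin = xxMax` clamp does not guarantee `*x0 <= *x1` on exit: with `xxMin == xxMax` and `xxMax` a positive multiple of `splashAASize`, `*x0` becomes `xxMax / splashAASize` while `*x1` is one less. If the intent is that callers never receive an inverted span, normalizing after the divisions is more direct, e.g. `if (*x0 > *x1) { *x0 = *x1; }`, together with a comment stating what an empty line is expected to return. A negative `xxMax` also passes through both divisions unchecked and would yield negative coordinates; whether that can happen depends on the loop above, which lies outside this hunk, and callers of renderAALine are not visibly covered by the clamps added in SplashClip.cc.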