diff options
author | Thomas Freitag <Thomas.Freitag@alfa.de> | 2012-09-09 23:25:47 +0200 |
---|---|---|
committer | Albert Astals Cid <aacid@kde.org> | 2012-09-09 23:25:47 +0200 |
commit | 558a7d9b046bbbe185dea263b48a3cb2664378fc (patch) | |
tree | 7187a100e117a87eeaa4240e50e5bdb22084ddac | |
parent | d0df8e54512f584ca2b3edbae1c19e167948e5c3 (diff) |
Fix invalid memory access in solves 1066.pdf.asan.38.75
-rw-r--r-- | splash/SplashClip.cc | 23 | ||||
-rw-r--r-- | splash/SplashXPathScanner.cc | 3 |
2 files changed, 26 insertions, 0 deletions
diff --git a/splash/SplashClip.cc b/splash/SplashClip.cc index 41b73c84..fb188317 100644 --- a/splash/SplashClip.cc +++ b/splash/SplashClip.cc @@ -384,4 +384,27 @@ void SplashClip::clipAALine(SplashBitmap *aaBuf, int *x0, int *x1, int y) { for (i = 0; i < length; ++i) { scanners[i]->clipAALine(aaBuf, x0, x1, y); } + if (*x0 > *x1) { + *x0 = *x1; + } + if (*x0 < 0) { + *x0 = 0; + } + if ((*x0>>1) >= aaBuf->getRowSize()) { + xx0 = *x0; + *x0 = (aaBuf->getRowSize() - 1) << 1; + if (xx0 & 1) { + *x0 = *x0 + 1; + } + } + if (*x1 < *x0) { + *x1 = *x0; + } + if ((*x1>>1) >= aaBuf->getRowSize()) { + xx0 = *x1; + *x1 = (aaBuf->getRowSize() - 1) << 1; + if (xx0 & 1) { + *x1 = *x1 + 1; + } + } } diff --git a/splash/SplashXPathScanner.cc b/splash/SplashXPathScanner.cc index c9fe5e5d..738cef7b 100644 --- a/splash/SplashXPathScanner.cc +++ b/splash/SplashXPathScanner.cc @@ -441,6 +441,9 @@ void SplashXPathScanner::renderAALine(SplashBitmap *aaBuf, } } } + if (xxMin > xxMax) { + xxMin = xxMax; + } *x0 = xxMin / splashAASize; *x1 = (xxMax - 1) / splashAASize; } |