Resolves: fdo#86493 Fix crash while scaling large bitmaps.

Fast bitmap scaling overflowed the LUT used by the nearest-neighbor algorithm. When a bitmap has 46k pixel on a side and is enlarged, the scaling code overflows the 32-bit long, resulting in negative indexes, which then segfaults. This isn't as rare as it sounds. At least in web-view in writer the border/shadow bitmap is as long as the document (which is an issue in its own right,) which can overflow for large documents during scaling and segfault. Reviewed-on: https://gerrit.libreoffice.org/14597 Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com> (cherry picked from commit c91bfb9ac7d110c5dca0ea34ec0e1668a985b34c) Change-Id: I1ccf73d02469f6601a9a7e67b30524cb497cf6bc Reviewed-on: https://gerrit.libreoffice.org/14809 Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk> Tested-by: Miklos Vajna <vmiklos@collabora.co.uk>
author: Ashod Nakashian <ashodnakashian@yahoo.com> 2015-02-23 22:33:27 -0500
committer: Miklos Vajna <vmiklos@collabora.co.uk> 2015-03-09 13:56:52 +0000
commit: e40f78753e10be6ca867aac593b6f0be166f3b73 (patch)
tree: c5946d4fad0e1cb3e0eed6873a99699209ff51ed /vcl
parent: 3feb8d18cfc7620891976c7fe116988a57192b79 (diff)
1 files changed, 7 insertions, 6 deletions
diff --git a/vcl/source/gdi/bitmap3.cxx b/vcl/source/gdi/bitmap3.cxx
index a99cd7705d2b..6891289b8da6 100644
--- a/vcl/source/gdi/bitmap3.cxx
+++ b/vcl/source/gdi/bitmap3.cxx
@@ -1075,18 +1075,19 @@ bool Bitmap::ImplScaleFast( const double& rScaleX, const double& rScaleY )
                 const long nScanlineSize = pWriteAcc->GetScanlineSize();
                 const long nNewWidth1 = nNewWidth - 1L;
                 const long nNewHeight1 = nNewHeight - 1L;
-                const long nWidth = pReadAcc->Width();
-                const long nHeight = pReadAcc->Height();
-                boost::scoped_array<long> pLutX(new long[ nNewWidth ]);
-                boost::scoped_array<long> pLutY(new long[ nNewHeight ]);
 
                 if( nNewWidth1 && nNewHeight1 )
                 {
+                    const double nWidth = pReadAcc->Width();
+                    const double nHeight = pReadAcc->Height();
+                    boost::scoped_array<long> pLutX(new long[ nNewWidth ]);
+                    boost::scoped_array<long> pLutY(new long[ nNewHeight ]);
+
                     for( long nX = 0L; nX < nNewWidth; nX++ )
-                        pLutX[ nX ] = nX * nWidth / nNewWidth;
+                        pLutX[ nX ] = long(nX * nWidth / nNewWidth);
 
                     for( long nY = 0L; nY < nNewHeight; nY++ )
-                        pLutY[ nY ] = nY * nHeight / nNewHeight;
+                        pLutY[ nY ] = long(nY * nHeight / nNewHeight);
 
                     long nActY = 0L;
                     while( nActY < nNewHeight )
author	Ashod Nakashian <ashodnakashian@yahoo.com>	2015-02-23 22:33:27 -0500
committer	Miklos Vajna <vmiklos@collabora.co.uk>	2015-03-09 13:56:52 +0000
commit	e40f78753e10be6ca867aac593b6f0be166f3b73 (patch)
tree	c5946d4fad0e1cb3e0eed6873a99699209ff51ed /vcl
parent	3feb8d18cfc7620891976c7fe116988a57192b79 (diff)