diff options
| author | Albert Astals Cid <aacid@kde.org> | 2013-08-18 16:19:27 +0200 |
|---|---|---|
| committer | Albert Astals Cid <aacid@kde.org> | 2013-08-18 16:19:52 +0200 |
| commit | 678c767584fa80620cc58a1d8a913cb3473209d4 (patch) | |
| tree | 846e649f626d93c670e86f4cb0631bc40a1f632e | |
| parent | fbea2241cccdde0106d2c34592b6ddda28a8d848 (diff) | |
Fix crash in 1026.asan.0.42.pdf
We were not checking that bitmapOff was in bounds
| -rw-r--r-- | splash/Splash.cc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/splash/Splash.cc b/splash/Splash.cc index ccfe1ed6..d5aec8f9 100644 --- a/splash/Splash.cc +++ b/splash/Splash.cc @@ -5420,6 +5420,7 @@ GBool Splash::gouraudTriangleShadedFill(SplashGouraudColor *shading) SplashClip* clip = getClip(); SplashBitmap *blitTarget = bitmap; SplashColorPtr bitmapData = bitmap->getDataPtr(); + int bitmapOffLimit = bitmap->getHeight() * bitmap->getRowSize(); SplashColorPtr bitmapAlpha = bitmap->getAlphaPtr(); SplashColorPtr cur = NULL; SplashCoord* userToCanvasMatrix = getMatrix(); @@ -5652,7 +5653,7 @@ GBool Splash::gouraudTriangleShadedFill(SplashGouraudColor *shading) colorinterp = scanColorMap[0] * scanLimitL + scanColorMap[1]; bitmapOff = scanLineOff + scanLimitL * colorComps; - for (int X = scanLimitL; X <= scanLimitR; ++X, colorinterp += scanColorMap[0], bitmapOff += colorComps) { + for (int X = scanLimitL; X <= scanLimitR && bitmapOff + colorComps <= bitmapOffLimit; ++X, colorinterp += scanColorMap[0], bitmapOff += colorComps) { // FIXME : standard rectangular clipping can be done for a // complete scanline which is faster // --> see SplashClip and its methods |