diff options
| author | Albert Astals Cid <aacid@kde.org> | 2018-05-27 08:47:19 +0200 |
|---|---|---|
| committer | Albert Astals Cid <aacid@kde.org> | 2018-05-27 08:47:19 +0200 |
| commit | 9a8d33246601dbd2bea98bb3404596848f71162a (patch) | |
| tree | 34aececedd525e25807c7010d5da08c94cac8eff /splash | |
| parent | 1bc71245fa88dc23dc355f926f50f04896739fff (diff) | |
Splash::fillGlyph2: fix buffer overflow
Make sure xx / 8 + 1 is not out of bounds
fixes oss-fuzz/8422
Diffstat (limited to 'splash')
| -rw-r--r-- | splash/Splash.cc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/splash/Splash.cc b/splash/Splash.cc index 14f40cd7..c720f30c 100644 --- a/splash/Splash.cc +++ b/splash/Splash.cc @@ -2861,7 +2861,7 @@ void Splash::fillGlyph2(int x0, int y0, SplashGlyphBitmap *glyph, GBool noClip) for (yy = 0, y1 = yStart; yy < yyLimit; ++yy, ++y1) { pipeSetXY(&pipe, xStart, y1); for (xx = 0, x1 = xStart; xx < xxLimit; xx += 8) { - alpha0 = (xShift > 0 ? (p[xx / 8] << xShift) | (p[xx / 8 + 1] >> (8 - xShift)) : p[xx / 8]); + alpha0 = (xShift > 0 && xx < xxLimit - 8 ? (p[xx / 8] << xShift) | (p[xx / 8 + 1] >> (8 - xShift)) : p[xx / 8]); for (xx1 = 0; xx1 < 8 && xx + xx1 < xxLimit; ++xx1, ++x1) { if (alpha0 & 0x80) { (this->*pipe.run)(&pipe); @@ -2907,7 +2907,7 @@ void Splash::fillGlyph2(int x0, int y0, SplashGlyphBitmap *glyph, GBool noClip) for (yy = 0, y1 = yStart; yy < yyLimit; ++yy, ++y1) { pipeSetXY(&pipe, xStart, y1); for (xx = 0, x1 = xStart; xx < xxLimit; xx += 8) { - alpha0 = (xShift > 0 ? (p[xx / 8] << xShift) | (p[xx / 8 + 1] >> (8 - xShift)) : p[xx / 8]); + alpha0 = (xShift > 0 && xx < xxLimit - 8 ? (p[xx / 8] << xShift) | (p[xx / 8 + 1] >> (8 - xShift)) : p[xx / 8]); for (xx1 = 0; xx1 < 8 && xx + xx1 < xxLimit; ++xx1, ++x1) { if (state->clip->test(x1, y1)) { if (alpha0 & 0x80) { |