splash/Splash.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
New commits: commit 678c767584fa80620cc58a1d8a913cb3473209d4 Author: Albert Astals Cid <[email protected]> Date: Sun Aug 18 16:19:27 2013 +0200 Fix crash in 1026.asan.0.42.pdf We were not checking that bitmapOff was in bounds
diff --git a/splash/Splash.cc b/splash/Splash.cc
index ccfe1ed..d5aec8f 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -5420,6 +5420,7 @@ GBool Splash::gouraudTriangleShadedFill(SplashGouraudColor *shading)
 SplashClip* clip = getClip();
 SplashBitmap *blitTarget = bitmap;
 SplashColorPtr bitmapData = bitmap->getDataPtr();
+ int bitmapOffLimit = bitmap->getHeight() * bitmap->getRowSize();
 SplashColorPtr bitmapAlpha = bitmap->getAlphaPtr();
 SplashColorPtr cur = NULL;
 SplashCoord* userToCanvasMatrix = getMatrix();
@@ -5652,7 +5653,7 @@ GBool Splash::gouraudTriangleShadedFill(SplashGouraudColor *shading)
 colorinterp = scanColorMap[0] * scanLimitL + scanColorMap[1];
 bitmapOff = scanLineOff + scanLimitL * colorComps;
- for (int X = scanLimitL; X <= scanLimitR; ++X, colorinterp += scanColorMap[0], bitmapOff += colorComps) {
+ for (int X = scanLimitL; X <= scanLimitR && bitmapOff + colorComps <= bitmapOffLimit; ++X, colorinterp += scanColorMap[0], bitmapOff += colorComps) {
 // FIXME : standard rectangular clipping can be done for a
 // complete scanline which is faster
 // --> see SplashClip and its methods
_______________________________________________ poppler mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/poppler
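Review bot: `bitmapOffLimit` in the first hunk is an `int` product of `bitmap->getHeight()` and `bitmap->getRowSize()`, and it is the only bound the new loop check relies on. For a very large bitmap that multiplication can overflow signed `int`, which is undefined behaviour and would leave the guard comparing against a meaningless limit. If the row size can be negative for some bitmap orientations (not visible here, worth confirming in SplashBitmap), the limit goes negative and the fill loop never runs. Computing it in a wider type avoids the overflow, e.g. `const long long bitmapOffLimit = static_cast<long long>(bitmap->getHeight()) * bitmap->getRowSize();`, with a one-line comment saying it is the size in bytes of the colour data. The body of gouraudTriangleShadedFill starts and ends outside this hunk.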
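Review bot: The loop condition added in the second hunk bounds `bitmapOff` only from above, so a negative offset from `scanLineOff + scanLimitL * colorComps` would still pass the check and index before the start of `bitmapData`. If a malformed shading can drive `scanLimitL` or `scanLineOff` negative (their computation is outside the hunk), the guard should also require `bitmapOff >= 0 &&` before the upper-bound test. The check also silently truncates the scanline, so a short comment would help, e.g. `// stop before writing past the bitmap data; malformed input can put the scanline out of range`. The loop body continues outside the hunk, so it cannot be judged from here whether the `bitmapAlpha` plane is written through a separate offset that needs its own bound.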
