| From e2fe98a11511dac4da94c9ffb8d469ddaace0e15 Mon Sep 17 00:00:00 2001 |
| From: Ray Johnston <ray.johnston@artifex.com> |
| Date: Sun, 15 Nov 2020 19:59:15 -0800 |
| Subject: [PATCH] Fix bug 703088. ASAN reports read outside allocated buffer of |
| an image. |
| |
| There was an area in gx_begin_image3_generic setup for bug 700538 to |
| detect rangecheck but it did not check all extremes. Note that this |
| stems from an absurd CTM in the PDF: 548.0 0 0 -1.43262569e+37 0 0 cm |
| --- |
| base/gximage3.c | 5 ++++- |
| 1 file changed, 4 insertions(+), 1 deletion(-) |
| |
| diff --git a/base/gximage3.c b/base/gximage3.c |
| index 522c71ffd..681bf5031 100644 |
| --- a/base/gximage3.c |
| +++ b/base/gximage3.c |
| @@ -368,7 +368,10 @@ gx_begin_image3_generic(gx_device * dev, |
| |
| /* Bug 700438: If the rectangle is out of range, bail */ |
| if (mrect.p.x >= (double)INT_MAX || mrect.q.x <= (double)INT_MIN || |
| - mrect.p.y >= (double)INT_MAX || mrect.q.y <= (double)INT_MIN) { |
| + mrect.p.y >= (double)INT_MAX || mrect.q.y <= (double)INT_MIN || |
| + mrect.p.x <= (double)INT_MIN || mrect.q.x >= (double)INT_MAX || |
| + mrect.p.y <= (double)INT_MIN || mrect.q.y >= (double)INT_MAX |
| + ) { |
| code = gs_note_error(gs_error_rangecheck); |
| goto out1; |
| } |
| -- |
| 2.30.0.284.gd98b1dd5eaa7-goog |
| |
