From 8122f6d6d409b53151a20c5578fc525ee97315e8 Mon Sep 17 00:00:00 2001
From: Marek Kasik
Date: Thu, 21 Mar 2019 13:47:51 +0100
Subject: [PATCH 2/2] cairo: Constrain number of cycles in rescale filter
Pass address of the first byte after end of the source buffer to downsample_row_box_filter() so that we can check that we don't run out of it.
Fixes issue #736
---
 poppler/CairoRescaleBox.cc | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/poppler/CairoRescaleBox.cc b/poppler/CairoRescaleBox.cc
index d7615010..7fd07041 100644
--- a/poppler/CairoRescaleBox.cc
+++ b/poppler/CairoRescaleBox.cc
@@ -62,7 +62,7 @@ static void downsample_row_box_filter (
 int start, int width,
- uint32_t *src, uint32_t *dest,
+ uint32_t *src, uint32_t *src_limit, uint32_t *dest,
 int coverage[], int pixel_coverage)
 {
 /* we need an array of the pixel contribution of each destination pixel on the boundaries.
@@ -90,13 +90,13 @@ static void downsample_row_box_filter (
 /* skip to start */
 /* XXX: it might be possible to do this directly instead of iteratively, however
 * the iterative solution is simple */
- while (x < start)
+ while (x < start && src < src_limit)
 {
 int box = 1 << FIXED_SHIFT;
 int start_coverage = coverage[x];
 box -= start_coverage;
 src++;
- while (box >= pixel_coverage)
+ while (box >= pixel_coverage && src < src_limit)
 {
 src++;
 box -= pixel_coverage;
@@ -104,7 +104,7 @@ static void downsample_row_box_filter (
 x++;
 }
- while (x < start + width)
+ while (x < start + width && src < src_limit)
 {
 uint32_t a = 0;
 uint32_t r = 0;
@@ -121,7 +121,7 @@ static void downsample_row_box_filter (
 x++;
 box -= start_coverage;
- while (box >= pixel_coverage)
+ while (box >= pixel_coverage && src < src_limit)
 {
 a += ((*src >> 24) & 0xff) * pixel_coverage;
 r += ((*src >> 16) & 0xff) * pixel_coverage;
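Review bot: The new `src_limit` parameter in the `downsample_row_box_filter` signature (hunk at -62) is only ever compared against `src` in the visible hunks, so it can be declared `const uint32_t *src_limit`, and its contract deserves a comment at the signature. Suggested wording: `/* src_limit: one past the last readable pixel of the source row; src is never dereferenced at or beyond it */`. The function body continues outside this hunk, so any other use of `src` not shown here should be checked against the same bound.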
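Review bot: When `src` reaches `src_limit`, the outer loop `while (x < start + width && src < src_limit)` (hunk at -104) ends early and nothing in the visible lines writes the remaining `dest` entries; the same happens for the whole row if the skip loop at -90 runs out of source first, and the function returns `void`, so the caller cannot tell. If `temp_buf` is not zero-initialised (its allocation is outside the diff), the later pass over it would consume stale heap contents for those pixels, which replaces an out-of-bounds read with an uninitialised one. Consider filling the tail after the loop, along the lines of `while (x < start + width) { if (x >= start) *dest++ = 0; x++; }`, or returning a status that `downScaleImage` turns into a failed rescale. The store into `dest` is outside these hunks, so the fill has to be matched to how `dest` is actually advanced there.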
@@ -135,7 +135,7 @@ static void downsample_row_box_filter (
 /* multiply by whatever is leftover
 * this ensures that we don't bias down.
 * i.e. start_coverage + n*pixel_coverage + box == 1 << 24 */
- if (box > 0)
+ if (box > 0 && src < src_limit)
 {
 a += ((*src >> 24) & 0xff) * box;
 r += ((*src >> 16) & 0xff) * box;
@@ -337,7 +337,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
 int start_coverage_y = y_coverage[dest_y];
 getRow(src_y, scanline);
- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
 columns++;
 src_y++;
 box -= start_coverage_y;
@@ -345,7 +345,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
 while (box >= pixel_coverage_y)
 {
 getRow(src_y, scanline);
- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
 columns++;
 src_y++;
 box -= pixel_coverage_y;
@@ -355,7 +355,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
 if (box > 0)
 {
 getRow(src_y, scanline);
- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
 columns++;
 }
-- 2.20.1
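Review bot: With `src < src_limit` added to `if (box > 0 ...)` (hunk at -135), a pixel whose leftover share is skipped no longer accumulates weights that sum to `1 << 24`, so the context comment "this ensures that we don't bias down" is no longer true for the truncated case. The same under-weighting occurs when the inner `while (box >= pixel_coverage && src < src_limit)` loop at -121 stops early. The normalisation is outside the hunk, but if it assumes the full weight, the last pixel of a truncated row will presumably come out darker and more transparent than intended. Either divide by the weight actually accumulated, or state the limitation next to the guard: `/* if src ran out, the remaining box weight is dropped and this pixel is under-weighted */`.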
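Review bot: The bound `scanline + orig_width` passed at the first call site (hunk at -337) is correct only if `scanline` holds at least `orig_width` pixels and `getRow` fills that many; the allocation is outside the diff, so this should be confirmed or asserted where the buffer is created. The identical expression is repeated in the calls at -345 and -355. Computing it once before the row loop, `uint32_t *scanline_end = scanline + orig_width;`, and passing `scanline_end` keeps the three call sites from drifting apart if the buffer size ever changes.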
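Review bot: In the `while (box >= pixel_coverage_y)` loop (hunk at -345), `src_y` is incremented and handed to `getRow(src_y, scanline)` with no comparison against `orig_height` in the visible lines, which is the vertical counterpart of the horizontal walk this patch bounds. Unless `getRow` itself rejects out-of-range rows (not shown here), a mismatch between `y_coverage` and the real image height would request rows past the end of the source. A symmetric guard would be `while (box >= pixel_coverage_y && src_y < orig_height)`, with the same test before the `getRow` call in the `if (box > 0)` block at -355; `src_y`'s declaration is outside the hunk, so the comparison may need a cast to avoid a signed/unsigned mismatch.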