Commit 678c7675 authored by Albert Astals Cid's avatar Albert Astals Cid

Fix crash in 1026.asan.0.42.pdf

We were not checking that bitmapOff was in bounds
parent fbea2241
......@@ -5420,6 +5420,7 @@ GBool Splash::gouraudTriangleShadedFill(SplashGouraudColor *shading)
SplashClip* clip = getClip();
SplashBitmap *blitTarget = bitmap;
SplashColorPtr bitmapData = bitmap->getDataPtr();
int bitmapOffLimit = bitmap->getHeight() * bitmap->getRowSize();
SplashColorPtr bitmapAlpha = bitmap->getAlphaPtr();
SplashColorPtr cur = NULL;
SplashCoord* userToCanvasMatrix = getMatrix();
......@@ -5652,7 +5653,7 @@ GBool Splash::gouraudTriangleShadedFill(SplashGouraudColor *shading)
colorinterp = scanColorMap[0] * scanLimitL + scanColorMap[1];
bitmapOff = scanLineOff + scanLimitL * colorComps;
for (int X = scanLimitL; X <= scanLimitR; ++X, colorinterp += scanColorMap[0], bitmapOff += colorComps) {
for (int X = scanLimitL; X <= scanLimitR && bitmapOff + colorComps <= bitmapOffLimit; ++X, colorinterp += scanColorMap[0], bitmapOff += colorComps) {
// FIXME : standard rectangular clipping can be done for a
// complete scanline which is faster
// --> see SplashClip and its methods
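Review bot: The condition added to the scanline loop in the second hunk bounds `bitmapOff` only from above, so a negative offset would still pass the check. Whether `scanLineOff` or `scanLimitL` can go negative is not visible here, but if they can, the guard should read `X <= scanLimitR && bitmapOff >= 0 && bitmapOff + colorComps <= bitmapOffLimit`. `bitmapOffLimit` in the first hunk is an `int` product of `getHeight()` and `getRowSize()`, so it relies on the bitmap allocation having already rejected sizes that overflow `int`; if `getRowSize()` can be negative for bottom-up bitmaps (to confirm against SplashBitmap), the limit goes negative and the loop silently draws nothing. A comment above the declaration such as `// one past the last valid byte offset into bitmapData` would make the invariant explicit. The body of gouraudTriangleShadedFill starts and ends outside both hunks.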
......