From 92e41685dcef538a7fc669ca357ce9f448a8078e Mon Sep 17 00:00:00 2001

From: Albert Astals Cid <aacid@kde.org>

Date: Sat, 7 Feb 2015 21:54:39 +0100

Subject: Fix crash in malformed file from bug #85275

diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc

index 97af5c4..6640ab5 100644

--- a/poppler/SplashOutputDev.cc

+++ b/poppler/SplashOutputDev.cc

@@ -4048,8 +4048,8 @@ void SplashOutputDev::setSoftMask(GfxState *state, double *bbox,

   p = softMask->getDataPtr() + ty * softMask->getRowSize() + tx;

   int xMax = tBitmap->getWidth();

   int yMax = tBitmap->getHeight();

-  if (xMax + tx > bitmap->getWidth()) xMax = bitmap->getWidth() - tx;

-  if (yMax + ty > bitmap->getHeight()) yMax = bitmap->getHeight() - ty;

+  if (xMax > bitmap->getWidth() - tx) xMax = bitmap->getWidth() - tx;

+  if (yMax > bitmap->getHeight() - ty) yMax = bitmap->getHeight() - ty;

   for (y = 0; y < yMax; ++y) {

     for (x = 0; x < xMax; ++x) {

       if (alpha) {

diff --git a/splash/Splash.cc b/splash/Splash.cc

index fde272a..142516f 100644

--- a/splash/Splash.cc

+++ b/splash/Splash.cc

@@ -11,7 +11,7 @@

 // All changes made under the Poppler project to this file are licensed

 // under GPL version 2 or later

 //

-// Copyright (C) 2005-2014 Albert Astals Cid <aacid@kde.org>

+// Copyright (C) 2005-2015 Albert Astals Cid <aacid@kde.org>

 // Copyright (C) 2005 Marco Pesenti Gritti <mpg@redhat.com>

 // Copyright (C) 2010-2014 Thomas Freitag <Thomas.Freitag@alfa.de>

 // Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>

@@ -5214,6 +5214,10 @@ SplashError Splash::composite(SplashBitmap *src, int xSrc, int ySrc,

     return splashErrModeMismatch;

   }

+  if (unlikely(!bitmap->data)) {

+    return splashErrZeroImage;

+  }

+

   if(src->getSeparationList()->getLength() > bitmap->getSeparationList()->getLength()) {

     for (x = bitmap->getSeparationList()->getLength(); x < src->getSeparationList()->getLength(); x++)

       bitmap->getSeparationList()->append(((GfxSeparationColorSpace *)src->getSeparationList()->get(x))->copy());

@@ -5783,6 +5787,10 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,

     return splashErrModeMismatch;

   }

+  if (unlikely(!bitmap->data)) {

+    return splashErrZeroImage;

+  }

+

   switch (bitmap->mode) {

   case splashModeMono1:

     for (y = 0; y < h; ++y) {

diff --git a/splash/SplashBitmap.cc b/splash/SplashBitmap.cc

index ac344f1..e886683 100644

--- a/splash/SplashBitmap.cc

+++ b/splash/SplashBitmap.cc

@@ -11,7 +11,7 @@

 // All changes made under the Poppler project to this file are licensed

 // under GPL version 2 or later

 //

-// Copyright (C) 2006, 2009, 2010, 2012 Albert Astals Cid <aacid@kde.org>

+// Copyright (C) 2006, 2009, 2010, 2012, 2015 Albert Astals Cid <aacid@kde.org>

 // Copyright (C) 2007 Ilmari Heikkinen <ilmari.heikkinen@gmail.com>

 // Copyright (C) 2009 Shen Liang <shenzhuxi@gmail.com>

 // Copyright (C) 2009 Stefan Thomas <thomas@eload24.com>

@@ -275,7 +275,7 @@ SplashError SplashBitmap::writeAlphaPGMFile(char *fileName) {

 void SplashBitmap::getPixel(int x, int y, SplashColorPtr pixel) {

   SplashColorPtr p;

-  if (y < 0 || y >= height || x < 0 || x >= width) {

+  if (y < 0 || y >= height || x < 0 || x >= width || !data) {

     return;

   }

   switch (mode) {

-- 

cgit v0.10.2