Fix invalid memory access in solves 1066.pdf.asan.38.75

commit: 558a7d9b046bbbe185dea263b48a3cb2664378fc [log] [tgz]
author: Thomas Freitag <Thomas.Freitag@alfa.de> Sun Sep 09 23:25:47 2012 +0200
committer: Albert Astals Cid <aacid@kde.org> Sun Sep 09 23:25:47 2012 +0200
tree: 7187a100e117a87eeaa4240e50e5bdb22084ddac
parent: d0df8e54512f584ca2b3edbae1c19e167948e5c3 [diff]
diff --git a/splash/SplashClip.cc b/splash/SplashClip.cc
index 41b73c8..fb18831 100644
--- a/splash/SplashClip.cc
+++ b/splash/SplashClip.cc

@@ -384,4 +384,27 @@
   for (i = 0; i < length; ++i) {
     scanners[i]->clipAALine(aaBuf, x0, x1, y);
   }
+  if (*x0 > *x1) {
+    *x0 = *x1;
+  }
+  if (*x0 < 0) {
+    *x0 = 0;
+  }
+  if ((*x0>>1) >= aaBuf->getRowSize()) {
+    xx0 = *x0;
+    *x0 = (aaBuf->getRowSize() - 1) << 1;
+    if (xx0 & 1) {
+      *x0 = *x0 + 1;
+    }
+  }
+  if (*x1 < *x0) {
+    *x1 = *x0;
+  }
+  if ((*x1>>1) >= aaBuf->getRowSize()) {
+    xx0 = *x1;
+    *x1 = (aaBuf->getRowSize() - 1) << 1;
+    if (xx0 & 1) {
+      *x1 = *x1 + 1;
+    }
+  }
 }

diff --git a/splash/SplashXPathScanner.cc b/splash/SplashXPathScanner.cc
index c9fe5e5..738cef7 100644
--- a/splash/SplashXPathScanner.cc
+++ b/splash/SplashXPathScanner.cc

@@ -441,6 +441,9 @@
       }
     }
   }
+  if (xxMin > xxMax) {
+    xxMin = xxMax;
+  }
   *x0 = xxMin / splashAASize;
   *x1 = (xxMax - 1) / splashAASize;
 }
commit	558a7d9b046bbbe185dea263b48a3cb2664378fc	[log] [tgz]
author	Thomas Freitag <Thomas.Freitag@alfa.de>	Sun Sep 09 23:25:47 2012 +0200
committer	Albert Astals Cid <aacid@kde.org>	Sun Sep 09 23:25:47 2012 +0200
tree	7187a100e117a87eeaa4240e50e5bdb22084ddac
parent	d0df8e54512f584ca2b3edbae1c19e167948e5c3 [diff]