692336 – crash on excessive clipping in list device

Bug 692336 - crash on excessive clipping in list device

Summary: crash on excessive clipping in list device

Status:	RESOLVED FIXED

Alias:	None

Product:	MuPDF
Classification:	Unclassified
Component:	fitz (show other bugs)
Version:	unspecified
Hardware:	PC Windows 7

Importance:	P4 normal
Assignee:	Tor Andersson

URL:
Keywords:

Depends on:
Blocks:

Reported:	2011-07-09 21:28 UTC by zeniko
Modified:	2011-08-05 23:49 UTC (History)
CC List:	1 user (show)

See Also:
Customer:
Word Size:	---

Attachments
testcase (698 bytes, application/pdf) 2011-07-09 21:28 UTC, zeniko	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description zeniko 2011-07-09 21:28:47 UTC

Created attachment 7660 [details]
testcase

Bug 692287 introduced a clip stack in the list device which has a maximum of 96 entries which can be quite easily overflow into the heap (cf. testcase).

@Robin: Style nit: Please open braces on the following lines, as everywhere else in MuPDF code. Thanks.

Comment 1 zeniko 2011-07-09 23:02:00 UTC

BTW: FZ_CMD_END_MASK also affects the clipping stack. As of bug 692287, too much is clipped out of a document, as soon as the first FZ_CMD_POP_CLIP belonging to an FZ_CMD_END_MASK is encountered.

IOW: assert(list->top > 0) doesn't always hold for FZ_CMD_POP_CLIP , even though it really should.

Comment 2 zeniko 2011-07-10 00:05:24 UTC

FYI: Both issues are fixed in http://code.google.com/p/sumatrapdf/source/detail?r=4069