Bug 1452375 - sse3-scaler: make sure iter->x/y is representable. r=sotaro, a=abillings
authorjmuizelaar@mozilla.com
Tue, 29 May 2018 14:27:09 +0900
changeset 805975 e205f08f30a726cc6edbb53ae4aa1bf438e4ffc5
parent 805974 cbf5d1ea2f9ac44be54ead384af566236752ad18
child 805976 0e83c9c98b6c55e0b5500dec8aba2164ca38d546
push id112832
push userbballo@mozilla.com
push dateFri, 08 Jun 2018 21:11:22 +0000
reviewerssotaro, abillings
bugs1452375
milestone60.0.2
Bug 1452375 - sse3-scaler: make sure iter->x/y is representable. r=sotaro, a=abillings
gfx/2d/ssse3-scaler.c
--- a/gfx/2d/ssse3-scaler.c
+++ b/gfx/2d/ssse3-scaler.c
@@ -40,16 +40,18 @@
 #include "ssse3-scaler.h"
 
 typedef int32_t                 pixman_fixed_16_16_t;
 typedef pixman_fixed_16_16_t    pixman_fixed_t;
 #define pixman_fixed_1                  (pixman_int_to_fixed(1))
 #define pixman_fixed_to_int(f)          ((int) ((f) >> 16))
 #define pixman_int_to_fixed(i)          ((pixman_fixed_t) ((i) << 16))
 #define pixman_double_to_fixed(d)       ((pixman_fixed_t) ((d) * 65536.0))
+#define PIXMAN_FIXED_INT_MAX 32767
+#define PIXMAN_FIXED_INT_MIN -32768
 typedef struct pixman_vector pixman_vector_t;
 
 typedef int pixman_bool_t;
 typedef int64_t                 pixman_fixed_32_32_t;
 typedef pixman_fixed_32_32_t    pixman_fixed_48_16_t;
 typedef struct { pixman_fixed_48_16_t v[3]; } pixman_vector_48_16_t;
 
 struct pixman_vector
@@ -459,16 +461,22 @@ ssse3_bilinear_cover_iter_fini (pixman_i
 
 static void
 ssse3_bilinear_cover_iter_init (pixman_iter_t *iter)
 {
     int width = iter->width;
     bilinear_info_t *info;
     pixman_vector_t v;
 
+    if (iter->x > PIXMAN_FIXED_INT_MAX ||
+        iter->x < PIXMAN_FIXED_INT_MIN ||
+        iter->y > PIXMAN_FIXED_INT_MAX ||
+        iter->y < PIXMAN_FIXED_INT_MIN)
+      goto fail;
+
     /* Reference point is the center of the pixel */
     v.vector[0] = pixman_int_to_fixed (iter->x) + pixman_fixed_1 / 2;
     v.vector[1] = pixman_int_to_fixed (iter->y) + pixman_fixed_1 / 2;
     v.vector[2] = pixman_fixed_1;
 
     if (!pixman_transform_point_3d (iter->image->transform, &v))
 	goto fail;