diff options
| author | Tobias Mueller <[email protected]> | 2016-10-07 15:40:54 +0200 |
|---|---|---|
| committer | raveit65 <[email protected]> | 2017-08-31 13:28:21 +0200 |
| commit | 4e2981ae46261f3d4d715997bbc8dd4ee5dd5194 (patch) | |
| tree | bfbb81da4bd54f25204553337fabfe3eeec31af1 | |
| parent | 89a0e4e1c0c5566129309b64873675f61f5362b8 (diff) | |
| download | atril-4e2981ae46261f3d4d715997bbc8dd4ee5dd5194.tar.bz2 atril-4e2981ae46261f3d4d715997bbc8dd4ee5dd5194.tar.xz | |
libview: only access the relevant page cache for the height request
In ev_view_get_height_to_page, the "height" or "dual_height"
pointer can be set. If dual_height is set, the dual_height buffer
is used. Using the "normal" height cache in dual view causes
an out of bounds read. So we restrict the cache accesses to their
relevant buffers.
https://bugzilla.gnome.org/show_bug.cgi?id=771612
origin commit:
https://git.gnome.org/browse/evince/commit/?id=0d44134
| -rw-r--r-- | libview/ev-view.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/libview/ev-view.c b/libview/ev-view.c index a4915746..a445ef2e 100644 --- a/libview/ev-view.c +++ b/libview/ev-view.c @@ -436,14 +436,16 @@ ev_view_get_height_to_page (EvView *view, cache->dual_even_left != view->dual_even_left) { ev_view_build_height_to_page_cache (view, cache); } - h = cache->height_to_page[page]; - dh = cache->dual_height_to_page[page]; - if (height) + if (height) { + h = cache->height_to_page[page]; *height = (gint)(h * view->scale + 0.5); + } - if (dual_height) + if (dual_height) { + dh = cache->dual_height_to_page[page]; *dual_height = (gint)(dh * view->scale + 0.5); + } } static gint |