From 4e2981ae46261f3d4d715997bbc8dd4ee5dd5194 Mon Sep 17 00:00:00 2001
From: Tobias Mueller
Date: Fri, 7 Oct 2016 15:40:54 +0200
Subject: libview: only access the relevant page cache for the height request
In ev_view_get_height_to_page, the "height" or "dual_height" pointer can be set. If dual_height is set, the dual_height buffer is used. Using the "normal" height cache in dual view causes an out of bounds read. So we restrict the cache accesses to their relevant buffers. https://bugzilla.gnome.org/show_bug.cgi?id=771612 origin commit: https://git.gnome.org/browse/evince/commit/?id=0d44134
---
 libview/ev-view.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/libview/ev-view.c b/libview/ev-view.c
index a4915746..a445ef2e 100644
--- a/libview/ev-view.c
+++ b/libview/ev-view.c
@@ -436,14 +436,16 @@ ev_view_get_height_to_page (EvView *view,
 cache->dual_even_left != view->dual_even_left) {
 ev_view_build_height_to_page_cache (view, cache);
 }
- h = cache->height_to_page[page];
- dh = cache->dual_height_to_page[page];
- if (height)
+ if (height) {
+ h = cache->height_to_page[page];
 *height = (gint)(h * view->scale + 0.5);
+ }
- if (dual_height)
+ if (dual_height) {
+ dh = cache->dual_height_to_page[page];
 *dual_height = (gint)(dh * view->scale + 0.5);
+ }
 }
 static gint
--
cgit v1.2.1
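Review bot: Both `cache->height_to_page[page]` and `cache->dual_height_to_page[page]` are still indexed with `page` without any range check visible in this hunk, so the fix depends on every caller passing an index that is valid for whichever output pointer it supplies. The function body starts above the hunk, so a check may already exist there; if it does not, a guard against the cache's element count before each read would turn a bad index into an early return instead of an out-of-bounds read on document-derived values. The code also does not record why the reads moved into the branches, and a later cleanup could hoist them again. A comment above `if (height) {` would cover that, for example `/* The two caches are not interchangeable for a given page index: read each one only when its result was requested. */`.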