From 4e2981ae46261f3d4d715997bbc8dd4ee5dd5194 Mon Sep 17 00:00:00 2001
From: Tobias Mueller <muelli@cryptobitch.de>
Date: Fri, 7 Oct 2016 15:40:54 +0200
Subject: libview: only access the relevant page cache for the height request

In ev_view_get_height_to_page, the "height" or "dual_height"
pointer can be set.  If dual_height is set, the dual_height buffer
is used. Using the "normal" height cache in dual view causes
an out of bounds read. So we restrict the cache accesses to their
relevant buffers.

https://bugzilla.gnome.org/show_bug.cgi?id=771612
origin commit:
https://git.gnome.org/browse/evince/commit/?id=0d44134
---
 libview/ev-view.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'libview')

diff --git a/libview/ev-view.c b/libview/ev-view.c
index a4915746..a445ef2e 100644
--- a/libview/ev-view.c
+++ b/libview/ev-view.c
@@ -436,14 +436,16 @@ ev_view_get_height_to_page (EvView *view,
 	    cache->dual_even_left != view->dual_even_left) {
 		ev_view_build_height_to_page_cache (view, cache);
 	}
-	h = cache->height_to_page[page];
-	dh = cache->dual_height_to_page[page];
 
-	if (height)
+	if (height) {
+		h = cache->height_to_page[page];
 		*height = (gint)(h * view->scale + 0.5);
+    }
 
-	if (dual_height)
+	if (dual_height) {
+		dh = cache->dual_height_to_page[page];
 		*dual_height = (gint)(dh * view->scale + 0.5);
+	}
 }
 
 static gint
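Review bot: Both reads, `cache->height_to_page[page]` and `cache->dual_height_to_page[page]`, still index with `page` without any range check visible in this hunk. The fix therefore depends on every caller passing an index that is valid for the particular buffer it requests. If the cache records how many entries each array holds (not visible here), a guard before each read would close the out-of-bounds read for good instead of leaving it caller-dependent. At minimum, a comment above the two blocks such as `/* page is only guaranteed valid for the buffer the caller requests */` would record the invariant the commit message describes. Minor style: the closing brace of the `if (height)` block is indented with spaces while the surrounding lines use tabs. The function body starts above the hunk, so an earlier check on `page` may exist.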
-- 
cgit v1.2.1