[evince] libview: only access the relevant page cache for the height request



commit 0d44134d7b28dca7953e48b6d7ceb01ecdea0dc7
Author: Tobias Mueller <muelli cryptobitch de>
Date:   Fri Oct 7 15:40:54 2016 +0200

    libview: only access the relevant page cache for the height request
    
    In ev_view_get_height_to_page, the "height" or "dual_height"
    pointer can be set.  If dual_height is set, the dual_height buffer
    is used. Using the "normal" height cache in dual view causes
    an out of bounds read. So we restrict the cache accesses to their
    relevant buffers.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=771612

 libview/ev-view.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)
---
diff --git a/libview/ev-view.c b/libview/ev-view.c
index 1b26449..7c416f6 100644
--- a/libview/ev-view.c
+++ b/libview/ev-view.c
@@ -460,14 +460,16 @@ ev_view_get_height_to_page (EvView *view,
            cache->dual_even_left != view->dual_even_left) {
                ev_view_build_height_to_page_cache (view, cache);
        }
-       h = cache->height_to_page[page];
-       dh = cache->dual_height_to_page[page];
 
-       if (height)
+       if (height) {
+               h = cache->height_to_page[page];
                *height = (gint)(h * view->scale + 0.5);
+    }
 
-       if (dual_height)
+       if (dual_height) {
+               dh = cache->dual_height_to_page[page];
                *dual_height = (gint)(dh * view->scale + 0.5);
+       }
 }
 
 static gint


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]