From 6c29b7da65710d435aa39c01178ffe8bf49f686c Mon Sep 17 00:00:00 2001
From: NiLuJe <ninuje@gmail.com>
Date: Thu, 21 Feb 2019 08:59:41 +0100
Subject: [PATCH] [fix] PicDocument: Pass a copy of image_bb in
 getCoverPageImage() (#4628)

Avoids a use-after-free in mupdf.scaleBlitBuffer

Fix koreader/koreader-base#821

Thanks for the hint, @poire-z ;).

* As @poire-z suggested, the original unscaled bb should probably be free'd.
---
 frontend/document/picdocument.lua                 | 2 +-
 plugins/coverbrowser.koplugin/bookinfomanager.lua | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/frontend/document/picdocument.lua b/frontend/document/picdocument.lua
index f5b0385a0..06258cb02 100644
--- a/frontend/document/picdocument.lua
+++ b/frontend/document/picdocument.lua
@@ -43,7 +43,7 @@ end
 function PicDocument:getCoverPageImage()
     local first_page = self._document:openPage(1)
     if first_page.image_bb then
-        return first_page.image_bb
+        return first_page.image_bb:copy()
     end
     return nil
 end
diff --git a/plugins/coverbrowser.koplugin/bookinfomanager.lua b/plugins/coverbrowser.koplugin/bookinfomanager.lua
index d4171eb09..f1773f3be 100644
--- a/plugins/coverbrowser.koplugin/bookinfomanager.lua
+++ b/plugins/coverbrowser.koplugin/bookinfomanager.lua
@@ -438,7 +438,7 @@ function BookInfoManager:extractBookInfo(filepath, cover_specs)
                         scale_factor = math.min(spec_max_cover_w / cbb_w, spec_max_cover_h / cbb_h)
                         cbb_w = math.min(math.floor(cbb_w * scale_factor)+1, spec_max_cover_w)
                         cbb_h = math.min(math.floor(cbb_h * scale_factor)+1, spec_max_cover_h)
-                        cover_bb = RenderImage:scaleBlitBuffer(cover_bb, cbb_w, cbb_h)
+                        cover_bb = RenderImage:scaleBlitBuffer(cover_bb, cbb_w, cbb_h, true)
                     end
                     dbrow.cover_w = cbb_w
                     dbrow.cover_h = cbb_h