authorSebastian Rasmussen <sebras@gmail.com>2018-08-12 20:55:17 +0800
committerSebastian Rasmussen <sebras@gmail.com>2018-08-14 20:56:54 +0800
commitdac34508c049d12c801416727652f94daed4fd4b (patch)
tree5cad811e8d1b49eae2997bf4acea7d711539a9a8
parent2c9c8b75de448ae0ee1394f672eb0baa4c7dd57a (diff)
downloadmupdf-dac34508c049d12c801416727652f94daed4fd4b.tar.xz
Bug 699631: Handle unsupported triangle mesh edge flags.
There were two issues with the code parsing the triangle mesh's edge flags: * meshes were not required to start with an independent triangle * out of range edge flags caused vertices to be ignored A mesh where the edge flag of the first vertex is out of range, and the edge flag of the second vertex indicates continuation of a prior triangle would result in trying to create a triangle where the third coordinate would be uninitialized. This commit requires the edge flag of the first vertex to indicate a new independent triangle and if out of range edge flags are encountered they are treated as if they indicate a new triangle. Thanks to oss-fuzz for reporting.
-rw-r--r--source/fitz/shade.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/source/fitz/shade.c b/source/fitz/shade.c
index faf8b67c..63089235 100644
--- a/source/fitz/shade.c
+++ b/source/fitz/shade.c
@@ -314,6 +314,7 @@ fz_process_shade_type4(fz_context *ctx, fz_shade *shade, fz_matrix ctm, fz_mesh_
const float *c0 = shade->u.m.c0;
const float *c1 = shade->u.m.c1;
float x, y, c[FZ_MAX_COLORS];
+ int first_triangle = 1;
fz_try(ctx)
{
@@ -326,8 +327,22 @@ fz_process_shade_type4(fz_context *ctx, fz_shade *shade, fz_matrix ctm, fz_mesh_
c[i] = read_sample(ctx, stream, bpcomp, c0[i], c1[i]);
fz_prepare_vertex(ctx, painter, vd, ctm, x, y, c);
+ if (first_triangle)
+ {
+ if (flag != 0)
+ {
+ fz_warn(ctx, "ignoring non-zero edge flags for first vertex in mesh");
+ flag = 0;
+ }
+ first_triangle = 0;
+ }
+
switch (flag)
{
+ default:
+ fz_warn(ctx, "ignoring out of range edge flag in mesh");
+ /* fallthrough */
+
case 0: /* start new triangle */
SWAP(va, vd);
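Review bot: The invariant that the `first_triangle` guard before `switch (flag)` protects is not written down in the new code. The guard exists so that the continuation flags never run before a complete triangle has been read, and a later edit that moves or drops it would bring back the uninitialised-vertex read described in the commit message. A comment on the declaration would make that explicit, for example `/* flags 1 and 2 reuse vertices of the previous triangle, so the first flag in the stream is forced to 0 */`. Because `default:` now falls into `case 0`, an out-of-range flag presumably also consumes the further vertices that `case 0` reads beyond this hunk, so it is worth confirming that path copes with a stream that ends early. The rest of `case 0`, the other cases and the end of the function are outside the hunk.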