From dac34508c049d12c801416727652f94daed4fd4b Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen
Date: Sun, 12 Aug 2018 20:55:17 +0800
Subject: Bug 699631: Handle unsupported triangle mesh edge flags.

There were two issues with the code parsing the triangle mesh's edge flags:

* meshes were not require to start with an independent triangle
* out of range edge flags caused vertices to be ignored

A mesh where the edge flag of the first vertice is out of range, and the edge flag of the second vertex indicates continuation of a prior triangle would result in trying to create a triangle where the third coordinate would be uninitialized.

This commit requires the edge flag of the first vertex to indicate a new independent triangle and if out of range edge flags are encountered they are treated as if they indicate a new triangle.

Thanks to oss-fuzz for reporting.
---
 source/fitz/shade.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'source/fitz')

diff --git a/source/fitz/shade.c b/source/fitz/shade.c
index faf8b67c..63089235 100644
--- a/source/fitz/shade.c
+++ b/source/fitz/shade.c
@@ -314,6 +314,7 @@ fz_process_shade_type4(fz_context *ctx, fz_shade *shade, fz_matrix ctm, fz_mesh_
 	const float *c0 = shade->u.m.c0;
 	const float *c1 = shade->u.m.c1;
 	float x, y, c[FZ_MAX_COLORS];
+	int first_triangle = 1;
 
 	fz_try(ctx)
 	{
@@ -326,8 +327,22 @@ fz_process_shade_type4(fz_context *ctx, fz_shade *shade, fz_matrix ctm, fz_mesh_
 			c[i] = read_sample(ctx, stream, bpcomp, c0[i], c1[i]);
 		fz_prepare_vertex(ctx, painter, vd, ctm, x, y, c);
 
+		if (first_triangle)
+		{
+			if (flag != 0)
+			{
+				fz_warn(ctx, "ignoring non-zero edge flags for first vertex in mesh");
+				flag = 0;
+			}
+			first_triangle = 0;
+		}
+
 		switch (flag)
 		{
+		default:
+			fz_warn(ctx, "ignoring out of range edge flag in mesh");
+			/* fallthrough */
+
 		case 0: /* start new triangle */
 			SWAP(va, vd);
 
-- 
cgit v1.2.3
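Review bot: The name `first_triangle` is misleading: it is cleared unconditionally right after the first vertex has been prepared, so it guards the edge flag of the first vertex only, not the first triangle, and a name such as `first_vertex` (in `if (first_triangle)` here and in the declaration `int first_triangle = 1;` in the earlier hunk) would match the warning text "for first vertex in mesh". The `default:` branch also warns once per out-of-range flag, so a malformed or fuzzed stream with many vertices can emit one warning per vertex; unless fz_warn is rate-limited elsewhere it may be worth warning only on the first occurrence, and the fallthrough deserves a comment stating the policy, e.g. `/* Out-of-range edge flags are treated like flag 0 (start a new triangle). */`. fz_process_shade_type4 begins and ends outside both hunks, so where `flag` is read and the remaining switch cases could not be checked here.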