authorNicolas Pena <npm@chromium.org>2017-05-11 12:33:48 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-05-11 16:49:55 +0000
commit6e4ecaf073843e571f4c0a72a0b6d81a01b01607 (patch)
treeb85d9996d1f203b3edd8f95603709af77a8d18e1
parent2a2ee0f1ca747929acaf1b4f2eadbf7c8e8025e6 (diff)
Stop rendering if a span length overflowed in AGG
In AGG, len is of type coord_type, which we have as int16_t, but we can add large values to it, causing it to become negative. Stop the rendering when that occurs.

Bug: chromium:719258
Change-Id: Ic7497666b01220a9cd3e7d749f1fc6ae4a210870
Reviewed-on: https://pdfium-review.googlesource.com/5370
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
-rw-r--r--core/fxge/agg/fx_agg_driver.cpp4
1 files changed, 3 insertions, 1 deletions
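diff --git a/core/fxge/agg/fx_agg_driver.cpp b/core/fxge/agg/fx_agg_driver.cpp
index 471fc9bb86..128d50c6e6 100644
--- a/core/fxge/agg/fx_agg_driver.cpp
+++ b/core/fxge/agg/fx_agg_driver.cpp
@@ -953,8 +953,10 @@ void CFX_Renderer::render(const Scanline& sl) {
 unsigned num_spans = sl.num_spans();
 typename Scanline::const_iterator span = sl.begin();
 while (1) {
+if (span->len <= 0)
+break;
+
 int x = span->x;
-ASSERT(span->len > 0);
 uint8_t* dest_pos = nullptr;
 uint8_t* dest_extra_alpha_pos = nullptr;
 uint8_t* ori_pos = nullptr;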
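Review bot: The new `if (span->len <= 0) break;` at the top of the loop reads as routine defensiveness, but it is the guard against a signed int16_t overflow that the old `ASSERT` only caught in debug builds, and nothing at the call site says so; a comment such as `// len is coord_type (int16_t) and can wrap negative when large values are added to it; stop rendering this scanline rather than use a bad length (chromium:719258)` would keep a later cleanup from removing it. The check only catches a wrap that ends negative: per the description the overflow comes from adding large values into coord_type, so a wrap that lands back on a small positive value still passes, which suggests the durable fix is at the producer (widening coord_type or checking the addition there) rather than only here. The body of CFX_Renderer::render continues past the hunk, so whether the remaining spans are skipped or the scanline is abandoned entirely cannot be confirmed from this view.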