author | Dan Sinclair <dsinclair@chromium.org> | 2017-09-20 14:39:30 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-09-20 18:49:04 +0000 |
commit | 0c2e705f8d8dec68c1afc8344872fe8bee527c48 (patch) | |
tree | e5d522737fdf19f611fb78e08371548d445be1cc | |
parent | 4fe8ea5bba4bd505b5bd35395c68799771b0bd7d (diff) | |
download | pdfium-0c2e705f8d8dec68c1afc8344872fe8bee527c48.tar.xz |
Add bounds checks in CAgg_PathData::BuildPath
When working with LineTo and BezierTo commands, verify we are within the
bounds of the path data before accessing elements.
Bug: pdfium:899
Change-Id: Iae9f9f3d0e5dbaf8d5452b86961ab8c79a6210f1
Reviewed-on: https://pdfium-review.googlesource.com/14490
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
-rw-r--r-- | core/fxge/agg/fx_agg_driver.cpp | 32 |
1 files changed, 17 insertions, 15 deletions
diff --git a/core/fxge/agg/fx_agg_driver.cpp b/core/fxge/agg/fx_agg_driver.cpp
index b01987fc6b..5e0308c551 100644
--- a/core/fxge/agg/fx_agg_driver.cpp
+++ b/core/fxge/agg/fx_agg_driver.cpp
@@ -1072,7 +1072,7 @@ void CAgg_PathData::BuildPath(const CFX_PathData* pPathData,
 if (point_type == FXPT_TYPE::MoveTo) {
 m_PathData.move_to(pos.x, pos.y);
 } else if (point_type == FXPT_TYPE::LineTo) {
- if (pPoints[i - 1].IsTypeAndOpen(FXPT_TYPE::MoveTo) &&
+ if (i > 0 && pPoints[i - 1].IsTypeAndOpen(FXPT_TYPE::MoveTo) &&
 (i == pPoints.size() - 1 ||
 pPoints[i + 1].IsTypeAndOpen(FXPT_TYPE::MoveTo)) &&
 pPoints[i].m_Point == pPoints[i - 1].m_Point) {
@@ -1080,21 +1080,23 @@ void CAgg_PathData::BuildPath(const CFX_PathData* pPathData,
 }
 m_PathData.line_to(pos.x, pos.y);
 } else if (point_type == FXPT_TYPE::BezierTo) {
- CFX_PointF pos0 = pPoints[i - 1].m_Point;
- CFX_PointF pos2 = pPoints[i + 1].m_Point;
- CFX_PointF pos3 = pPoints[i + 2].m_Point;
- if (pObject2Device) {
- pos0 = pObject2Device->Transform(pos0);
- pos2 = pObject2Device->Transform(pos2);
- pos3 = pObject2Device->Transform(pos3);
+ if (i > 0 && i + 2 < pPoints.size()) {
+ CFX_PointF pos0 = pPoints[i - 1].m_Point;
+ CFX_PointF pos2 = pPoints[i + 1].m_Point;
+ CFX_PointF pos3 = pPoints[i + 2].m_Point;
+ if (pObject2Device) {
+ pos0 = pObject2Device->Transform(pos0);
+ pos2 = pObject2Device->Transform(pos2);
+ pos3 = pObject2Device->Transform(pos3);
+ }
+ pos0 = HardClip(pos0);
+ pos2 = HardClip(pos2);
+ pos3 = HardClip(pos3);
+ agg::curve4 curve(pos0.x, pos0.y, pos.x, pos.y, pos2.x, pos2.y, pos3.x,
+ pos3.y);
+ i += 2;
+ m_PathData.add_path_curve(curve);
 }
- pos0 = HardClip(pos0);
- pos2 = HardClip(pos2);
- pos3 = HardClip(pos3);
- agg::curve4 curve(pos0.x, pos0.y, pos.x, pos.y, pos2.x, pos2.y, pos3.x,
- pos3.y);
- i += 2;
- m_PathData.add_path_curve(curve);
 }
 if (pPoints[i].m_CloseFigure)
 m_PathData.end_poly(); |
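Review bot: With the new `i > 0` guard in the LineTo branch, a LineTo at index 0 skips the degenerate-segment test but still falls through to `m_PathData.line_to(pos.x, pos.y)` with no preceding `move_to`. The `pPoints[i - 1]` read is now in bounds, but whether the AGG path storage handles a leading line_to as intended is not visible in this hunk and is worth confirming. A short comment such as `// i == 0: path starts with LineTo, so there is no previous point to compare against.` would record why the guard exists. The body of BuildPath starts and ends outside the hunk.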
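Review bot: The new `if (i > 0 && i + 2 < pPoints.size())` check in the BezierTo branch bounds the three reads, but it does not verify that `pPoints[i + 1]` and `pPoints[i + 2]` are themselves BezierTo entries, so a malformed path can still have a MoveTo or LineTo consumed as a control point and stepped over by `i += 2`. When the check fails the curve is dropped silently and any remaining partial control points are revisited one at a time by the loop; a comment such as `// Truncated BezierTo (no start point or fewer than two following points): skip rather than read out of bounds.` would make that intent explicit. The diffstat shows only fx_agg_driver.cpp changing, so a regression test built from the pdfium:899 reproducer would keep these checks from being lost in a later refactor. The loop header and the declaration of `i` are outside the hunk, so the signedness of the `i + 2 < pPoints.size()` comparison could not be checked here.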