| field | value | timestamp |
|---|---|---|
| author | Cary Clark <caryclark@skia.org> | 2017-07-05 11:52:16 -0400 |
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-07-05 19:23:29 +0000 |
| commit | 8528723bc8aa97c62254c9f22afdd6b9f19570de (patch) | |
| tree | 3df043a167bb0caa2aa57ec3c9e607c34dc34a3c | |
| parent | 4bba683632b1db429343ca6cc54f803ac857ef35 (diff) | |
| download | pdfium-8528723bc8aa97c62254c9f22afdd6b9f19570de.tar.xz | |
fix fuzzer generated out of range
I could not get this to reproduce. It was also
reported in April, but I marked it fixed because
I couldn't reproduce this then, either. I suspect
that the result of LineSide() is +/-inf, causing
either minBounds or maxBounds in
ClipAngledGradient() to be set to -1, triggering
the stack buffer misread.
R=dsinclair@chromium.org,npm@chromium.org
Bug: 736574
Change-Id: Id828321f8c5481b862822be43d76a41dd8e74ef0
Reviewed-on: https://pdfium-review.googlesource.com/7273
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Nicolás Peña <npm@chromium.org>
Commit-Queue: Cary Clark <caryclark@google.com>
-rw-r--r-- | core/fxge/skia/fx_skia_device.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/core/fxge/skia/fx_skia_device.cpp b/core/fxge/skia/fx_skia_device.cpp index 8e9dfa6126..0bdf3f8b7b 100644 --- a/core/fxge/skia/fx_skia_device.cpp +++ b/core/fxge/skia/fx_skia_device.cpp @@ -523,8 +523,8 @@ void ClipAngledGradient(const SkPoint pts[2], maxBounds = i; } } - ASSERT(minBounds >= 0); - ASSERT(maxBounds >= 0); + if (minBounds < 0 || maxBounds < 0) + return; if (minBounds == maxBounds) return; // construct a clip parallel to the gradient that goes through |
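Review bot: replacing `ASSERT(minBounds >= 0); ASSERT(maxBounds >= 0);` with `if (minBounds < 0 || maxBounds < 0) return;` stops the out-of-range index from reaching the clip construction that follows, but it does so by silently leaving the gradient unclipped, and the hunk carries no comment saying why either index can still be -1 after the loop that ends with `maxBounds = i; } }`. Since the commit message attributes the condition to LineSide() producing +/-inf, the early return is treating the symptom; consider adding a comment at the new `if` that records this (so the next reader does not restore the asserts), and, in a follow-up, checking the LineSide() results for finiteness before they are compared in the bounds loop so that non-finite input is rejected at its source rather than only caught here. The existing `if (minBounds == maxBounds) return;` immediately below suggests the caller already tolerates an early return without a clip, which is worth confirming and noting in the same comment.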