author    Cary Clark <caryclark@skia.org>  2017-07-05 11:52:16 -0400
committer Chromium commit bot <commit-bot@chromium.org>  2017-07-05 19:23:29 +0000
commit    8528723bc8aa97c62254c9f22afdd6b9f19570de (patch)
tree      3df043a167bb0caa2aa57ec3c9e607c34dc34a3c
parent    4bba683632b1db429343ca6cc54f803ac857ef35 (diff)
download  pdfium-8528723bc8aa97c62254c9f22afdd6b9f19570de.tar.xz
fix fuzzer generated out of range
I could not get this to reproduce. It was also reported in April, but I marked it fixed because I couldn't reproduce this then, either. I suspect that the result of LineSide() is +/-inf, causing either minBounds or maxBounds in ClipAngledGradient() to be set to -1, triggering the stack buffer misread.

R=dsinclair@chromium.org,npm@chromium.org

Bug: 736574
Change-Id: Id828321f8c5481b862822be43d76a41dd8e74ef0
Reviewed-on: https://pdfium-review.googlesource.com/7273
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Nicolás Peña <npm@chromium.org>
Commit-Queue: Cary Clark <caryclark@google.com>
-rw-r--r--  core/fxge/skia/fx_skia_device.cpp | 4
1 file changed, 2 insertions, 2 deletions
diff --git a/core/fxge/skia/fx_skia_device.cpp b/core/fxge/skia/fx_skia_device.cpp
index 8e9dfa6126..0bdf3f8b7b 100644
--- a/core/fxge/skia/fx_skia_device.cpp
+++ b/core/fxge/skia/fx_skia_device.cpp
@@ -523,8 +523,8 @@ void ClipAngledGradient(const SkPoint pts[2],
maxBounds = i;
}
}
- ASSERT(minBounds >= 0);
- ASSERT(maxBounds >= 0);
+ if (minBounds < 0 || maxBounds < 0)
+ return;
if (minBounds == maxBounds)
return;
// construct a clip parallel to the gradient that goes through
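Review bot: the new `if (minBounds < 0 || maxBounds < 0) return;` turns the failing ASSERTs into a silent early return, but nothing in the hunk rejects or even mentions the suspected cause (a non-finite result from LineSide() leaving a bound at -1), so the root cause stays unhandled and, unlike the removed ASSERTs, the condition is now invisible in debug builds as well. Suggest a comment at the new return stating that the bounds remain -1 when LineSide() yields +/-inf and that the gradient is then drawn without this clip, and consider folding the check into the guard that immediately follows it: `if (minBounds < 0 || maxBounds < 0 || minBounds == maxBounds) return;`. Since the commit message says the report could not be reproduced, a regression test built from the fuzzer input for Bug: 736574 would be the only way to confirm this return is actually what stops the out-of-range read.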