Stop rendering if a span length overflowed in AGG

In AGG, len is of type coord_type, which we have as int16_t, but we can add to it large values, causing it to become negative. Stop the rendering when that occurs. Bug: chromium:719258 Change-Id: Ic7497666b01220a9cd3e7d749f1fc6ae4a210870 Reviewed-on: https://pdfium-review.googlesource.com/5370 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
author: Nicolas Pena <npm@chromium.org> 2017-05-11 12:33:48 -0400
committer: Chromium commit bot <commit-bot@chromium.org> 2017-05-11 16:49:55 +0000
commit: 6e4ecaf073843e571f4c0a72a0b6d81a01b01607 (patch)
tree: b85d9996d1f203b3edd8f95603709af77a8d18e1
parent: 2a2ee0f1ca747929acaf1b4f2eadbf7c8e8025e6 (diff)
download: pdfium-6e4ecaf073843e571f4c0a72a0b6d81a01b01607.tar.xz
1 files changed, 3 insertions, 1 deletions
diff --git a/core/fxge/agg/fx_agg_driver.cpp b/core/fxge/agg/fx_agg_driver.cpp
index 471fc9bb86..128d50c6e6 100644
--- a/core/fxge/agg/fx_agg_driver.cpp
+++ b/core/fxge/agg/fx_agg_driver.cpp
@@ -953,8 +953,10 @@ void CFX_Renderer::render(const Scanline& sl) {
   unsigned num_spans = sl.num_spans();
   typename Scanline::const_iterator span = sl.begin();
   while (1) {
+    if (span->len <= 0)
+      break;
+
     int x = span->x;
-    ASSERT(span->len > 0);
     uint8_t* dest_pos = nullptr;
     uint8_t* dest_extra_alpha_pos = nullptr;
     uint8_t* ori_pos = nullptr;
author	Nicolas Pena <npm@chromium.org>	2017-05-11 12:33:48 -0400
committer	Chromium commit bot <commit-bot@chromium.org>	2017-05-11 16:49:55 +0000
commit	6e4ecaf073843e571f4c0a72a0b6d81a01b01607 (patch)
tree	b85d9996d1f203b3edd8f95603709af77a8d18e1
parent	2a2ee0f1ca747929acaf1b4f2eadbf7c8e8025e6 (diff)
download	pdfium-6e4ecaf073843e571f4c0a72a0b6d81a01b01607.tar.xz