summaryrefslogtreecommitdiff
path: root/core/fxge/skia
diff options
context:
space:
mode:
authorLei Zhang <thestig@chromium.org>2018-09-12 17:21:11 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-09-12 17:21:11 +0000
commit987416db22712d0b5c666be08a148946ce4b9bdb (patch)
tree85807aaedcec135da2aaea7f1783ade7f26b4f78 /core/fxge/skia
parentb4c1b016c9d3c71b739cba60e8b7b26638781793 (diff)
downloadpdfium-987416db22712d0b5c666be08a148946ce4b9bdb.tar.xz
Avoid out of bound access in ClipAngledGradient().chromium/3551
BUG=chromium:835667 Change-Id: I3b9fd04d26f1baa30d48f938616b187410134b5f Reviewed-on: https://pdfium-review.googlesource.com/42311 Reviewed-by: Cary Clark <caryclark@google.com> Commit-Queue: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'core/fxge/skia')
-rw-r--r--core/fxge/skia/fx_skia_device.cpp20
1 files changed, 14 insertions, 6 deletions
diff --git a/core/fxge/skia/fx_skia_device.cpp b/core/fxge/skia/fx_skia_device.cpp
index b0d1fd04fb..2ffd446023 100644
--- a/core/fxge/skia/fx_skia_device.cpp
+++ b/core/fxge/skia/fx_skia_device.cpp
@@ -503,15 +503,23 @@ void ClipAngledGradient(const SkPoint pts[2],
}
if (minPerpPtIndex < 0 && maxPerpPtIndex < 0) // nothing's outside
return;
+
// determine if negative distances are before start or after end
SkPoint beforeStart = {pts[0].fX * 2 - pts[1].fX, pts[0].fY * 2 - pts[1].fY};
bool beforeNeg = LineSide(startPerp, beforeStart) < 0;
- const SkPoint& startEdgePt =
- clipStart ? pts[0] : beforeNeg ? rectPts[minPerpPtIndex]
- : rectPts[maxPerpPtIndex];
- const SkPoint& endEdgePt = clipEnd ? pts[1] : beforeNeg
- ? rectPts[maxPerpPtIndex]
- : rectPts[minPerpPtIndex];
+
+ int noClipStartIndex = maxPerpPtIndex;
+ int noClipEndIndex = minPerpPtIndex;
+ if (beforeNeg)
+ std::swap(noClipStartIndex, noClipEndIndex);
+ if ((!clipStart && noClipStartIndex < 0) ||
+ (!clipEnd && noClipEndIndex < 0)) {
+ return;
+ }
+
+ const SkPoint& startEdgePt = clipStart ? pts[0] : rectPts[noClipStartIndex];
+ const SkPoint& endEdgePt = clipEnd ? pts[1] : rectPts[noClipEndIndex];
+
// find the corners that bound the gradient
SkScalar minDist = SK_ScalarMax;
SkScalar maxDist = SK_ScalarMin;