diff options
| author | Lei Zhang <thestig@chromium.org> | 2018-04-27 19:02:27 +0000 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2018-04-27 19:02:27 +0000 |
| commit | 77315d696138a83b86ad050870300c2c52935f29 (patch) | |
| tree | 629e104996da234d77209cd06c422a3300eec793 /third_party | |
| parent | 5a2114eced31ce389ede4486d492faf6db4d7a04 (diff) | |
| download | pdfium-77315d696138a83b86ad050870300c2c52935f29.tar.xz | |
Fix undefined behavior in AGG.
BUG=chromium:746232
Change-Id: Id8f22d09bc7768603ea67bd52a5a5b3d87885ea9
Reviewed-on: https://pdfium-review.googlesource.com/31370
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'third_party')
| -rw-r--r-- | third_party/agg23/0004-ubsan-sweep-scanline-error.patch | 33 | ||||
| -rw-r--r-- | third_party/agg23/README.pdfium | 2 | ||||
| -rw-r--r-- | third_party/agg23/agg_rasterizer_scanline_aa.h | 9 |
3 files changed, 42 insertions, 2 deletions
diff --git a/third_party/agg23/0004-ubsan-sweep-scanline-error.patch b/third_party/agg23/0004-ubsan-sweep-scanline-error.patch new file mode 100644 index 0000000000..3348f0500b --- /dev/null +++ b/third_party/agg23/0004-ubsan-sweep-scanline-error.patch @@ -0,0 +1,33 @@ +diff --git a/third_party/agg23/agg_rasterizer_scanline_aa.h b/third_party/agg23/agg_rasterizer_scanline_aa.h +index c747ee379..da166bb14 100644 +--- a/third_party/agg23/agg_rasterizer_scanline_aa.h ++++ b/third_party/agg23/agg_rasterizer_scanline_aa.h +@@ -349,14 +349,14 @@ public: + cover += cur_cell->cover; + } + if(area) { +- alpha = calculate_alpha((cover << (poly_base_shift + 1)) - area, no_smooth); ++ alpha = calculate_alpha(calculate_area(cover, poly_base_shift + 1) - area, no_smooth); + if(alpha) { + sl.add_cell(x, alpha); + } + x++; + } + if(num_cells && cur_cell->x > x) { +- alpha = calculate_alpha(cover << (poly_base_shift + 1), no_smooth); ++ alpha = calculate_alpha(calculate_area(cover, poly_base_shift + 1), no_smooth); + if(alpha) { + sl.add_span(x, cur_cell->x - x, alpha); + } +@@ -458,6 +458,11 @@ private: + m_prev_x = x; + m_prev_y = y; + } ++ static int calculate_area(int cover, int shift) { ++ unsigned int result = cover; ++ result <<= shift; ++ return result; ++ } + private: + outline_aa m_outline; + filling_rule_e m_filling_rule; diff --git a/third_party/agg23/README.pdfium b/third_party/agg23/README.pdfium index 4b1ff49146..fa50951c66 100644 --- a/third_party/agg23/README.pdfium +++ b/third_party/agg23/README.pdfium @@ -16,3 +16,5 @@ Possibly more? non-enumeral type in conditional. 0002-ubsan-error-fixes.path: Fix UBSan errors for overflows. 0003-ubsan-render-line-error.patch: Fix UBSan overflow error in render_line. +0004-ubsan-sweep-scanline-error.patch: Fix UBSan left shift of negative value +error in sweep_scanline. diff --git a/third_party/agg23/agg_rasterizer_scanline_aa.h b/third_party/agg23/agg_rasterizer_scanline_aa.h index c747ee379e..da166bb14a 100644 --- a/third_party/agg23/agg_rasterizer_scanline_aa.h +++ b/third_party/agg23/agg_rasterizer_scanline_aa.h @@ -349,14 +349,14 @@ public: cover += cur_cell->cover; } if(area) { - alpha = calculate_alpha((cover << (poly_base_shift + 1)) - area, no_smooth); + alpha = calculate_alpha(calculate_area(cover, poly_base_shift + 1) - area, no_smooth); if(alpha) { sl.add_cell(x, alpha); } x++; } if(num_cells && cur_cell->x > x) { - alpha = calculate_alpha(cover << (poly_base_shift + 1), no_smooth); + alpha = calculate_alpha(calculate_area(cover, poly_base_shift + 1), no_smooth); if(alpha) { sl.add_span(x, cur_cell->x - x, alpha); } @@ -458,6 +458,11 @@ private: m_prev_x = x; m_prev_y = y; } + static int calculate_area(int cover, int shift) { + unsigned int result = cover; + result <<= shift; + return result; + } private: outline_aa m_outline; filling_rule_e m_filling_rule; |