From 6e4ecaf073843e571f4c0a72a0b6d81a01b01607 Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Thu, 11 May 2017 12:33:48 -0400
Subject: Stop rendering if a span length overflowed in AGG
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In AGG, len is of type coord_type, which we have as int16_t, but we can add to it large values, causing it to become negative. Stop the rendering when that occurs.

Bug: chromium:719258
Change-Id: Ic7497666b01220a9cd3e7d749f1fc6ae4a210870
Reviewed-on: https://pdfium-review.googlesource.com/5370
Reviewed-by: dsinclair
Commit-Queue: Nicolás Peña
---
 core/fxge/agg/fx_agg_driver.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/core/fxge/agg/fx_agg_driver.cpp b/core/fxge/agg/fx_agg_driver.cpp
index 471fc9bb86..128d50c6e6 100644
--- a/core/fxge/agg/fx_agg_driver.cpp
+++ b/core/fxge/agg/fx_agg_driver.cpp
@@ -953,8 +953,10 @@ void CFX_Renderer::render(const Scanline& sl) {
 unsigned num_spans = sl.num_spans();
 typename Scanline::const_iterator span = sl.begin();
 while (1) {
+ if (span->len <= 0)
+ break;
+
 int x = span->x;
- ASSERT(span->len > 0);
 uint8_t* dest_pos = nullptr;
 uint8_t* dest_extra_alpha_pos = nullptr;
 uint8_t* ori_pos = nullptr;
--
cgit v1.2.3
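Review bot: The added `span->len <= 0` guard at the top of the `while (1)` loop only catches an overflow that lands on a negative value; the commit message says len is an int16_t that receives large additions, and such a wrap can just as well land on a small positive value that then passes the check and still indexes past the destination row. If the renderer has destination width or clip bounds in scope (none are visible in this hunk), the guard should also reject a span that extends past them, e.g. `if (span->len <= 0 || span->x + span->len > <dest width>) break;`. The bare `break` also silently abandons every remaining span on the scanline, which is defensible for a corrupt span but deserves a why-comment such as `// len is int16_t in AGG and may have wrapped; a non-positive length means the span is corrupt, so stop this scanline rather than index past the buffer.`. CFX_Renderer::render begins before this hunk and continues after it, so how num_spans and the loop exit interact with this early break is not visible here.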