From 8528723bc8aa97c62254c9f22afdd6b9f19570de Mon Sep 17 00:00:00 2001 From: Cary Clark Date: Wed, 5 Jul 2017 11:52:16 -0400 Subject: fix fuzzer generated out of range MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I could not get this to reproduce. It was also reported in April, but I marked it fixed because I couldn't reproduce this then, either. I suspect that the result of LineSide() is +/-inf, causing either minBounds or maxBounds in ClipAngledGradient() to be set to -1, triggering the stack buffer misread. R=dsinclair@chromium.org,npm@chromium.org Bug: 736574 Change-Id: Id828321f8c5481b862822be43d76a41dd8e74ef0 Reviewed-on: https://pdfium-review.googlesource.com/7273 Reviewed-by: dsinclair Reviewed-by: Nicolás Peña Commit-Queue: Cary Clark --- core/fxge/skia/fx_skia_device.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/fxge/skia/fx_skia_device.cpp b/core/fxge/skia/fx_skia_device.cpp index 8e9dfa6126..0bdf3f8b7b 100644 --- a/core/fxge/skia/fx_skia_device.cpp +++ b/core/fxge/skia/fx_skia_device.cpp @@ -523,8 +523,8 @@ void ClipAngledGradient(const SkPoint pts[2], maxBounds = i; } } - ASSERT(minBounds >= 0); - ASSERT(maxBounds >= 0); + if (minBounds < 0 || maxBounds < 0) + return; if (minBounds == maxBounds) return; // construct a clip parallel to the gradient that goes through -- cgit v1.2.3
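Review bot: the new guard `if (minBounds < 0 || maxBounds < 0) return;` stops the stack buffer misread by silently skipping the clip, but the commit message itself says the suspected root cause (LineSide() producing +/-inf so that neither bound is ever assigned) was never reproduced or fixed, so the function now quietly draws an unclipped gradient on exactly the input it does not understand. Suggest validating the values coming out of LineSide() for finiteness before the loop that sets minBounds/maxBounds, so the degenerate input is rejected where it originates, and leaving a comment next to the new guard stating why both bounds can remain -1; a reader of the two replaced ASSERT lines could tell this path was considered unreachable, whereas the bare early return gives no such signal and turns a previously loud failure (useful to the fuzzer) into a silent one.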