From ce67be4c48bf1bdc037141237c1db6ecc2054337 Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Wed, 14 Jun 2017 14:52:49 -0400
Subject: Fix crash when inserting empty path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The path creation method begins with an open MoveTo point. If nothing
else is added, CFX_PathData::GetBoundingBox will try an OOB access in
its m_Points. This CL adds a check similar to the one in
CPDF_StreamContentParser::AddPathObject.
Change-Id: Iec7cfe3379253c021ba7d5f276306a66009f84e2
Reviewed-on: https://pdfium-review.googlesource.com/6593
Commit-Queue: Nicolás Peña <npm@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
---
 core/fxge/ge/cfx_pathdata.cpp     | 3 +++
 fpdfsdk/fpdfedit_embeddertest.cpp | 5 ++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/core/fxge/ge/cfx_pathdata.cpp b/core/fxge/ge/cfx_pathdata.cpp
index 6fae44acb1..fe3c6778d5 100644
--- a/core/fxge/ge/cfx_pathdata.cpp
+++ b/core/fxge/ge/cfx_pathdata.cpp
@@ -240,6 +240,9 @@ CFX_FloatRect CFX_PathData::GetBoundingBox(float line_width,
   bool bJoin;
   while (iPoint < m_Points.size()) {
     if (m_Points[iPoint].IsTypeAndOpen(FXPT_TYPE::MoveTo)) {
+      if (iPoint + 1 == m_Points.size())
+        break;
+
       iStartPoint = iPoint + 1;
       iEndPoint = iPoint;
       bJoin = false;
diff --git a/fpdfsdk/fpdfedit_embeddertest.cpp b/fpdfsdk/fpdfedit_embeddertest.cpp
index 1146a8c546..f7bade9155 100644
--- a/fpdfsdk/fpdfedit_embeddertest.cpp
+++ b/fpdfsdk/fpdfedit_embeddertest.cpp
@@ -593,13 +593,12 @@ TEST_F(FPDFEditEmbeddertest, GraphicsData) {
   EXPECT_EQ(2, static_cast<int>(graphics_dict->GetCount()));
 
   // Add a path that should reuse graphics
-  // TODO(npm): This causes a crash on Windows.
-  /*FPDF_PAGEOBJECT path = FPDFPageObj_CreateNewPath(400, 100);
+  FPDF_PAGEOBJECT path = FPDFPageObj_CreateNewPath(400, 100);
   FPDFPageObj_SetBlendMode(path, "Darken");
   EXPECT_TRUE(FPDFPath_SetFillColor(path, 200, 200, 100, 150));
   FPDFPage_InsertObject(page.get(), path);
   EXPECT_TRUE(FPDFPage_GenerateContent(page.get()));
-  EXPECT_EQ(2, static_cast<int>(graphics_dict->GetCount()));*/
+  EXPECT_EQ(2, static_cast<int>(graphics_dict->GetCount()));
 
   // Add a rect increasing the size of the graphics dictionary
   FPDF_PAGEOBJECT rect2 = FPDFPageObj_CreateNewRect(10, 10, 100, 100);
-- 
cgit v1.2.3