From 987416db22712d0b5c666be08a148946ce4b9bdb Mon Sep 17 00:00:00 2001 From: Lei Zhang Date: Wed, 12 Sep 2018 17:21:11 +0000 Subject: Avoid out of bound access in ClipAngledGradient(). BUG=chromium:835667 Change-Id: I3b9fd04d26f1baa30d48f938616b187410134b5f Reviewed-on: https://pdfium-review.googlesource.com/42311 Reviewed-by: Cary Clark Commit-Queue: Lei Zhang --- core/fxge/skia/fx_skia_device.cpp | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) (limited to 'core') diff --git a/core/fxge/skia/fx_skia_device.cpp b/core/fxge/skia/fx_skia_device.cpp index b0d1fd04fb..2ffd446023 100644 --- a/core/fxge/skia/fx_skia_device.cpp +++ b/core/fxge/skia/fx_skia_device.cpp @@ -503,15 +503,23 @@ void ClipAngledGradient(const SkPoint pts[2], } if (minPerpPtIndex < 0 && maxPerpPtIndex < 0) // nothing's outside return; + // determine if negative distances are before start or after end SkPoint beforeStart = {pts[0].fX * 2 - pts[1].fX, pts[0].fY * 2 - pts[1].fY}; bool beforeNeg = LineSide(startPerp, beforeStart) < 0; - const SkPoint& startEdgePt = - clipStart ? pts[0] : beforeNeg ? rectPts[minPerpPtIndex] - : rectPts[maxPerpPtIndex]; - const SkPoint& endEdgePt = clipEnd ? pts[1] : beforeNeg - ? rectPts[maxPerpPtIndex] - : rectPts[minPerpPtIndex]; + + int noClipStartIndex = maxPerpPtIndex; + int noClipEndIndex = minPerpPtIndex; + if (beforeNeg) + std::swap(noClipStartIndex, noClipEndIndex); + if ((!clipStart && noClipStartIndex < 0) || + (!clipEnd && noClipEndIndex < 0)) { + return; + } + + const SkPoint& startEdgePt = clipStart ? pts[0] : rectPts[noClipStartIndex]; + const SkPoint& endEdgePt = clipEnd ? pts[1] : rectPts[noClipEndIndex]; + // find the corners that bound the gradient SkScalar minDist = SK_ScalarMax; SkScalar maxDist = SK_ScalarMin; -- cgit v1.2.3