From 77315d696138a83b86ad050870300c2c52935f29 Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Fri, 27 Apr 2018 19:02:27 +0000
Subject: Fix undefined behavior in AGG.
BUG=chromium:746232
Change-Id: Id8f22d09bc7768603ea67bd52a5a5b3d87885ea9
Reviewed-on: https://pdfium-review.googlesource.com/31370
Reviewed-by: Tom Sepez
Commit-Queue: Lei Zhang
---
 .../agg23/0004-ubsan-sweep-scanline-error.patch | 33 ++++++++++++++++++++++
 third_party/agg23/README.pdfium | 2 ++
 third_party/agg23/agg_rasterizer_scanline_aa.h | 9 ++++--
 3 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 third_party/agg23/0004-ubsan-sweep-scanline-error.patch
(limited to 'third_party')
diff --git a/third_party/agg23/0004-ubsan-sweep-scanline-error.patch b/third_party/agg23/0004-ubsan-sweep-scanline-error.patch
new file mode 100644
index 0000000000..3348f0500b
--- /dev/null
+++ b/third_party/agg23/0004-ubsan-sweep-scanline-error.patch
@@ -0,0 +1,33 @@
+diff --git a/third_party/agg23/agg_rasterizer_scanline_aa.h b/third_party/agg23/agg_rasterizer_scanline_aa.h
+index c747ee379..da166bb14 100644
+--- a/third_party/agg23/agg_rasterizer_scanline_aa.h
++++ b/third_party/agg23/agg_rasterizer_scanline_aa.h
+@@ -349,14 +349,14 @@ public:
+ cover += cur_cell->cover;
+ }
+ if(area) {
+- alpha = calculate_alpha((cover << (poly_base_shift + 1)) - area, no_smooth);
++ alpha = calculate_alpha(calculate_area(cover, poly_base_shift + 1) - area, no_smooth);
+ if(alpha) {
+ sl.add_cell(x, alpha);
+ }
+ x++;
+ }
+ if(num_cells && cur_cell->x > x) {
+- alpha = calculate_alpha(cover << (poly_base_shift + 1), no_smooth);
++ alpha = calculate_alpha(calculate_area(cover, poly_base_shift + 1), no_smooth);
+ if(alpha) {
+ sl.add_span(x, cur_cell->x - x, alpha);
+ }
+@@ -458,6 +458,11 @@ private:
+ m_prev_x = x;
+ m_prev_y = y;
+ }
++ static int calculate_area(int cover, int shift) {
++ unsigned int result = cover;
++ result <<= shift;
++ return result;
++ }
+ private:
+ outline_aa m_outline;
+ filling_rule_e m_filling_rule;
diff --git a/third_party/agg23/README.pdfium b/third_party/agg23/README.pdfium
index 4b1ff49146..fa50951c66 100644
--- a/third_party/agg23/README.pdfium
+++ b/third_party/agg23/README.pdfium
@@ -16,3 +16,5 @@ Possibly more?
 non-enumeral type in conditional.
 0002-ubsan-error-fixes.path: Fix UBSan errors for overflows.
 0003-ubsan-render-line-error.patch: Fix UBSan overflow error in render_line.
+0004-ubsan-sweep-scanline-error.patch: Fix UBSan left shift of negative value
+error in sweep_scanline.
diff --git a/third_party/agg23/agg_rasterizer_scanline_aa.h b/third_party/agg23/agg_rasterizer_scanline_aa.h
index c747ee379e..da166bb14a 100644
--- a/third_party/agg23/agg_rasterizer_scanline_aa.h
+++ b/third_party/agg23/agg_rasterizer_scanline_aa.h
@@ -349,14 +349,14 @@ public:
 cover += cur_cell->cover;
 }
 if(area) {
- alpha = calculate_alpha((cover << (poly_base_shift + 1)) - area, no_smooth);
+ alpha = calculate_alpha(calculate_area(cover, poly_base_shift + 1) - area, no_smooth);
 if(alpha) {
 sl.add_cell(x, alpha);
 }
 x++;
 }
 if(num_cells && cur_cell->x > x) {
- alpha = calculate_alpha(cover << (poly_base_shift + 1), no_smooth);
+ alpha = calculate_alpha(calculate_area(cover, poly_base_shift + 1), no_smooth);
 if(alpha) {
 sl.add_span(x, cur_cell->x - x, alpha);
 }
@@ -458,6 +458,11 @@ private:
 m_prev_x = x;
 m_prev_y = y;
 }
+ static int calculate_area(int cover, int shift) {
+ unsigned int result = cover;
+ result <<= shift;
+ return result;
+ }
 private:
 outline_aa m_outline;
 filling_rule_e m_filling_rule;
--
cgit v1.2.3
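Review bot: In the `if(area)` branch of the @@ -349 hunk, the subtraction `calculate_area(cover, poly_base_shift + 1) - area` is still carried out in signed `int`, so only the shift itself has been made well-defined. The new helper wraps silently when `cover` is large, and a wrapped value near the `int` limits can make this subtraction overflow, which is again undefined behaviour; whether the rasterizer's inputs can reach that range is not visible here. Consider subtracting in unsigned arithmetic as well, e.g. `static_cast<int>(static_cast<unsigned int>(calculate_area(cover, poly_base_shift + 1)) - static_cast<unsigned int>(area))`, or bounding `cover` where it is accumulated by `cover += cur_cell->cover;`. The enclosing function (sweep_scanline, going by the README entry) starts and ends outside the hunk.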
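Review bot: `calculate_area` in the @@ -458 hunk carries no comment saying why it shifts through `unsigned int`, and it relies on two implicit conversions and an unchecked `shift`. A short comment such as `// Shift as unsigned: left-shifting a negative int is undefined behaviour; the result wraps modulo 2^N.` would keep a later cleanup from folding it back into `cover << shift`. The conversions could be spelled out as `return static_cast<int>(static_cast<unsigned int>(cover) << shift);`, bearing in mind that converting an out-of-range unsigned value to `int` is implementation-defined before C++20. `shift` must stay below the bit width of `unsigned int`; both visible callers pass `poly_base_shift + 1`, so a comment or an assert stating that precondition would be enough.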