Always check for allocation failure after calling SplashPath::grow and also...

Always check for allocation failure after calling SplashPath::grow and also set curSubpath to zero so that noCurrentPoint applies after allocation failure. oss-fuzz/10148

splash/SplashPath.cc

@@ -111,7 +111,7 @@ void SplashPath::grow(int nPts) {
     pts = (SplashPathPoint *)greallocn_checkoverflow(pts, size, sizeof(SplashPathPoint));
     flags = (Guchar *)greallocn_checkoverflow(flags, size, sizeof(Guchar));
     if (unlikely(!pts || !flags)) {
-      length = size = 0;
+      length = size = curSubpath = 0;
     }
   }
 }
@@ -119,8 +119,11 @@ void SplashPath::grow(int nPts) {
 void SplashPath::append(SplashPath *path) {
   int i;
 
-  curSubpath = length + path->curSubpath;
   grow(path->length);
+  if (unlikely(size == 0))
+    return;
+
+  curSubpath = length + path->curSubpath;
   for (i = 0; i < path->length; ++i) {
     pts[length] = path->pts[i];
     flags[length] = path->flags[i];
@@ -148,6 +151,8 @@ SplashError SplashPath::lineTo(SplashCoord x, SplashCoord y) {
   }
   flags[length-1] &= ~splashPathLast;
   grow(1);
+  if (unlikely(size == 0))
+    return splashErrBogusPath;
   pts[length].x = x;
   pts[length].y = y;
   flags[length] = splashPathLast;
@@ -163,6 +168,8 @@ SplashError SplashPath::curveTo(SplashCoord x1, SplashCoord y1,
   }
   flags[length-1] &= ~splashPathLast;
   grow(3);
+  if (unlikely(size == 0))
+    return splashErrBogusPath;
   pts[length].x = x1;
   pts[length].y = y1;
   flags[length] = splashPathCurve;