Commit c4771352 authored by Albert Astals Cid

addStrokeAdjustHint(): fix crash in out-of-memory situation.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25411

    #0 0xf7ef8f19 in [vdso]
    #1 0xf7ccdd08 in gsignal (/lib32/libc.so.6+0x2bd08)
    #2 0xf7ccf206 in abort (/lib32/libc.so.6+0x2d206)
    #3 0xbdb9c2e in grealloc(void*, unsigned int, bool) gdal/poppler/goo/gmem.h:85:5
    #4 0xbdd9e11 in greallocn(void*, int, int, bool, bool) gdal/poppler/goo/gmem.h:171:12
    #5 0xc012373 in SplashPath::addStrokeAdjustHint(int, int, int, int) gdal/poppler/splash/SplashPath.cc:211:35
    #6 0xbfd156f in Splash::makeStrokePath(SplashPath*, double, bool) gdal/poppler/splash/Splash.cc:5987:34
    #7 0xbfcaec2 in Splash::strokeWide(SplashPath*, double) gdal/poppler/splash/Splash.cc:2028:13
    #8 0xbfc8a4d in Splash::stroke(SplashPath*) /src/gdal/poppler/splash/Splash.cc

Based on patch by Even Rouault
parent 92ebc641
......@@ -5844,7 +5844,9 @@ SplashPath *Splash::makeStrokePath(SplashPath *path, SplashCoord w, bool flatten
wdy = (SplashCoord)0.5 * w * dy;
// draw the start cap
pathOut->moveTo(pathIn->pts[i0].x - wdy, pathIn->pts[i0].y + wdx);
if (pathOut->moveTo(pathIn->pts[i0].x - wdy, pathIn->pts[i0].y + wdx) != splashOk) {
break;
}
if (i0 == subpathStart0) {
firstPt = pathOut->length - 1;
}
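Review bot: The `break` taken when `pathOut->moveTo(...)` returns something other than `splashOk` leaves `pathOut` holding a partly built stroke outline, and nothing in this hunk tells the caller of makeStrokePath that the result is truncated. The rest of the loop and the code after it lie outside the hunk, so confirm that the post-loop code does not rely on values such as `firstPt` that are only set after a successful `moveTo`. Also confirm that any other unchecked calls on `pathOut` in this function cannot hit the same failure. A comment on the new branch would record the intent, e.g. `// moveTo() failed (presumably out of memory): stop building; pathOut is returned incomplete`.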
......
......@@ -196,7 +196,10 @@ SplashError SplashPath::close(bool force)
return splashErrNoCurPt;
}
if (force || curSubpath == length - 1 || pts[length - 1].x != pts[curSubpath].x || pts[length - 1].y != pts[curSubpath].y) {
lineTo(pts[curSubpath].x, pts[curSubpath].y);
const auto lineToStatus = lineTo(pts[curSubpath].x, pts[curSubpath].y);
if (lineToStatus != splashOk) {
return lineToStatus;
}
}
flags[curSubpath] |= splashPathClosed;
flags[length - 1] |= splashPathClosed;
......@@ -208,7 +211,10 @@ void SplashPath::addStrokeAdjustHint(int ctrl0, int ctrl1, int firstPt, int last
{
if (hintsLength == hintsSize) {
hintsSize = hintsLength ? 2 * hintsLength : 8;
hints = (SplashPathHint *)greallocn(hints, hintsSize, sizeof(SplashPathHint));
hints = (SplashPathHint *)greallocn_checkoverflow(hints, hintsSize, sizeof(SplashPathHint));
}
if (unlikely(!hints)) {
return;
}
hints[hintsLength].ctrl0 = ctrl0;
hints[hintsLength].ctrl1 = ctrl1;
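Review bot: When `greallocn_checkoverflow` returns null in addStrokeAdjustHint, the early `return` leaves `hintsSize` already doubled and `hintsLength` at its old, possibly non-zero value while `hints` is null. Any code that later walks `hints` up to `hintsLength` would then dereference a null pointer on the same hostile input that used to hit the abort. Resetting the bookkeeping in the failure branch keeps the object consistent: `if (unlikely(!hints)) { hintsLength = hintsSize = 0; return; }`. Whether the old buffer is released on failure depends on `greallocn_checkoverflow`, which is not shown here, so the direct overwrite of `hints` should be checked for a leak. The function returns void and its body continues past the hunk, so callers cannot see that the hint was dropped.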
......