splash/SplashPath.cc | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-)
New commits: commit bb078cbd88252e421d14747b98c5c71062cf7571 Author: Adam Reichold <[email protected]> Date: Fri Aug 31 20:18:23 2018 +0200 Always check for allocation failure after calling SplashPath::grow and also set curSubpath to zero so that noCurrentPoint applies after allocation failure. oss-fuzz/10148 diff --git a/splash/SplashPath.cc b/splash/SplashPath.cc index 188279e8..1de0dc97 100644 --- a/splash/SplashPath.cc +++ b/splash/SplashPath.cc @@ -111,7 +111,7 @@ void SplashPath::grow(int nPts) { pts = (SplashPathPoint *)greallocn_checkoverflow(pts, size, sizeof(SplashPathPoint)); flags = (Guchar *)greallocn_checkoverflow(flags, size, sizeof(Guchar)); if (unlikely(!pts || !flags)) { - length = size = 0; + length = size = curSubpath = 0; } } } @@ -119,8 +119,11 @@ void SplashPath::grow(int nPts) { void SplashPath::append(SplashPath *path) { int i; - curSubpath = length + path->curSubpath; grow(path->length); + if (unlikely(size == 0)) + return; + + curSubpath = length + path->curSubpath; for (i = 0; i < path->length; ++i) { pts[length] = path->pts[i]; flags[length] = path->flags[i]; @@ -148,6 +151,8 @@ SplashError SplashPath::lineTo(SplashCoord x, SplashCoord y) { } flags[length-1] &= ~splashPathLast; grow(1); + if (unlikely(size == 0)) + return splashErrBogusPath; pts[length].x = x; pts[length].y = y; flags[length] = splashPathLast; @@ -163,6 +168,8 @@ SplashError SplashPath::curveTo(SplashCoord x1, SplashCoord y1, } flags[length-1] &= ~splashPathLast; grow(3); + if (unlikely(size == 0)) + return splashErrBogusPath; pts[length].x = x1; pts[length].y = y1; flags[length] = splashPathCurve; _______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
