splash/Splash.cc | 4 +++- splash/SplashPath.cc | 10 ++++++++-- 2 files changed, 11 insertions(+), 3 deletions(-)
New commits: commit c47713528f770ac89c90d662aae72c7e48c9497b Author: Albert Astals Cid <[email protected]> Date: Sat Sep 5 21:26:37 2020 +0200 addStrokeAdjustHint(): fix crash in out-of-memory situation. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25411 #0 0xf7ef8f19 in [vdso] #1 0xf7ccdd08 in gsignal (/lib32/libc.so.6+0x2bd08) #2 0xf7ccf206 in abort (/lib32/libc.so.6+0x2d206) #3 0xbdb9c2e in grealloc(void*, unsigned int, bool) gdal/poppler/goo/gmem.h:85:5 #4 0xbdd9e11 in greallocn(void*, int, int, bool, bool) gdal/poppler/goo/gmem.h:171:12 #5 0xc012373 in SplashPath::addStrokeAdjustHint(int, int, int, int) gdal/poppler/splash/SplashPath.cc:211:35 #6 0xbfd156f in Splash::makeStrokePath(SplashPath*, double, bool) gdal/poppler/splash/Splash.cc:5987:34 #7 0xbfcaec2 in Splash::strokeWide(SplashPath*, double) gdal/poppler/splash/Splash.cc:2028:13 #8 0xbfc8a4d in Splash::stroke(SplashPath*) /src/gdal/poppler/splash/Splash.cc Based on patch by Even Rouault
diff --git a/splash/Splash.cc b/splash/Splash.cc
index a020c749..584e65c7 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -5844,7 +5844,9 @@ SplashPath *Splash::makeStrokePath(SplashPath *path, SplashCoord w, bool flatten
     wdy = (SplashCoord)0.5 * w * dy;
 
     // draw the start cap
-    pathOut->moveTo(pathIn->pts[i0].x - wdy, pathIn->pts[i0].y + wdx);
+    if (pathOut->moveTo(pathIn->pts[i0].x - wdy, pathIn->pts[i0].y + wdx) != splashOk) {
+        break;
+    }
     if (i0 == subpathStart0) {
         firstPt = pathOut->length - 1;
     }
diff --git a/splash/SplashPath.cc b/splash/SplashPath.cc
index 33216cfb..7c7e8523 100644
--- a/splash/SplashPath.cc
+++ b/splash/SplashPath.cc
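Review bot: The new `break` on a failed moveTo abandons the loop with pathOut only partially built, yet makeStrokePath (whose body starts and ends outside this hunk) still returns that SplashPath* with no error signal visible here, so the caller cannot distinguish a truncated stroke path from a complete one. That is a reasonable trade-off against using the stale `pathOut->length - 1` as firstPt, but it should be stated at the break, e.g. `// moveTo failed (allocation); stop building this stroke - the caller receives a truncated path rather than a stale firstPt index`. If other pathOut->lineTo/curveTo calls in the same loop remain unchecked, a later failure would leave the same inconsistency unguarded.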
@@ -196,7 +196,10 @@ SplashError SplashPath::close(bool force)
         return splashErrNoCurPt;
     }
     if (force || curSubpath == length - 1 || pts[length - 1].x != pts[curSubpath].x || pts[length - 1].y != pts[curSubpath].y) {
-        lineTo(pts[curSubpath].x, pts[curSubpath].y);
+        const auto lineToStatus = lineTo(pts[curSubpath].x, pts[curSubpath].y);
+        if (lineToStatus != splashOk) {
+            return lineToStatus;
+        }
     }
     flags[curSubpath] |= splashPathClosed;
     flags[length - 1] |= splashPathClosed;
@@ -208,7 +211,10 @@ void SplashPath::addStrokeAdjustHint(int ctrl0, int ctrl1, int firstPt, int last
 {
     if (hintsLength == hintsSize) {
         hintsSize = hintsLength ? 2 * hintsLength : 8;
-        hints = (SplashPathHint *)greallocn(hints, hintsSize, sizeof(SplashPathHint));
+        hints = (SplashPathHint *)greallocn_checkoverflow(hints, hintsSize, sizeof(SplashPathHint));
+    }
+    if (unlikely(!hints)) {
+        return;
     }
     hints[hintsLength].ctrl0 = ctrl0;
     hints[hintsLength].ctrl1 = ctrl1;
_______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
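Review bot: The early `return` on a null `hints` in addStrokeAdjustHint leaves the object with hintsLength still at its old count (and hintsSize at the doubled value) while the array pointer is null, so any reader that walks `hints[0..hintsLength)` would dereference null on the first hint; resetting the counters turns the failure into a clean "no hints" state: `hintsLength = hintsSize = 0;` before the `return;`. Whether greallocn_checkoverflow releases the previous block on failure is not visible here; if it does not, overwriting `hints` with nullptr also leaks the old array, which keeping the result in a temporary until the call succeeds would avoid. The close() hunk earlier on this line looks correct, since the error is propagated before either closed flag is set. Both functions continue outside their hunks.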
