[poppler] splash/Splash.cc splash/SplashPath.cc

[GitLab Mirror]

 splash/Splash.cc     |    4 +++-
 splash/SplashPath.cc |   10 ++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

New commits:
commit c47713528f770ac89c90d662aae72c7e48c9497b
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sat Sep 5 21:26:37 2020 +0200

    addStrokeAdjustHint(): fix crash in out-of-memory situation.
    
    Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25411
    
        #0 0xf7ef8f19 in [vdso]
        #1 0xf7ccdd08 in gsignal (/lib32/libc.so.6+0x2bd08)
        #2 0xf7ccf206 in abort (/lib32/libc.so.6+0x2d206)
        #3 0xbdb9c2e in grealloc(void*, unsigned int, bool) gdal/poppler/goo/gmem.h:85:5
        #4 0xbdd9e11 in greallocn(void*, int, int, bool, bool) gdal/poppler/goo/gmem.h:171:12
        #5 0xc012373 in SplashPath::addStrokeAdjustHint(int, int, int, int) gdal/poppler/splash/SplashPath.cc:211:35
        #6 0xbfd156f in Splash::makeStrokePath(SplashPath*, double, bool) gdal/poppler/splash/Splash.cc:5987:34
        #7 0xbfcaec2 in Splash::strokeWide(SplashPath*, double) gdal/poppler/splash/Splash.cc:2028:13
        #8 0xbfc8a4d in Splash::stroke(SplashPath*) /src/gdal/poppler/splash/Splash.cc
    
    Based on patch by Even Rouault

diff --git a/splash/Splash.cc b/splash/Splash.cc
index a020c749..584e65c7 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -5844,7 +5844,9 @@ SplashPath *Splash::makeStrokePath(SplashPath *path, SplashCoord w, bool flatten
         wdy = (SplashCoord)0.5 * w * dy;
 
         // draw the start cap
-        pathOut->moveTo(pathIn->pts[i0].x - wdy, pathIn->pts[i0].y + wdx);
+        if (pathOut->moveTo(pathIn->pts[i0].x - wdy, pathIn->pts[i0].y + wdx) != splashOk) {
+            break;
+        }
         if (i0 == subpathStart0) {
             firstPt = pathOut->length - 1;
         }
diff --git a/splash/SplashPath.cc b/splash/SplashPath.cc
index 33216cfb..7c7e8523 100644
--- a/splash/SplashPath.cc
+++ b/splash/SplashPath.cc
@@ -196,7 +196,10 @@ SplashError SplashPath::close(bool force)
         return splashErrNoCurPt;
     }
     if (force || curSubpath == length - 1 || pts[length - 1].x != pts[curSubpath].x || pts[length - 1].y != pts[curSubpath].y) {
-        lineTo(pts[curSubpath].x, pts[curSubpath].y);
+        const auto lineToStatus = lineTo(pts[curSubpath].x, pts[curSubpath].y);
+        if (lineToStatus != splashOk) {
+            return lineToStatus;
+        }
     }
     flags[curSubpath] |= splashPathClosed;
     flags[length - 1] |= splashPathClosed;
@@ -208,7 +211,10 @@ void SplashPath::addStrokeAdjustHint(int ctrl0, int ctrl1, int firstPt, int last
 {
     if (hintsLength == hintsSize) {
         hintsSize = hintsLength ? 2 * hintsLength : 8;
-        hints = (SplashPathHint *)greallocn(hints, hintsSize, sizeof(SplashPathHint));
+        hints = (SplashPathHint *)greallocn_checkoverflow(hints, hintsSize, sizeof(SplashPathHint));
+    }
+    if (unlikely(!hints)) {
+        return;
     }
     hints[hintsLength].ctrl0 = ctrl0;
     hints[hintsLength].ctrl1 = ctrl1;