<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style> </head> <body dir="ltr"> <div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"> Should tests for != splashOk be wrapped in unlikely()? </div> <div> <div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)"> </div> <hr tabindex="-1" style="display:inline-block; width:98%"> <div id="divRplyFwdMsg" dir="ltr">From: poppler <poppler-bounces@lists.freedesktop.org> on behalf of GitLab Mirror <gitlab-mirror@kemper.freedesktop.org> Sent: Saturday, September 5, 2020 3:41 PM To: poppler@lists.freedesktop.org <poppler@lists.freedesktop.org> Subject: [poppler] splash/Splash.cc splash/SplashPath.cc <div> </div> </div> <div class="BodyFragment"> <div class="PlainText">splash/Splash.cc | 4 +++- splash/SplashPath.cc | 10 ++++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) New commits: commit c47713528f770ac89c90d662aae72c7e48c9497b Author: Albert Astals Cid <aacid@kde.org> Date: Sat Sep 5 21:26:37 2020 +0200 addStrokeAdjustHint(): fix crash in out-of-memory situation. Fixes <a href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25411">https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25411</a> #0 0xf7ef8f19 in [vdso] #1 0xf7ccdd08 in gsignal (/lib32/libc.so.6+0x2bd08) #2 0xf7ccf206 in abort (/lib32/libc.so.6+0x2d206) #3 0xbdb9c2e in grealloc(void*, unsigned int, bool) gdal/poppler/goo/gmem.h:85:5 #4 0xbdd9e11 in greallocn(void*, int, int, bool, bool) gdal/poppler/goo/gmem.h:171:12 #5 0xc012373 in SplashPath::addStrokeAdjustHint(int, int, int, int) gdal/poppler/splash/SplashPath.cc:211:35 #6 0xbfd156f in Splash::makeStrokePath(SplashPath*, double, bool) gdal/poppler/splash/Splash.cc:5987:34 #7 0xbfcaec2 in Splash::strokeWide(SplashPath*, double) gdal/poppler/splash/Splash.cc:2028:13 #8 0xbfc8a4d in Splash::stroke(SplashPath*) /src/gdal/poppler/splash/Splash.cc Based on patch by Even Rouault diff --git a/splash/Splash.cc b/splash/Splash.cc index a020c749..584e65c7 100644 --- a/splash/Splash.cc +++ b/splash/Splash.cc @@ -5844,7 +5844,9 @@ SplashPath *Splash::makeStrokePath(SplashPath *path, SplashCoord w, bool flatten wdy = (SplashCoord)0.5 * w * dy; // draw the start cap - pathOut->moveTo(pathIn->pts[i0].x - wdy, pathIn->pts[i0].y + wdx); + if (pathOut->moveTo(pathIn->pts[i0].x - wdy, pathIn->pts[i0].y + wdx) != splashOk) { + break; + } if (i0 == subpathStart0) { firstPt = pathOut->length - 1; } diff --git a/splash/SplashPath.cc b/splash/SplashPath.cc index 33216cfb..7c7e8523 100644 --- a/splash/SplashPath.cc +++ b/splash/SplashPath.cc @@ -196,7 +196,10 @@ SplashError SplashPath::close(bool force) return splashErrNoCurPt; } if (force || curSubpath == length - 1 || pts[length - 1].x != pts[curSubpath].x || pts[length - 1].y != pts[curSubpath].y) { - lineTo(pts[curSubpath].x, pts[curSubpath].y); + const auto lineToStatus = lineTo(pts[curSubpath].x, pts[curSubpath].y); + if (lineToStatus != splashOk) { + return lineToStatus; + } } flags[curSubpath] |= splashPathClosed; flags[length - 1] |= splashPathClosed; @@ -208,7 +211,10 @@ void SplashPath::addStrokeAdjustHint(int ctrl0, int ctrl1, int firstPt, int last { if (hintsLength == hintsSize) { hintsSize = hintsLength ? 2 * hintsLength : 8; - hints = (SplashPathHint *)greallocn(hints, hintsSize, sizeof(SplashPathHint)); + hints = (SplashPathHint *)greallocn_checkoverflow(hints, hintsSize, sizeof(SplashPathHint)); + } + if (unlikely(!hints)) { + return; } hints[hintsLength].ctrl0 = ctrl0; hints[hintsLength].ctrl1 = ctrl1; _______________________________________________ poppler mailing list poppler@lists.freedesktop.org <a href="https://lists.freedesktop.org/mailman/listinfo/poppler">https://lists.freedesktop.org/mailman/listinfo/poppler</a> </div> </div> </div> </body> </html>