addStrokeAdjustHint(): fix crash in out-of-memory situation.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25411 #0 0xf7ef8f19 in [vdso] #1 0xf7ccdd08 in gsignal (/lib32/libc.so.6+0x2bd08) #2 0xf7ccf206 in abort (/lib32/libc.so.6+0x2d206) #3 0xbdb9c2e in grealloc(void*, unsigned int, bool) gdal/poppler/goo/gmem.h:85:5 #4 0xbdd9e11 in greallocn(void*, int, int, bool, bool) gdal/poppler/goo/gmem.h:171:12 #5 0xc012373 in SplashPath::addStrokeAdjustHint(int, int, int, int) gdal/poppler/splash/SplashPath.cc:211:35 #6 0xbfd156f in Splash::makeStrokePath(SplashPath*, double, bool) gdal/poppler/splash/Splash.cc:5987:34 #7 0xbfcaec2 in Splash::strokeWide(SplashPath*, double) gdal/poppler/splash/Splash.cc:2028:13 #8 0xbfc8a4d in Splash::stroke(SplashPath*) /src/gdal/poppler/splash/Splash.cc Based on patch by Even Rouault
giddie · Sep 5, 2020 · c477135 · c477135
1 parent 92ebc64
commit c477135
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/splash/Splash.cc b/splash/Splash.cc
@@ -5844,7 +5844,9 @@ SplashPath *Splash::makeStrokePath(SplashPath *path, SplashCoord w, bool flatten
         wdy = (SplashCoord)0.5 * w * dy;
 
         // draw the start cap
-        pathOut->moveTo(pathIn->pts[i0].x - wdy, pathIn->pts[i0].y + wdx);
+        if (pathOut->moveTo(pathIn->pts[i0].x - wdy, pathIn->pts[i0].y + wdx) != splashOk) {
+            break;
+        }
         if (i0 == subpathStart0) {
             firstPt = pathOut->length - 1;
         }

diff --git a/splash/SplashPath.cc b/splash/SplashPath.cc
@@ -196,7 +196,10 @@ SplashError SplashPath::close(bool force)
         return splashErrNoCurPt;
     }
     if (force || curSubpath == length - 1 || pts[length - 1].x != pts[curSubpath].x || pts[length - 1].y != pts[curSubpath].y) {
-        lineTo(pts[curSubpath].x, pts[curSubpath].y);
+        const auto lineToStatus = lineTo(pts[curSubpath].x, pts[curSubpath].y);
+        if (lineToStatus != splashOk) {
+            return lineToStatus;
+        }
     }
     flags[curSubpath] |= splashPathClosed;
     flags[length - 1] |= splashPathClosed;
@@ -208,7 +211,10 @@ void SplashPath::addStrokeAdjustHint(int ctrl0, int ctrl1, int firstPt, int last
 {
     if (hintsLength == hintsSize) {
         hintsSize = hintsLength ? 2 * hintsLength : 8;
-        hints = (SplashPathHint *)greallocn(hints, hintsSize, sizeof(SplashPathHint));
+        hints = (SplashPathHint *)greallocn_checkoverflow(hints, hintsSize, sizeof(SplashPathHint));
+    }
+    if (unlikely(!hints)) {
+        return;
     }
     hints[hintsLength].ctrl0 = ctrl0;
     hints[hintsLength].ctrl1 = ctrl1;