Stop rendering if a span length overflowed in AGG
In AGG, len is of type coord_type, which we have as int16_t, but we can add to
it large values, causing it to become negative. Stop the rendering when that
occurs.
Bug: chromium:719258
Change-Id: Ic7497666b01220a9cd3e7d749f1fc6ae4a210870
Reviewed-on: https://pdfium-review.googlesource.com/5370
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
diff --git a/core/fxge/agg/fx_agg_driver.cpp b/core/fxge/agg/fx_agg_driver.cpp
index 471fc9b..128d50c 100644
--- a/core/fxge/agg/fx_agg_driver.cpp
+++ b/core/fxge/agg/fx_agg_driver.cpp
@@ -953,8 +953,10 @@
unsigned num_spans = sl.num_spans();
typename Scanline::const_iterator span = sl.begin();
while (1) {
+ if (span->len <= 0)
+ break;
+
int x = span->x;
- ASSERT(span->len > 0);
uint8_t* dest_pos = nullptr;
uint8_t* dest_extra_alpha_pos = nullptr;
uint8_t* ori_pos = nullptr;
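Review bot: the new `if (span->len <= 0) break;` at the top of the `while (1)` loop only catches an overflowed `len` that wrapped to zero or a negative value. Per the commit message, `len` is an `int16_t` that grows by addition, so a sum that wraps far enough to come back positive would pass this check and be processed with a wrong length. Consider detecting the overflow where `len` is accumulated rather than at the point of use. The `break` also abandons the remaining spans of the scanline silently, and with `ASSERT(span->len > 0)` removed nothing flags the condition in debug builds. A short comment above the check saying that a non-positive `len` means the `coord_type` overflowed would help the next reader.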