fix pathops coincidence fuzz bug
Simplifying a series of rects with very large bounds
triggers a coincidence bug where, after one of the
intersection points that marks a coincident range
has been deleted, it is referenced.
Both the deletion and reference is (probably) happening
in the SkOpCoincidence::AddExpanded() phase of
HandleCoincidence(), and may signify a bug that could
happen with usable input data, but I haven't been
able to determine that.
For now, abort the Simplify() when the erroneous
condition is detected.
TBR=reed@google.com
BUG=558281
Review URL: https://codereview.chromium.org/1463923002
diff --git a/src/pathops/SkOpCoincidence.cpp b/src/pathops/SkOpCoincidence.cpp
index 0d808db..87bb913 100755
--- a/src/pathops/SkOpCoincidence.cpp
+++ b/src/pathops/SkOpCoincidence.cpp
@@ -85,6 +85,9 @@
SkOpSpanBase* oStart = oStartPtT->span();
const SkOpSpanBase* end = coin->fCoinPtTEnd->span();
const SkOpSpanBase* oEnd = coin->fOppPtTEnd->span();
+ if (oEnd->deleted()) {
+ return false;
+ }
SkOpSpanBase* test = start->upCast()->next();
SkOpSpanBase* oTest = coin->fFlipped ? oStart->prev() : oStart->upCast()->next();
while (test != end || oTest != oEnd) {
diff --git a/tests/PathOpsSimplifyTest.cpp b/tests/PathOpsSimplifyTest.cpp
index 6221182..a4a33eb 100644
--- a/tests/PathOpsSimplifyTest.cpp
+++ b/tests/PathOpsSimplifyTest.cpp
@@ -5024,11 +5024,43 @@
testSimplify(reporter, path, filename);
}
+static void fuzz_twister2(skiatest::Reporter* reporter, const char* filename) {
+ SkPath path;
+
+path.moveTo(SkBits2Float(0x00000000), SkBits2Float(0x44160000)); // 0, 600
+path.lineTo(SkBits2Float(0x4bfffffe), SkBits2Float(0x44160000)); // 3.35544e+07f, 600
+path.lineTo(SkBits2Float(0x4bfffffe), SkBits2Float(0x00000000)); // 3.35544e+07f, 0
+path.lineTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000)); // 0, 0
+path.lineTo(SkBits2Float(0x00000000), SkBits2Float(0x44160000)); // 0, 600
+path.close();
+
+path.moveTo(SkBits2Float(0x427c0000), SkBits2Float(0x00000000)); // 63, 0
+path.lineTo(SkBits2Float(0x4c00000f), SkBits2Float(0x00000000)); // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x4c00000f), SkBits2Float(0x00000000)); // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x427c0000), SkBits2Float(0x00000000)); // 63, 0
+path.close();
+
+path.moveTo(SkBits2Float(0x42ba0000), SkBits2Float(0x00000000)); // 93, 0
+path.lineTo(SkBits2Float(0x4c000016), SkBits2Float(0x00000000)); // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x4c000016), SkBits2Float(0x00000000)); // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x42ba0000), SkBits2Float(0x00000000)); // 93, 0
+path.close();
+
+path.moveTo(SkBits2Float(0x42f60000), SkBits2Float(0x00000000)); // 123, 0
+path.lineTo(SkBits2Float(0x4c00001e), SkBits2Float(0x00000000)); // 3.35546e+07f, 0
+path.lineTo(SkBits2Float(0x4c00001e), SkBits2Float(0x00000000)); // 3.35546e+07f, 0
+path.lineTo(SkBits2Float(0x42f60000), SkBits2Float(0x00000000)); // 123, 0
+path.close();
+
+ REPORTER_ASSERT(reporter, !Simplify(path, &path));
+}
+
static void (*skipTest)(skiatest::Reporter* , const char* filename) = 0;
static void (*firstTest)(skiatest::Reporter* , const char* filename) = 0;
static void (*stopTest)(skiatest::Reporter* , const char* filename) = 0;
static TestDesc tests[] = {
+ TEST(fuzz_twister2),
TEST(fuzz_twister),
TEST(fuzz994s_3414),
TEST(fuzz994s_11),