fix pathops coincidence fuzz bug

Simplifying a series of rects with very large bounds
triggers a coincidence bug where, after one of the
intersection points that marks a coincident range
has been deleted, it is referenced.

Both the deletion and the reference are (probably) happening
in the SkOpCoincidence::AddExpanded() phase of
HandleCoincidence(), and may signify a bug that could
happen with usable input data, but I haven't been
able to determine that.

For now, abort the Simplify() when the erroneous
condition is detected.

TBR=reed@google.com
BUG=558281

Review URL: https://codereview.chromium.org/1463923002
diff --git a/src/pathops/SkOpCoincidence.cpp b/src/pathops/SkOpCoincidence.cpp
index 0d808db..87bb913 100755
--- a/src/pathops/SkOpCoincidence.cpp
+++ b/src/pathops/SkOpCoincidence.cpp
@@ -85,6 +85,9 @@
         SkOpSpanBase* oStart = oStartPtT->span();
         const SkOpSpanBase* end = coin->fCoinPtTEnd->span();
         const SkOpSpanBase* oEnd = coin->fOppPtTEnd->span();
+        if (oEnd->deleted()) {
+            return false;
+        }
         SkOpSpanBase* test = start->upCast()->next();
         SkOpSpanBase* oTest = coin->fFlipped ? oStart->prev() : oStart->upCast()->next();
         while (test != end || oTest != oEnd) {
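Review bot: The added guard tests only `oEnd->deleted()`, yet `end` is fetched from the same coincidence record one line earlier and is used in the same `while (test != end || oTest != oEnd)` condition with no equivalent check. Whether `end` (or `start` / `oStart`) can also be deleted by this point is not visible in the hunk, but the description says the root cause is not yet understood. A symmetric guard would therefore be the safer stopgap: `if (end->deleted() || oEnd->deleted()) { return false; }`. The check would also benefit from a comment such as `// FIXME(558281): span was deleted earlier in coincidence handling; abort rather than walk a stale range`, so the early return is not mistaken for a normal exit. The enclosing function starts and ends outside the hunk, so it cannot be confirmed here that every caller propagates the `false` up to Simplify().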
diff --git a/tests/PathOpsSimplifyTest.cpp b/tests/PathOpsSimplifyTest.cpp
index 6221182..a4a33eb 100644
--- a/tests/PathOpsSimplifyTest.cpp
+++ b/tests/PathOpsSimplifyTest.cpp
@@ -5024,11 +5024,43 @@
     testSimplify(reporter, path, filename);
 }
 
+static void fuzz_twister2(skiatest::Reporter* reporter, const char* filename) {
+    SkPath path;
+
+path.moveTo(SkBits2Float(0x00000000), SkBits2Float(0x44160000));  // 0, 600
+path.lineTo(SkBits2Float(0x4bfffffe), SkBits2Float(0x44160000));  // 3.35544e+07f, 600
+path.lineTo(SkBits2Float(0x4bfffffe), SkBits2Float(0x00000000));  // 3.35544e+07f, 0
+path.lineTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000));  // 0, 0
+path.lineTo(SkBits2Float(0x00000000), SkBits2Float(0x44160000));  // 0, 600
+path.close();
+
+path.moveTo(SkBits2Float(0x427c0000), SkBits2Float(0x00000000));  // 63, 0
+path.lineTo(SkBits2Float(0x4c00000f), SkBits2Float(0x00000000));  // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x4c00000f), SkBits2Float(0x00000000));  // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x427c0000), SkBits2Float(0x00000000));  // 63, 0
+path.close();
+
+path.moveTo(SkBits2Float(0x42ba0000), SkBits2Float(0x00000000));  // 93, 0
+path.lineTo(SkBits2Float(0x4c000016), SkBits2Float(0x00000000));  // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x4c000016), SkBits2Float(0x00000000));  // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x42ba0000), SkBits2Float(0x00000000));  // 93, 0
+path.close();
+
+path.moveTo(SkBits2Float(0x42f60000), SkBits2Float(0x00000000));  // 123, 0
+path.lineTo(SkBits2Float(0x4c00001e), SkBits2Float(0x00000000));  // 3.35546e+07f, 0
+path.lineTo(SkBits2Float(0x4c00001e), SkBits2Float(0x00000000));  // 3.35546e+07f, 0
+path.lineTo(SkBits2Float(0x42f60000), SkBits2Float(0x00000000));  // 123, 0
+path.close();
+
+    REPORTER_ASSERT(reporter, !Simplify(path, &path));
+}
+
 static void (*skipTest)(skiatest::Reporter* , const char* filename) = 0;
 static void (*firstTest)(skiatest::Reporter* , const char* filename) = 0;
 static void (*stopTest)(skiatest::Reporter* , const char* filename) = 0;
 
 static TestDesc tests[] = {
+    TEST(fuzz_twister2),
     TEST(fuzz_twister),
     TEST(fuzz994s_3414),
     TEST(fuzz994s_11),
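Review bot: `fuzz_twister2` asserts `!Simplify(path, &path)`, which pins the interim abort as the expected result, and nothing in the test says so. Once the underlying coincidence bug is properly fixed this assertion will fail and could look like a regression. A comment above the assert would make the intent explicit, for example `// crbug 558281: Simplify currently aborts on this input; revisit when the deleted-span reference is fixed`. As a style point, the `path.moveTo` / `path.lineTo` / `path.close` lines sit at column 0 while the rest of the function body is indented four spaces; indenting them to match would keep the generated fuzz data readable as part of the function.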