From: caryclark
Date: Wed, 20 Aug 2014 15:11:24 +0000 (-0700)
Subject: copy points in array that may stretch
X-Git-Tag: accepted/tizen/5.0/unified/20181102.025319~6227
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=bdbb2422b9f20372597367a032d822b4297eab41;p=platform%2Fupstream%2FlibSkiaSharp.git
copy points in array that may stretch Description: Potential SkOpSegment::addT() use-after-free The 'pt' arg can be a reference to a point stored in the local fTs TDArray => appending may cause a realloc and leave the reference pointing to deallocated mem. Copy the points from the stretchy array before adding them. R=fmalita@google.com, fmalita@chromium.org, fmalita BUG=405417 Author: caryclark@google.com Review URL: https://codereview.chromium.org/489853002
---
diff --git a/src/pathops/SkOpSegment.cpp b/src/pathops/SkOpSegment.cpp
index 747cd9d..f929455 100644
--- a/src/pathops/SkOpSegment.cpp
+++ b/src/pathops/SkOpSegment.cpp
@@ -251,8 +251,8 @@ void SkOpSegment::addCancelOutsides(const SkPoint& startPt, const SkPoint& endPt
 fTs[tIndexStart].fT, xyAtT(tIndexStart).fX, xyAtT(tIndexStart).fY);
 #endif
- addTPair(fTs[tIndexStart].fT, other, other->fTs[oIndex].fT, false,
- fTs[tIndexStart].fPt);
+ SkPoint copy = fTs[tIndexStart].fPt; // add t pair may move the point array
+ addTPair(fTs[tIndexStart].fT, other, other->fTs[oIndex].fT, false, copy);
 }
 if (nextT < 1 && fTs[tIndex].fWindValue) {
 #if DEBUG_CONCIDENT
@@ -261,7 +261,8 @@ void SkOpSegment::addCancelOutsides(const SkPoint& startPt, const SkPoint& endPt
 fTs[tIndex].fT, xyAtT(tIndex).fX, xyAtT(tIndex).fY);
 #endif
- addTPair(fTs[tIndex].fT, other, other->fTs[oIndexStart].fT, false, fTs[tIndex].fPt);
+ SkPoint copy = fTs[tIndex].fPt; // add t pair may move the point array
+ addTPair(fTs[tIndex].fT, other, other->fTs[oIndexStart].fT, false, copy);
 }
 } else {
 SkASSERT(!other->fTs[oIndexStart].fWindValue);
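Review bot: Copying `fPt` at these two call sites removes the dangling reference here, but the root cause — `addTPair`/`addT` taking `pt` by const reference while appending to the same `fTs` array — is left in place, so any other caller that passes `fTs[i].fPt` (or `other->fTs[j].fPt`, since `addTPair` presumably appends to both segments) has the same use-after-free; the `addTPair` signature is outside the hunk, so this is inferred from the description. A more durable fix is to change the `pt` parameter of `addTPair` and `addT` to take `SkPoint` by value (two floats, no cost) so the callee holds its own copy before any append, and to note on the declaration that it may reallocate `fTs` and invalidates every reference or pointer into it. The same caveat applies to the first argument if the t values are also taken by reference rather than by `double`. The inline comment would be clearer as `// addTPair may append to fTs and reallocate it; pt must not alias an element`, and a regression case that fills `fTs` to capacity before this path under ASan would pin the fix. The enclosing `addCancelOutsides` body begins before the first hunk and continues after the second.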