From bdbb2422b9f20372597367a032d822b4297eab41 Mon Sep 17 00:00:00 2001
From: caryclark
Date: Wed, 20 Aug 2014 08:11:24 -0700
Subject: [PATCH] copy points in array that may stretch

Description: Potential SkOpSegment::addT() use-after-free The 'pt' arg can be a reference to a point stored in the local fTs TDArray => appending may cause a realloc and leave the reference pointing to deallocated mem. Copy the points from the stretchy array before adding them.

R=fmalita@google.com, fmalita@chromium.org, fmalita
BUG=405417

Author: caryclark@google.com

Review URL: https://codereview.chromium.org/489853002
---
 src/pathops/SkOpSegment.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/pathops/SkOpSegment.cpp b/src/pathops/SkOpSegment.cpp
index 747cd9d..f929455 100644
--- a/src/pathops/SkOpSegment.cpp
+++ b/src/pathops/SkOpSegment.cpp
@@ -251,8 +251,8 @@ void SkOpSegment::addCancelOutsides(const SkPoint& startPt, const SkPoint& endPt
 fTs[tIndexStart].fT, xyAtT(tIndexStart).fX, xyAtT(tIndexStart).fY);
 #endif
- addTPair(fTs[tIndexStart].fT, other, other->fTs[oIndex].fT, false,
- fTs[tIndexStart].fPt);
+ SkPoint copy = fTs[tIndexStart].fPt; // add t pair may move the point array
+ addTPair(fTs[tIndexStart].fT, other, other->fTs[oIndex].fT, false, copy);
 }
 if (nextT < 1 && fTs[tIndex].fWindValue) {
 #if DEBUG_CONCIDENT
@@ -261,7 +261,8 @@ void SkOpSegment::addCancelOutsides(const SkPoint& startPt, const SkPoint& endPt
 fTs[tIndex].fT, xyAtT(tIndex).fX, xyAtT(tIndex).fY);
 #endif
- addTPair(fTs[tIndex].fT, other, other->fTs[oIndexStart].fT, false, fTs[tIndex].fPt);
+ SkPoint copy = fTs[tIndex].fPt; // add t pair may move the point array
+ addTPair(fTs[tIndex].fT, other, other->fTs[oIndexStart].fT, false, copy);
 }
 } else {
 SkASSERT(!other->fTs[oIndexStart].fWindValue);
-- 
2.7.4
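Review bot: Copying `fTs[tIndexStart].fPt` into a local before the `addTPair(...)` call in the `-251,8` hunk (and likewise `fTs[tIndex].fPt` in the `-261,7` hunk) closes the dangling reference only at these two call sites, whereas the commit message places the root cause in the `pt` reference parameter of `addT()`; any other caller that still hands an element of `fTs` through `addTPair`/`addT` is, as far as I can tell from here, exposed to the same reallocation, so the structural fix is to take `SkPoint pt` by value on `addTPair`/`addT` (or copy it at `addT`'s entry before anything is appended) rather than rely on every caller remembering to copy. Whichever is chosen, the added comment should name the invariant being protected rather than paraphrase the call, e.g. `// copy: addTPair may append to fTs and reallocate, invalidating references into it`, and the temporary can be `const SkPoint copy = ...;` since it is never modified. `fTs[tIndexStart].fT` is also read from the array in the same call, but if `addTPair` takes its `double` parameters by value that read completes before the append and is not affected; worth confirming against the declaration, which is outside this hunk. The enclosing `addCancelOutsides` begins and ends outside both hunks.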