core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp - Issue 384593002: Fix uninitialized coords in _DrawCoonPatchMeshes

Side by Side Diff: core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp

Issue 384593002: Fix uninitialized coords in _DrawCoonPatchMeshes (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master

Patch Set: Created 6 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2014 PDFium Authors. All rights reserved.	1 // Copyright 2014 PDFium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com	5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com

6	6

7 #include "../../../include/fpdfapi/fpdf_render.h"	7 #include "../../../include/fpdfapi/fpdf_render.h"

8 #include "../../../include/fpdfapi/fpdf_pageobj.h"	8 #include "../../../include/fpdfapi/fpdf_pageobj.h"

9 #include "../../../include/fxge/fx_ge.h"	9 #include "../../../include/fxge/fx_ge.h"

10 #include "../fpdf_page/pageint.h"	10 #include "../fpdf_page/pageint.h"

(...skipping 670 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
681 patch.alpha = alpha;	681 patch.alpha = alpha;

682 patch.pDevice = &device;	682 patch.pDevice = &device;

683 patch.fill_mode = fill_mode;	683 patch.fill_mode = fill_mode;

684 patch.path.SetPointCount(13);	684 patch.path.SetPointCount(13);

685 FX_PATHPOINT* pPoints = patch.path.GetPoints();	685 FX_PATHPOINT* pPoints = patch.path.GetPoints();

686 pPoints[0].m_Flag = FXPT_MOVETO;	686 pPoints[0].m_Flag = FXPT_MOVETO;

687 for (int i = 1; i < 13; i ++) {	687 for (int i = 1; i < 13; i ++) {

688 pPoints[i].m_Flag = FXPT_BEZIERTO;	688 pPoints[i].m_Flag = FXPT_BEZIERTO;

689 }	689 }

690 CFX_FloatPoint coords[16];	690 CFX_FloatPoint coords[16];

	691 for (int i = 0; i < 16; i ++)
	palmer 2014/07/10 23:11:01 This is fine. But a more elegant solution is to d This is fine. But a more elegant solution is to declare that the default constructor of \|CFX_FloatPoint\| sets its member fields to 0 (or whatever). The default constructor will be called for each element of the array. jun_fang 2014/07/15 01:13:41 CFX_FloatPoint is created by CFX_PSVTTemplate<FX_F Show quoted text On 2014/07/10 23:11:01, Chromium Palmer wrote: > This is fine. > > But a more elegant solution is to declare that the default constructor of > \|CFX_FloatPoint\| sets its member fields to 0 (or whatever). The default > constructor will be called for each element of the array. CFX_FloatPoint is created by CFX_PSVTTemplate<FX_FLOAT>. This template supports couple types. palmer 2014/07/15 01:49:17 Yes. I am saying, you could give that template a d Show quoted text > CFX_FloatPoint is created by CFX_PSVTTemplate<FX_FLOAT>. This template supports > couple types. Yes. I am saying, you could give that template a default constructor. Currently it does not have one. jun_fang 2014/07/15 03:56:17 :-). I know. I tried to add a default constructor. Show quoted text On 2014/07/15 01:49:17, Chromium Palmer wrote: > > CFX_FloatPoint is created by CFX_PSVTTemplate<FX_FLOAT>. This template > supports > > couple types. > > Yes. I am saying, you could give that template a default constructor. Currently > it does not have one. :-). I know. I tried to add a default constructor. However there is a minor issue that we may use 0 to initialize a float/double variable because we don't know which type will be created. We can only use one type to initialize. Ryan Sleevi 2014/07/15 23:59:00 Just happened to see this CL go by. The nice thing Show quoted text On 2014/07/15 03:56:17, jun_fang wrote: > On 2014/07/15 01:49:17, Chromium Palmer wrote: > > > CFX_FloatPoint is created by CFX_PSVTTemplate<FX_FLOAT>. This template > > supports > > > couple types. > > > > Yes. I am saying, you could give that template a default constructor. > Currently > > it does not have one. > > :-). I know. I tried to add a default constructor. However there is a minor > issue that we may use 0 to initialize a float/double variable because we don't > know which type will be created. We can only use one type to initialize. Just happened to see this CL go by. The nice thing with templates is you can use the "typename T" and T() (default initializer) to zero-initialize numeric types. In C++ language, this is known as the "Default Constructible" requirement (20.1.5 of C++03), which defines the requirement that T() must be a well-formed expression. Among the STL, you have many types require default-constructible; among them, vectors and maps (which also zero-initialize). This behaviour (for primitives) is defined in Section 8.5 of C++03. In particular, the language of 8.5 subclause 5 and 7. That is, the initializer for all scalar types (which are a subset of the object types clause) have a default initializer (), which is a value-initializer (subclause 7). The default value-initializer for a scalar type is to zero-initialize (subclause 5). It's an extremely portable way to zero-initialize all types T, where T may be a scalar type. You're guaranteed that the CFX_FloatPoint constructor (really, CFX_PSVVTTemplate<FX_FLOAT> constructor) will be run for every member in the array (subclause 5 dictates that array types have every member value-initialized), ergo if your constructor value-initialized the coords using T() [Or, in the case of CFX_PSVTemplate, "baseType()"], this would be entirely unnecessary. To express this in an initializer list, you could do CFX_PSVTemplate::CFX_PSVTemplate() : x(), y() {} which would appropriately value-initialize (ergo zero-initialize)
	692 {

	693 coords[i].Set(0.0f, 0.0f);

	694 }

	695

691 int point_count = bTensor ? 16 : 12;	696 int point_count = bTensor ? 16 : 12;

692 while (!stream.m_BitStream.IsEOF()) {	697 while (!stream.m_BitStream.IsEOF()) {

693 FX_DWORD flag = stream.GetFlag();	698 FX_DWORD flag = stream.GetFlag();
	palmer 2014/07/10 23:11:01 Because this value is untrustworthy (comes from th Because this value is untrustworthy (comes from the PDF itself, right?) and is unchecked, ... jun_fang 2014/07/15 01:13:41 The value from GetFlag() is limited to 0 to 3. The Show quoted text On 2014/07/10 23:11:01, Chromium Palmer wrote: > Because this value is untrustworthy (comes from the PDF itself, right?) and is > unchecked, ... The value from GetFlag() is limited to 0 to 3. The definition of GetFlag is shown as below: FX_DWORD CPDF_MeshStream::GetFlag() { return m_BitStream.GetBits(m_nFlagBits) & 0x03; } palmer 2014/07/15 01:49:17 Acknowledged. Show quoted text On 2014/07/15 01:13:41, jun_fang wrote: > On 2014/07/10 23:11:01, Chromium Palmer wrote: > > Because this value is untrustworthy (comes from the PDF itself, right?) and is > > unchecked, ... > > The value from GetFlag() is limited to 0 to 3. The definition of GetFlag is > shown as below: > > FX_DWORD CPDF_MeshStream::GetFlag() > { > return m_BitStream.GetBits(m_nFlagBits) & 0x03; > } Acknowledged.
694 int iStartPoint = 0, iStartColor = 0, i;	699 int iStartPoint = 0, iStartColor = 0, i;

695 if (flag) {	700 if (flag) {

696 iStartPoint = 4;	701 iStartPoint = 4;

697 iStartColor = 2;	702 iStartColor = 2;

698 CFX_FloatPoint tempCoords[4];	703 CFX_FloatPoint tempCoords[4];

699 for (int i = 0; i < 4; i ++) {	704 for (int i = 0; i < 4; i ++) {

700 tempCoords[i] = coords[(flag * 3 + i) % 12];	705 tempCoords[i] = coords[(flag * 3 + i) % 12];

701 }	706 }

702 FXSYS_memcpy32(coords, tempCoords, sizeof(CFX_FloatPoint) * 4);	707 FXSYS_memcpy32(coords, tempCoords, sizeof(CFX_FloatPoint) * 4);

703 Coon_Color tempColors[2];	708 Coon_Color tempColors[2];

704 tempColors[0] = patch.patch_colors[flag];	709 tempColors[0] = patch.patch_colors[flag];
	palmer 2014/07/10 23:11:01 ... this could be an out-of-bounds read, I think. ... this could be an out-of-bounds read, I think. jun_fang 2014/07/15 01:13:41 flag should be 0 to 3 as explained before. So it's Show quoted text On 2014/07/10 23:11:01, Chromium Palmer wrote: > ... this could be an out-of-bounds read, I think. flag should be 0 to 3 as explained before. So it's safe. palmer 2014/07/15 01:49:17 Acknowledged. Show quoted text On 2014/07/15 01:13:41, jun_fang wrote: > On 2014/07/10 23:11:01, Chromium Palmer wrote: > > ... this could be an out-of-bounds read, I think. > > flag should be 0 to 3 as explained before. So it's safe. Acknowledged.
705 tempColors[1] = patch.patch_colors[(flag + 1) % 4];	710 tempColors[1] = patch.patch_colors[(flag + 1) % 4];

706 FXSYS_memcpy32(patch.patch_colors, tempColors, sizeof(Coon_Color) * 2);	711 FXSYS_memcpy32(patch.patch_colors, tempColors, sizeof(Coon_Color) * 2);

707 }	712 }

708 for (i = iStartPoint; i < point_count; i ++) {	713 for (i = iStartPoint; i < point_count; i ++) {

709 stream.GetCoords(coords[i].x, coords[i].y);	714 stream.GetCoords(coords[i].x, coords[i].y);

710 pObject2Bitmap->Transform(coords[i].x, coords[i].y);	715 pObject2Bitmap->Transform(coords[i].x, coords[i].y);

711 }	716 }

712 for (i = iStartColor; i < 4; i ++) {	717 for (i = iStartColor; i < 4; i ++) {

713 FX_FLOAT r=0.0f, g=0.0f, b=0.0f;	718 FX_FLOAT r=0.0f, g=0.0f, b=0.0f;

714 stream.GetColor(r, g, b);	719 stream.GetColor(r, g, b);

(...skipping 369 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1084 bStroke = FALSE;	1089 bStroke = FALSE;

1085 bPattern = TRUE;	1090 bPattern = TRUE;

1086 }	1091 }

1087 }	1092 }

1088 #ifdef _FPDFAPI_MINI_	1093 #ifdef _FPDFAPI_MINI_

1089 if (bPattern && m_DitherBits) {	1094 if (bPattern && m_DitherBits) {

1090 DitherObjectArea(pPathObj, pObj2Device);	1095 DitherObjectArea(pPathObj, pObj2Device);

1091 }	1096 }

1092 #endif	1097 #endif

1093 }	1098 }

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »