author | caryclark <caryclark@google.com> | 2015-11-20 14:06:28 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-11-20 14:06:28 -0800 |
commit | 1c9ce610501b7b864617356aeda12cd0caebe066 (patch) | |
tree | fd8a8c6ea250a247a92fd021fcaad9a8164e53ff | |
parent | 73ee6770260dbeeabc4a78eee4f13533f0031211 (diff) |
fix pathops coincidence fuzz bug
Simplifying a series of rects with very large bounds
triggers a coincidence bug where, after one of the
intersection points that marks a coincident range
has been deleted, it is referenced.
Both the deletion and the reference are (probably) happening
in the SkOpCoincidence::AddExpanded() phase of
HandleCoincidence(), and may signify a bug that could
happen with usable input data, but I haven't been
able to determine that.
For now, abort the Simplify() when the erroneous
condition is detected.
TBR=reed@google.com
BUG=558281
Review URL: https://codereview.chromium.org/1463923002
-rwxr-xr-x | src/pathops/SkOpCoincidence.cpp | 3 | ||||
-rw-r--r-- | tests/PathOpsSimplifyTest.cpp | 32 |
2 files changed, 35 insertions, 0 deletions
diff --git a/src/pathops/SkOpCoincidence.cpp b/src/pathops/SkOpCoincidence.cpp
index 0d808db454..87bb913869 100755
--- a/src/pathops/SkOpCoincidence.cpp
+++ b/src/pathops/SkOpCoincidence.cpp
@@ -85,6 +85,9 @@ bool SkOpCoincidence::addExpanded(SkChunkAlloc* allocator
 SkOpSpanBase* oStart = oStartPtT->span();
 const SkOpSpanBase* end = coin->fCoinPtTEnd->span();
 const SkOpSpanBase* oEnd = coin->fOppPtTEnd->span();
+ if (oEnd->deleted()) {
+ return false;
+ }
 SkOpSpanBase* test = start->upCast()->next();
 SkOpSpanBase* oTest = coin->fFlipped ? oStart->prev() : oStart->upCast()->next();
 while (test != end || oTest != oEnd) {
diff --git a/tests/PathOpsSimplifyTest.cpp b/tests/PathOpsSimplifyTest.cpp
index 622118248d..a4a33eb68c 100644
--- a/tests/PathOpsSimplifyTest.cpp
+++ b/tests/PathOpsSimplifyTest.cpp
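Review bot: The new guard in addExpanded() tests only `oEnd->deleted()`, yet the statements right after it also dereference `start`, `oStart` and `end`, and the commit message says it is not yet known where the deletion happens. If any of those three can also arrive here already deleted (not visible from this hunk, and assuming they are span pointers like `oEnd`), the walk over a stale span is still reachable; consider `if (start->deleted() || oStart->deleted() || end->deleted() || oEnd->deleted()) {`. A comment above the check would help the next reader, for example `// crbug 558281: a coincident endpoint was deleted earlier; abort instead of walking a stale span`. The function body and its callers lie outside the hunk, so it is worth confirming that every caller treats the `false` return as a failed Simplify() rather than continuing with the partially processed coincidence list.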
@@ -5024,11 +5024,43 @@ path.close();
 testSimplify(reporter, path, filename);
 }
+static void fuzz_twister2(skiatest::Reporter* reporter, const char* filename) {
+ SkPath path;
+
+path.moveTo(SkBits2Float(0x00000000), SkBits2Float(0x44160000)); // 0, 600
+path.lineTo(SkBits2Float(0x4bfffffe), SkBits2Float(0x44160000)); // 3.35544e+07f, 600
+path.lineTo(SkBits2Float(0x4bfffffe), SkBits2Float(0x00000000)); // 3.35544e+07f, 0
+path.lineTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000)); // 0, 0
+path.lineTo(SkBits2Float(0x00000000), SkBits2Float(0x44160000)); // 0, 600
+path.close();
+
+path.moveTo(SkBits2Float(0x427c0000), SkBits2Float(0x00000000)); // 63, 0
+path.lineTo(SkBits2Float(0x4c00000f), SkBits2Float(0x00000000)); // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x4c00000f), SkBits2Float(0x00000000)); // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x427c0000), SkBits2Float(0x00000000)); // 63, 0
+path.close();
+
+path.moveTo(SkBits2Float(0x42ba0000), SkBits2Float(0x00000000)); // 93, 0
+path.lineTo(SkBits2Float(0x4c000016), SkBits2Float(0x00000000)); // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x4c000016), SkBits2Float(0x00000000)); // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x42ba0000), SkBits2Float(0x00000000)); // 93, 0
+path.close();
+
+path.moveTo(SkBits2Float(0x42f60000), SkBits2Float(0x00000000)); // 123, 0
+path.lineTo(SkBits2Float(0x4c00001e), SkBits2Float(0x00000000)); // 3.35546e+07f, 0
+path.lineTo(SkBits2Float(0x4c00001e), SkBits2Float(0x00000000)); // 3.35546e+07f, 0
+path.lineTo(SkBits2Float(0x42f60000), SkBits2Float(0x00000000)); // 123, 0
+path.close();
+
+ REPORTER_ASSERT(reporter, !Simplify(path, &path));
+}
+
 static void (*skipTest)(skiatest::Reporter* , const char* filename) = 0;
 static void (*firstTest)(skiatest::Reporter* , const char* filename) = 0;
 static void (*stopTest)(skiatest::Reporter* , const char* filename) = 0;
 static TestDesc tests[] = {
+ TEST(fuzz_twister2),
 TEST(fuzz_twister),
 TEST(fuzz994s_3414),
 TEST(fuzz994s_11), |
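Review bot: fuzz_twister2 asserts `!Simplify(path, &path)`, which pins the abort added for bug 558281 as the expected outcome even though the commit message leaves open that the underlying coincidence bug affects usable input. A comment above the assertion should record that this is a stopgap, for example `// crbug 558281: Simplify() currently aborts on this input; switch to testSimplify() once addExpanded() is fixed`, so that a later root-cause fix is not read as a regression. The test also passes the same object as input and output and never checks what state `path` is left in after the failure, which is what a caller feeding untrusted paths would depend on. The `filename` parameter is unused in the new function.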