aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorGravatar caryclark <caryclark@google.com>2015-11-20 14:06:28 -0800
committerGravatar Commit bot <commit-bot@chromium.org>2015-11-20 14:06:28 -0800
commit1c9ce610501b7b864617356aeda12cd0caebe066 (patch)
treefd8a8c6ea250a247a92fd021fcaad9a8164e53ff
parent73ee6770260dbeeabc4a78eee4f13533f0031211 (diff)
fix pathops coincidence fuzz bug
Simplifying a series of rects with very large bounds triggers a coincidence bug where, after one of the intersection points that marks a coincident range has been deleted, it is referenced. Both the deletion and reference is (probably) happening in the SkOpCoincidence::AddExpanded() phase of HandleCoincidence(), and may signify a bug that could happen with usable input data, but I haven't been able to determine that. For now, abort the Simplify() when the erroneous condition is detected. TBR=reed@google.com BUG=558281 Review URL: https://codereview.chromium.org/1463923002
-rwxr-xr-xsrc/pathops/SkOpCoincidence.cpp3
-rw-r--r--tests/PathOpsSimplifyTest.cpp32
2 files changed, 35 insertions, 0 deletions
diff --git a/src/pathops/SkOpCoincidence.cpp b/src/pathops/SkOpCoincidence.cpp
index 0d808db454..87bb913869 100755
--- a/src/pathops/SkOpCoincidence.cpp
+++ b/src/pathops/SkOpCoincidence.cpp
@@ -85,6 +85,9 @@ bool SkOpCoincidence::addExpanded(SkChunkAlloc* allocator
SkOpSpanBase* oStart = oStartPtT->span();
const SkOpSpanBase* end = coin->fCoinPtTEnd->span();
const SkOpSpanBase* oEnd = coin->fOppPtTEnd->span();
+ if (oEnd->deleted()) {
+ return false;
+ }
SkOpSpanBase* test = start->upCast()->next();
SkOpSpanBase* oTest = coin->fFlipped ? oStart->prev() : oStart->upCast()->next();
while (test != end || oTest != oEnd) {
diff --git a/tests/PathOpsSimplifyTest.cpp b/tests/PathOpsSimplifyTest.cpp
index 622118248d..a4a33eb68c 100644
--- a/tests/PathOpsSimplifyTest.cpp
+++ b/tests/PathOpsSimplifyTest.cpp
@@ -5024,11 +5024,43 @@ path.close();
testSimplify(reporter, path, filename);
}
+static void fuzz_twister2(skiatest::Reporter* reporter, const char* filename) {
+ SkPath path;
+
+path.moveTo(SkBits2Float(0x00000000), SkBits2Float(0x44160000)); // 0, 600
+path.lineTo(SkBits2Float(0x4bfffffe), SkBits2Float(0x44160000)); // 3.35544e+07f, 600
+path.lineTo(SkBits2Float(0x4bfffffe), SkBits2Float(0x00000000)); // 3.35544e+07f, 0
+path.lineTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000)); // 0, 0
+path.lineTo(SkBits2Float(0x00000000), SkBits2Float(0x44160000)); // 0, 600
+path.close();
+
+path.moveTo(SkBits2Float(0x427c0000), SkBits2Float(0x00000000)); // 63, 0
+path.lineTo(SkBits2Float(0x4c00000f), SkBits2Float(0x00000000)); // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x4c00000f), SkBits2Float(0x00000000)); // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x427c0000), SkBits2Float(0x00000000)); // 63, 0
+path.close();
+
+path.moveTo(SkBits2Float(0x42ba0000), SkBits2Float(0x00000000)); // 93, 0
+path.lineTo(SkBits2Float(0x4c000016), SkBits2Float(0x00000000)); // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x4c000016), SkBits2Float(0x00000000)); // 3.35545e+07f, 0
+path.lineTo(SkBits2Float(0x42ba0000), SkBits2Float(0x00000000)); // 93, 0
+path.close();
+
+path.moveTo(SkBits2Float(0x42f60000), SkBits2Float(0x00000000)); // 123, 0
+path.lineTo(SkBits2Float(0x4c00001e), SkBits2Float(0x00000000)); // 3.35546e+07f, 0
+path.lineTo(SkBits2Float(0x4c00001e), SkBits2Float(0x00000000)); // 3.35546e+07f, 0
+path.lineTo(SkBits2Float(0x42f60000), SkBits2Float(0x00000000)); // 123, 0
+path.close();
+
+ REPORTER_ASSERT(reporter, !Simplify(path, &path));
+}
+
static void (*skipTest)(skiatest::Reporter* , const char* filename) = 0;
static void (*firstTest)(skiatest::Reporter* , const char* filename) = 0;
static void (*stopTest)(skiatest::Reporter* , const char* filename) = 0;
static TestDesc tests[] = {
+ TEST(fuzz_twister2),
TEST(fuzz_twister),
TEST(fuzz994s_3414),
TEST(fuzz994s_11),