authorGravatar caryclark <caryclark@google.com>2014-08-20 08:11:24 -0700
committerGravatar Commit bot <commit-bot@chromium.org>2014-08-20 08:11:24 -0700
commitbdbb2422b9f20372597367a032d822b4297eab41 (patch)
tree72eab028c60403283303f8fb2be3a58aab55c31c /src
parentc551d9fcae98ff7b9d56f315947e89a26632aeec (diff)
copy points in array that may stretch
Description: Potential SkOpSegment::addT() use-after-free The 'pt' arg can be a reference to a point stored in the local fTs TDArray => appending may cause a realloc and leave the reference pointing to deallocated mem. Copy the points from the stretchy array before adding them. R=fmalita@google.com, fmalita@chromium.org, fmalita BUG=405417 Author: caryclark@google.com Review URL: https://codereview.chromium.org/489853002
Diffstat (limited to 'src')
-rw-r--r--src/pathops/SkOpSegment.cpp7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/pathops/SkOpSegment.cpp b/src/pathops/SkOpSegment.cpp
index 747cd9d497..f929455e0f 100644
--- a/src/pathops/SkOpSegment.cpp
+++ b/src/pathops/SkOpSegment.cpp
@@ -251,8 +251,8 @@ void SkOpSegment::addCancelOutsides(const SkPoint& startPt, const SkPoint& endPt
fTs[tIndexStart].fT, xyAtT(tIndexStart).fX,
xyAtT(tIndexStart).fY);
#endif
- addTPair(fTs[tIndexStart].fT, other, other->fTs[oIndex].fT, false,
- fTs[tIndexStart].fPt);
+ SkPoint copy = fTs[tIndexStart].fPt; // add t pair may move the point array
+ addTPair(fTs[tIndexStart].fT, other, other->fTs[oIndex].fT, false, copy);
}
if (nextT < 1 && fTs[tIndex].fWindValue) {
#if DEBUG_CONCIDENT
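Review bot: The added `SkPoint copy = fTs[tIndexStart].fPt;` protects only this call site, and the second hunk's `SkPoint copy = fTs[tIndex].fPt;` has the same limit. Per the commit description, the hazard lives in the callee, which takes `pt` by reference and then appends to fTs. Any other caller that passes a reference into fTs would still read freed memory after a reallocation, so consider copying the point on entry to addTPair/addT, or taking it by value, so that a future call site cannot reintroduce the use-after-free. If the call-site fix is kept, make the copy `const` and state the invariant in the comment, e.g. `// addTPair may append to fTs and reallocate it, invalidating references into the array`. addCancelOutsides and the addTPair signature are outside both hunks, so it cannot be confirmed here that the `fTs[...].fT` arguments are passed by value; that is worth checking.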
@@ -261,7 +261,8 @@ void SkOpSegment::addCancelOutsides(const SkPoint& startPt, const SkPoint& endPt
fTs[tIndex].fT, xyAtT(tIndex).fX,
xyAtT(tIndex).fY);
#endif
- addTPair(fTs[tIndex].fT, other, other->fTs[oIndexStart].fT, false, fTs[tIndex].fPt);
+ SkPoint copy = fTs[tIndex].fPt; // add t pair may move the point array
+ addTPair(fTs[tIndex].fT, other, other->fTs[oIndexStart].fT, false, copy);
}
} else {
SkASSERT(!other->fTs[oIndexStart].fWindValue);