Clamp shading_steps index before use
Bug: 440028542
Change-Id: Id5732a6eaea7a9054d14ad921f58602c9825998f
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/135290
Commit-Queue: Nico Weber <thakis@chromium.org>
Auto-Submit: Nico Weber <thakis@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Nico Weber <thakis@google.com>
diff --git a/core/fpdfapi/render/cpdf_rendershading.cpp b/core/fpdfapi/render/cpdf_rendershading.cpp
index a524a10..bd70dd4 100644
--- a/core/fpdfapi/render/cpdf_rendershading.cpp
+++ b/core/fpdfapi/render/cpdf_rendershading.cpp
@@ -784,10 +784,19 @@
fill_options.aliased_path = true;
}
- FX_ARGB color = shading_steps ? (*shading_steps)[div_colors[0].comp[0]]
- : ArgbEncode(alpha, div_colors[0].comp[0],
- div_colors[0].comp[1],
- div_colors[0].comp[2]);
+ FX_ARGB color;
+ if (shading_steps) {
+ // Statically check that shading_steps->size() is > 0
+ // (which it is because it has size kShadingSteps).
+ // `shading_steps->size()` directly isn't constexpr.
+ static_assert(decltype(*shading_steps){}.size() > 0);
+ int index = std::clamp(div_colors[0].comp[0], 0,
+ static_cast<int>(shading_steps->size()) - 1);
+ color = (*shading_steps)[index];
+ } else {
+ color = ArgbEncode(alpha, div_colors[0].comp[0], div_colors[0].comp[1],
+ div_colors[0].comp[2]);
+ }
pDevice->DrawPath(path, nullptr, nullptr, color, 0, fill_options);
} else {
if (d_bottom < kCoonColorThreshold && d_top < kCoonColorThreshold) {
