Restore block in CStretchEnging::Calc().
This was removed as unreachable by the CL at
https://pdfium-review.googlesource.com/c/pdfium/+/82011
but the fuzzer found a way to actually reach this code.
-- Add test case for this condition.
Bug: pdfium:1236805
Change-Id: I6d07228f0f73e2dda484d200b82dbdf2a692e43c
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/83930
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
diff --git a/core/fxge/dib/cstretchengine.cpp b/core/fxge/dib/cstretchengine.cpp
index 59d7390..1ff69a2 100644
--- a/core/fxge/dib/cstretchengine.cpp
+++ b/core/fxge/dib/cstretchengine.cpp
@@ -128,6 +128,11 @@
int end_i = floor(std::max(src_start, src_end));
start_i = std::max(start_i, src_min);
end_i = std::min(end_i, src_max - 1);
+ if (start_i > end_i) {
+ start_i = std::min(start_i, src_max - 1);
+ pixel_weights.SetStartEnd(start_i, start_i, weight_count);
+ continue;
+ }
pixel_weights.SetStartEnd(start_i, end_i, weight_count);
uint32_t remaining = kFixedPointOne;
double rounding_error = 0.0;
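Review bot: The restored `if (start_i > end_i)` branch has no comment saying when it is taken, and it was already deleted once as unreachable, so the reason belongs next to the code, e.g. `// Reachable: clamping to [src_min, src_max - 1] can leave start_i > end_i (pdfium:1236805); do not remove.` Two things are worth confirming on this path, since the enclosing loop and `SetStartEnd` are outside the hunk. The `continue` skips the weight computation that follows, so this entry presumably relies on the table's initial contents. Also, `std::min(start_i, src_max - 1)` can land below `src_min` if the source range is ever empty; if that is possible, a guard for `src_max <= src_min` before the loop would keep the index in range.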
diff --git a/testing/resources/pixel/bug_1236805.in b/testing/resources/pixel/bug_1236805.in
new file mode 100644
index 0000000..564f048
--- /dev/null
+++ b/testing/resources/pixel/bug_1236805.in
@@ -0,0 +1,86 @@
+{{header}}
+{{object 1 0}} <<
+ /Type /Catalog
+ /Pages 2 0 R
+>>
+endobj
+{{object 2 0}} <<
+ /Type /Pages
+ /Count 1
+ /Kids [3 0 R]
+>>
+endobj
+{{object 3 0}} <<
+ /Type /Page
+ /Contents 6 0 R
+ /CropBox [0 0 612 792]
+ /MediaBox [0 0 612 792]
+ /Parent 2 0 R
+ /Resources 7 0 R
+>>
+endobj
+{{object 6 0}} <<
+ {{streamlen}}
+ >>
+stream
+BT
+/T4 1 Tf
+0.12 0 0 -0.12 99.84 684.1801 Tm
+0 g
+/GS1 gs
+0 Tc
+0 Tw
+()Tj
+ET
+endstream
+endobj
+{{object 7 0}} <<
+ /Font <<
+ /T4 11 0 R
+ >>
+ /ProcSet [/PDF /Text]
+>>
+endobj
+{{object 11 0}} <<
+ /Type /Font
+ /Subtype /Type3
+ /CharProcs 12 0 R
+ /Encoding 13 0 R
+ /FirstChar 0
+ /FontBBox [4 -19 53 56]
+ /FontMatrix [1 0.0112920878908041593329204334 0 -1 0 0]
+ /LastChar 4
+ /Name /T4
+ /Widths [60 38 38 38 21]
+>>
+endobj
+{{object 12 0}} <<
+ /CV 17 0 R
+>>
+endobj
+{{object 13 0}} <<
+ /Type /Encoding
+ /Differences [0 /A0 /CU /CV /D2 /CY]
+ >>
+endobj
+{{object 17 0}} <<
+ {{streamlen}}
+>>
+stream
+38 0 5 -19 32 56 d1
+q
+27 0 0 75 5.1 -19.1 cm
+BI
+/W 27
+/H 75
+/BPC 1
+/IM true
+ID
+EI
+Q
+endstream
+endobj
+{{xref}}
+{{trailer}}
+{{startxref}}
+%%EOF
diff --git a/testing/resources/pixel/bug_1236805_expected.pdf.0.png b/testing/resources/pixel/bug_1236805_expected.pdf.0.png
new file mode 100644
index 0000000..589822f
--- /dev/null
+++ b/testing/resources/pixel/bug_1236805_expected.pdf.0.png
Binary files differ