Fix a span CHECK() failure in RgbByteOrderTransferBitmap()
When https://pdfium.googlesource.com/pdfium/+/ae74575530 converted
RgbByteOrderTransferBitmap() to use spans, the span calculations can now
trigger a CHECK() failure after processing the last row. The span
position can go out of bounds because the span started with an offset.
Avoid this failure by not taking a subspan after processing the last
row. Add a new pixel test that covers this code path.
Bug: chromium:1430333
Change-Id: I1310130092b688d5d26be71baedce999b8848246
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/105856
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/core/fxge/agg/fx_agg_driver.cpp b/core/fxge/agg/fx_agg_driver.cpp
index bf066e0..19b46ff 100644
--- a/core/fxge/agg/fx_agg_driver.cpp
+++ b/core/fxge/agg/fx_agg_driver.cpp
@@ -192,7 +192,12 @@
*dest_scan++ = src_scan[0];
src_scan += 4;
}
- dest_span = dest_span.subspan(dest_pitch);
+ if (row < height - 1) {
+ // Since `dest_scan` was initialized in a way that takes `dest_x_offset`
+ // and `dest_y_offset` into account, it may go past the end of the span
+ // after processing the last row.
+ dest_span = dest_span.subspan(dest_pitch);
+ }
}
return;
}
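Review bot: The new comment above the guarded `dest_span.subspan(dest_pitch)` names `dest_scan`, but judging by the commit message the object that starts at an offset and can run past its end is `dest_span`, so the comment points the reader at the row pointer rather than the span whose CHECK() fired. I would reword it to `// dest_span starts at an offset (dest_x_offset, dest_y_offset), so advancing it by dest_pitch after the last row can step past the end of the buffer.` The function body starts and ends outside the hunk, so this cannot be confirmed here, but any other row loop in RgbByteOrderTransferBitmap() that advances `dest_span` the same way would presumably need the same `row < height - 1` guard. The stores in this loop (`*dest_scan++ = src_scan[0];`) appear to go through a raw pointer, so the span bounds check covers the row advance but not the per-pixel writes; a short comment stating which earlier clipping step bounds `dest_scan` within a row would help the next reader.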
diff --git a/testing/resources/pixel/bug_1430333.in b/testing/resources/pixel/bug_1430333.in
new file mode 100644
index 0000000..e715f8f
--- /dev/null
+++ b/testing/resources/pixel/bug_1430333.in
@@ -0,0 +1,44 @@
+{{header}}
+{{object 1 0}} <<
+ /Type /Catalog
+ /Pages 2 0 R
+>>
+endobj
+{{object 2 0}} <<
+ /Type /Pages
+ /Count 1
+ /Kids [3 0 R]
+>>
+endobj
+{{object 3 0}} <<
+ /Type /Page
+ /Parent 2 0 R
+ /Contents 4 0 R
+ /MediaBox [0 0 200 200]
+ /Resources <<
+ /ExtGState <<
+ /A3 <<
+ /Type /ExtGState
+ /CA 0.5
+ /ca 0.5
+ >>
+ >>
+ >>
+>>
+endobj
+{{object 4 0}} <<
+ {{streamlen}}
+>>
+stream
+q
+/A3 gs
+-100 10 m
+140 20 l
+b
+Q
+endstream
+endobj
+{{xref}}
+{{trailer}}
+{{startxref}}
+%%EOF
diff --git a/testing/resources/pixel/bug_1430333_expected.pdf.0.png b/testing/resources/pixel/bug_1430333_expected.pdf.0.png
new file mode 100644
index 0000000..b9fc3e9
--- /dev/null
+++ b/testing/resources/pixel/bug_1430333_expected.pdf.0.png
Binary files differ
diff --git a/testing/resources/pixel/bug_1430333_expected_skia.pdf.0.png b/testing/resources/pixel/bug_1430333_expected_skia.pdf.0.png
new file mode 100644
index 0000000..e6a1827
--- /dev/null
+++ b/testing/resources/pixel/bug_1430333_expected_skia.pdf.0.png
Binary files differ