Do more validation in CPDF_Annot quad point methods. CPDF_Annot::BoundingRectFromQuadPoints() and CPDF_Annot::RectFromQuadPoints() should handle out of bound indices gracefully, rather than hitting an ASSERT(). BUG=pdfium:1198 Change-Id: I548691dc4110ff509e94a9e961bd760fa10e505f Reviewed-on: https://pdfium-review.googlesource.com/c/46412 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>

commit: bf0fe01cec3af868ef83bb9a3ac981a9129eb020 [log] [tgz]
author: Lei Zhang <thestig@chromium.org> Tue Dec 04 18:52:00 2018 +0000
committer: Chromium commit bot <commit-bot@chromium.org> Tue Dec 04 18:52:00 2018 +0000
tree: 57f4d601cc122f18c7da59facff70a8bff5c48c9
parent: c0837abc22abe63c2773d16fcca5a51951bea1a2 [diff]
diff --git a/core/fpdfdoc/cpdf_annot.cpp b/core/fpdfdoc/cpdf_annot.cpp
index 39707b8..ee15879 100644
--- a/core/fpdfdoc/cpdf_annot.cpp
+++ b/core/fpdfdoc/cpdf_annot.cpp

@@ -234,11 +234,11 @@
     const CPDF_Dictionary* pAnnotDict) {
   CFX_FloatRect ret;
   const CPDF_Array* pArray = pAnnotDict->GetArrayFor("QuadPoints");
-  if (!pArray)
+  size_t nQuadPointCount = pArray ? QuadPointCount(pArray) : 0;
+  if (nQuadPointCount == 0)
     return ret;
 
   ret = RectFromQuadPointsArray(pArray, 0);
-  size_t nQuadPointCount = QuadPointCount(pArray);
   for (size_t i = 1; i < nQuadPointCount; ++i) {
     CFX_FloatRect rect = RectFromQuadPointsArray(pArray, i);
     ret.Union(rect);
@@ -250,7 +250,8 @@
 CFX_FloatRect CPDF_Annot::RectFromQuadPoints(const CPDF_Dictionary* pAnnotDict,
                                              size_t nIndex) {
   const CPDF_Array* pArray = pAnnotDict->GetArrayFor("QuadPoints");
-  if (!pArray)
+  size_t nQuadPointCount = pArray ? QuadPointCount(pArray) : 0;
+  if (nIndex >= nQuadPointCount)
     return CFX_FloatRect();
   return RectFromQuadPointsArray(pArray, nIndex);
 }

diff --git a/core/fpdfdoc/cpdf_annot_unittest.cpp b/core/fpdfdoc/cpdf_annot_unittest.cpp
index 287f034..40817f4 100644
--- a/core/fpdfdoc/cpdf_annot_unittest.cpp
+++ b/core/fpdfdoc/cpdf_annot_unittest.cpp

@@ -48,6 +48,13 @@
   EXPECT_EQ(0.0f, rect.right);
   EXPECT_EQ(0.0f, rect.top);
 
+  dict.SetFor("QuadPoints", CreateQuadPointArrayFromVector({0, 1, 2}));
+  rect = CPDF_Annot::BoundingRectFromQuadPoints(&dict);
+  EXPECT_EQ(0.0f, rect.left);
+  EXPECT_EQ(0.0f, rect.bottom);
+  EXPECT_EQ(0.0f, rect.right);
+  EXPECT_EQ(0.0f, rect.top);
+
   dict.SetFor("QuadPoints",
               CreateQuadPointArrayFromVector({0, 1, 2, 3, 4, 5, 6, 7}));
   rect = CPDF_Annot::BoundingRectFromQuadPoints(&dict);
@@ -86,6 +93,11 @@
   EXPECT_EQ(5.0f, rect.bottom);
   EXPECT_EQ(2.0f, rect.right);
   EXPECT_EQ(3.0f, rect.top);
+  rect = CPDF_Annot::RectFromQuadPoints(&dict, 5);
+  EXPECT_EQ(0.0f, rect.left);
+  EXPECT_EQ(0.0f, rect.bottom);
+  EXPECT_EQ(0.0f, rect.right);
+  EXPECT_EQ(0.0f, rect.top);
 
   dict.SetFor("QuadPoints", CreateQuadPointArrayFromVector(
                                 {0, 1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5,
commit	bf0fe01cec3af868ef83bb9a3ac981a9129eb020	[log] [tgz]
author	Lei Zhang <thestig@chromium.org>	Tue Dec 04 18:52:00 2018 +0000
committer	Chromium commit bot <commit-bot@chromium.org>	Tue Dec 04 18:52:00 2018 +0000
tree	57f4d601cc122f18c7da59facff70a8bff5c48c9
parent	c0837abc22abe63c2773d16fcca5a51951bea1a2 [diff]