From 09a8b2f19689b679b1268a3004ec5e3f37b9732a Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Sun, 1 Sep 2019 16:39:40 +0200
Subject: Correctly return zero vertices if clipping plane 0 or 2 clip away the entire polygon. This fixes a regression caused by the fix for CVE-2016-5252
---
 gfx/2d/Matrix.h | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/gfx/2d/Matrix.h b/gfx/2d/Matrix.h
index 22a01ca103..84c9a52803 100644
--- a/gfx/2d/Matrix.h
+++ b/gfx/2d/Matrix.h
@@ -734,7 +734,8 @@ public:
 // Initialize a double-buffered array of points in homogenous space with
 // the input rectangle, aRect.
 Point4DTyped points[2][kTransformAndClipRectMaxVerts];
- Point4DTyped* dstPoint = points[0];
+ Point4DTyped* dstPointStart = points[0];
+ Point4DTyped* dstPoint = dstPointStart;
 *dstPoint++ = TransformPoint(Point4DTyped(aRect.x, aRect.y, 0, 1));
 *dstPoint++ = TransformPoint(Point4DTyped(aRect.XMost(), aRect.y, 0, 1));
@@ -754,11 +755,11 @@ public:
 // points[1].
 for (int plane=0; plane < 4; plane++) {
 planeNormals[plane].Normalize();
- Point4DTyped* srcPoint = points[plane & 1];
+ Point4DTyped* srcPoint = dstPointStart;
 Point4DTyped* srcPointEnd = dstPoint;
- dstPoint = points[~plane & 1];
- Point4DTyped* dstPointStart = dstPoint;
+ dstPointStart = points[~plane & 1];
+ dstPoint = dstPointStart;
 Point4DTyped* prevPoint = srcPointEnd - 1;
 F prevDot = planeNormals[plane].DotProduct(*prevPoint);
@@ -787,10 +788,10 @@ public:
 }
 }
- size_t dstPointCount = 0;
- size_t srcPointCount = dstPoint - points[0];
- for (Point4DTyped* srcPoint = points[0]; srcPoint < points[0] + srcPointCount; srcPoint++) {
-
+ Point4DTyped* srcPoint = dstPointStart;
+ Point4DTyped* srcPointEnd = dstPoint;
+ size_t vertCount = 0;
+ while (srcPoint < srcPointEnd) {
 PointTyped p;
 if (srcPoint->w == 0.0) {
 // If a point lies on the intersection of the clipping planes at
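Review bot: In the hunk at `@@ -754,11 +755,11 @@`, `prevPoint = srcPointEnd - 1` is dereferenced by `DotProduct(*prevPoint)` on the following line, which is only valid while the source range from `dstPointStart` to `dstPoint` holds at least one point. Nothing in the hunk enforces that; the early exit that presumably stops an empty pass from reaching the next plane (and is presumably what the earlier CVE-2016-5252 fix added) sits outside the visible lines. I would make the precondition local with `if (srcPoint == srcPointEnd) { break; }` before the `prevPoint` line, or at least a comment there naming the check that guarantees a non-empty range. The loop body continues past the end of the hunk.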
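Review bot: The replacement loop setup in the hunk at `@@ -787,10 +788,10 @@`, `srcPoint = dstPointStart;` and `srcPointEnd = dstPoint;`, carries no comment explaining why the destination pointers are now the source, although that is the whole fix. A comment above the two lines would keep a later edit from reintroducing the hard-coded `points[0]`: `// [dstPointStart, dstPoint) is the output of the last clipping pass that ran; it is empty when a plane clipped every point away.` The names also repeat the `srcPoint`/`srcPointEnd` locals of the plane loop, so something like `outPoint`/`outPointEnd` would read more clearly. The loop body runs on into the next hunk.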
@@ -800,12 +801,13 @@ public:
 p = srcPoint->As2DPoint();
 }
 // Emit only unique points
- if (dstPointCount == 0 || p != aVerts[dstPointCount - 1]) {
- aVerts[dstPointCount++] = p;
+ if (vertCount == 0 || p != aVerts[vertCount - 1]) {
+ aVerts[vertCount++] = p;
 }
+ srcPoint++;
 }
- return dstPointCount;
+ return vertCount;
 }
 static const int kTransformAndClipRectMaxVerts = 32;
--
cgit v1.2.3
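Review bot: `aVerts[vertCount++] = p;` writes into the caller's buffer with no bound visible in this hunk; the count is limited only by how many points the last clipping pass produced. If that number is capped at `kTransformAndClipRectMaxVerts` (the cap would be in the clipping loop, outside the hunk), the contract should be stated where callers see it, unless the function's header comment already does so: `// aVerts must have room for kTransformAndClipRectMaxVerts points.` A regression test that clips a rectangle lying entirely behind plane 0 or plane 2 and expects a return value of 0 would pin this fix; the diffstat shows only `Matrix.h` changed, so none is part of the commit. The function starts before this hunk.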