From cd36bd9bf512815e3e167d2974ac3f74ea4d3646 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Sat, 29 May 2021 15:05:19 -0400
Subject: [PATCH] Merge pull request #3266 from Carbenium/fill-out-of-bounds

Image: Remove std::vector out-of-bounds access when filling polygons
---
 cmake/compiler/gcc/settings.cmake | 1 +
 src/zm_image.cpp | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/cmake/compiler/gcc/settings.cmake b/cmake/compiler/gcc/settings.cmake
index ce84dcc1a..2eb3baaed 100644
--- a/cmake/compiler/gcc/settings.cmake
+++ b/cmake/compiler/gcc/settings.cmake
@@ -19,6 +19,7 @@ endif()
 if(ASAN)
 target_compile_options(zm-compile-option-interface
 INTERFACE
+ -D_GLIBCXX_SANITIZE_VECTOR=1
 -fno-omit-frame-pointer
 -fsanitize=address
 -fsanitize-recover=address
diff --git a/src/zm_image.cpp b/src/zm_image.cpp
index 1acb49e03..60b1dcc02 100644
--- a/src/zm_image.cpp
+++ b/src/zm_image.cpp
@@ -2513,10 +2513,16 @@ void Image::Fill(Rgb colour, int density, const Polygon &polygon) {
 ++it;
 }
 }
+
+ // Not enough edges to perform the fill operation.
+ // Continue to next line.
+ if (active_edges.size() < 2) {
+ continue;
+ }
 std::sort(active_edges.begin(), active_edges.end(), PolygonFill::Edge::CompareX);
 if (!(scan_line % density)) {
- for (auto it = active_edges.begin(); it != active_edges.end(); ++it) {
+ for (auto it = active_edges.begin(); it < active_edges.end() - 1; ++it) {
 int32 lo_x = static_cast(it->min_x);
 int32 hi_x = static_cast(std::next(it)->min_x);
 if (colours == ZM_COLOUR_GRAY8) {
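Review bot: The added `-D_GLIBCXX_SANITIZE_VECTOR=1` has no comment, and it carries a constraint worth recording: libstdc++ expects this macro to have the same value in every translation unit that creates, destroys or modifies a `std::vector`. It is attached to the `zm-compile-option-interface` INTERFACE target, so any code built without linking that target would mix annotated and unannotated vector operations and can give misleading container-overflow reports under ASan. I would add `# libstdc++ vector annotations for ASan; must be identical in all TUs that touch std::vector` above the flag. The `if(ASAN)` block continues outside the hunk.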
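Review bot: The new loop bound `it < active_edges.end() - 1` is only well-defined because of the `active_edges.size() < 2` guard added a few lines above it; on an empty vector `end() - 1` is itself invalid, so the two additions have to stay in sync. The early `continue` also skips whatever follows the fill in the scan-line loop body, which ends outside this hunk. If that tail advances the x position of the active edges, a lone edge would miss one update, so that is worth confirming. A loop that carries its own bound, `for (auto it = active_edges.begin(); it != active_edges.end() && std::next(it) != active_edges.end(); ++it) {`, would make the `continue` unnecessary and keep the read of `std::next(it)->min_x` in range by construction.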