From 8efb11915fe1c3319a46fbc391c67991abbe275f Mon Sep 17 00:00:00 2001
From: David Capello <david@igarastudio.com>
Date: Thu, 2 Jan 2020 18:39:23 -0300
Subject: [PATCH] Fix usage of freed memory after check_flood_line() returns
true when 8-connectivity is used
---
src/doc/algorithm/floodfill.cpp | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/doc/algorithm/floodfill.cpp b/src/doc/algorithm/floodfill.cpp
index c3116e0f2..8d4ab89b7 100644
--- a/src/doc/algorithm/floodfill.cpp
+++ b/src/doc/algorithm/floodfill.cpp
@@ -393,7 +393,6 @@ void floodfill(const Image* image,
// For each line on the screen
for (int c=0; c<flood_count; c++) {
-
p = FLOOD_LINE(c);
// Check below the segment?
@@ -446,28 +445,35 @@ void floodfill(const Image* image,
check_flood_line(image, mask, p->y-1, p->lpos+1, p->rpos, bounds,
src_color, tolerance, data, proc)) {
done = false;
+ p = FLOOD_LINE(c);
}
+
if (p->lpos-1 >= 0 &&
check_flood_line(image, mask, p->y-1, p->lpos-1, p->rpos, bounds,
src_color, tolerance, data, proc)) {
done = false;
+ p = FLOOD_LINE(c);
}
if (p->rpos+1 < bounds.x2() &&
check_flood_line(image, mask, p->y-1, p->lpos, p->rpos+1, bounds,
src_color, tolerance, data, proc)) {
done = false;
+ p = FLOOD_LINE(c);
}
+
if (p->rpos-1 >= 0 &&
check_flood_line(image, mask, p->y-1, p->lpos, p->rpos-1, bounds,
src_color, tolerance, data, proc)) {
done = false;
+ p = FLOOD_LINE(c);
}
}
if (check_flood_line(image, mask, p->y-1, p->lpos, p->rpos, bounds,
src_color, tolerance, data, proc)) {
done = false;
+
// Special case shortcut for going backwards
if ((c > bounds.y) && (c < bounds.y2()))
c -= 2;