From 8efb11915fe1c3319a46fbc391c67991abbe275f Mon Sep 17 00:00:00 2001
From: David Capello
Date: Thu, 2 Jan 2020 18:39:23 -0300
Subject: [PATCH] Fix usage of freed memory after check_flood_line() returns true when 8-connectivity is used
---
src/doc/algorithm/floodfill.cpp | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/doc/algorithm/floodfill.cpp b/src/doc/algorithm/floodfill.cpp
index c3116e0f2..8d4ab89b7 100644
--- a/src/doc/algorithm/floodfill.cpp
+++ b/src/doc/algorithm/floodfill.cpp
@@ -393,7 +393,6 @@ void floodfill(const Image* image, // For each line on the screen for (int c=0; cy-1, p->lpos+1, p->rpos, bounds, src_color, tolerance, data, proc)) { done = false; + p = FLOOD_LINE(c); } + if (p->lpos-1 >= 0 && check_flood_line(image, mask, p->y-1, p->lpos-1, p->rpos, bounds, src_color, tolerance, data, proc)) { done = false; + p = FLOOD_LINE(c); } if (p->rpos+1 < bounds.x2() && check_flood_line(image, mask, p->y-1, p->lpos, p->rpos+1, bounds, src_color, tolerance, data, proc)) { done = false; + p = FLOOD_LINE(c); } + if (p->rpos-1 >= 0 && check_flood_line(image, mask, p->y-1, p->lpos, p->rpos-1, bounds, src_color, tolerance, data, proc)) { done = false; + p = FLOOD_LINE(c); } } if (check_flood_line(image, mask, p->y-1, p->lpos, p->rpos, bounds, src_color, tolerance, data, proc)) { done = false; + // Special case shortcut for going backwards if ((c > bounds.y) && (c < bounds.y2())) c -= 2;
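Review bot: The added `p = FLOOD_LINE(c);` re-fetches carry no comment saying why they are needed, and the last branch of this block (the unconditional `check_flood_line(image, mask, p->y-1, p->lpos, p->rpos, ...)` call followed by the `c -= 2` shortcut) still leaves `p` un-refreshed. Going by the commit subject, `check_flood_line()` can apparently free or move the storage that `p` points into, so a short comment at the first re-fetch, for example `// check_flood_line() may reallocate the flood-line buffer; re-read p before touching it again`, would keep a later cleanup from deleting these lines as redundant. The final branch is safe only if nothing reads `p` again before the next iteration reassigns it; the loop body continues outside the hunk, so that should be confirmed there or the same re-fetch added for uniformity. Because the pointer is refreshed only when the call returns true, it is also worth confirming that a false return can never follow a buffer growth, and exercising the 8-connected path under AddressSanitizer as a regression check.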