Message 1 of 2 (191 Views)

Memory Corruption in DWF Toolkit parsing Xaml

03-02-2010 06:05 PM

In file: XamlObjectFactory.cpp, I have a drawing that corrupts memory of the toolkit because of an index out of bounds issue.
At approx line : 534

If there is more than one graphics object in the iterator, the pPoints will be re-allocated, and memory will be lost, as on the second time through the loop, it is overridden at line (also nIndex can be possibly pointing to a larger size array (previous allocation) and now pPoints to a smaller size allocation):

pPoints = DWFCORE_ALLOC_MEMORY( WT_Logical_Point, nCount );

To fix it for now I re-allocated the size of the points, and used the nIndex as the final count. This is probably not the 100% correct way to do it, but it works for now without crashing it.

for( ; iter != pPath->data().geometry().figure().graphics().end(); iter++ )
{
    XamlGraphicsObject *pGraphicsObject = *iter;
    if ( pGraphicsObject->type() != XamlGraphicsObject::PolylineSegment )
    {
        // arcs and ellipses found here, discarding for now.
        //WD_Assert( false );
        //return WT_Result::Internal_Error;
        continue; // skip the object so it is never cast to a polyline segment
    }

    const XamlPolylineSegment *pSegment = static_cast< const XamlPolylineSegment* >( pGraphicsObject );
    nCount = pSegment->pointSet().count() + (pSegment->closed() ? 1 : 0);
    if( pPoints ) {
        // grow the buffer: points already written (nIndex) plus this segment (nCount)
        WT_Logical_Point *pExtendedPoints = DWFCORE_ALLOC_MEMORY( WT_Logical_Point, nCount + nIndex );
        if (pExtendedPoints == NULL)
            return WT_Result::Out_Of_Memory_Error;
        // sizes are in bytes, as in the copy below
        DWFCORE_ZERO_MEMORY( pExtendedPoints, (nCount + nIndex) * sizeof( WT_Logical_Point ) );
        DWFCORE_COPY_MEMORY( pExtendedPoints, pPoints, nIndex * sizeof( WT_Logical_Point ) );
        DWFCORE_FREE_MEMORY( pPoints ); // release the old buffer so it is not leaked
        pPoints = pExtendedPoints;
    } else {
        pPoints = DWFCORE_ALLOC_MEMORY( WT_Logical_Point, nCount );
    }
    if (pPoints == NULL)
        return WT_Result::Out_Of_Memory_Error;
    for ( int i=0; i< pSegment->pointSet().count(); i++ )
    {
        pPoints[nIndex].m_x = (WT_Integer32)floor( 0.5 + pSegment->pointSet().points()[i].m_x ); //round for fuzz or noise
        pPoints[nIndex++].m_y = (WT_Integer32)floor( 0.5 + pSegment->pointSet().points()[i].m_y ); //round for fuzz or noise
    }

    //Exactal Changes to fix crash!!!!! J.A
    if (pSegment->closed())
    {
        // add first point if figure is closed
        pPoints[nIndex].m_x = (WT_Integer32)floor( 0.5 + pSegment->pointSet().points()[0].m_x ); //round for fuzz or noise
        pPoints[nIndex++].m_y = (WT_Integer32)floor( 0.5 + pSegment->pointSet().points()[0].m_y ); //round for fuzz or noise
    }
}

if( nIndex ) {
    WT_Polygon* pPolygon = static_cast< WT_Polygon* >( pObject );
    pPolygon->set( nIndex, pPoints, WD_True );
    rFile.set_materialized( pPolygon );
}

I figured you guys know the whole code base much better, and will create a more appropriate fix than the above. Also note the file I have also contains an arc inside the iterator and the test above fails:

if ( pGraphicsObject->type() != XamlGraphicsObject::PolylineSegment )
{
    WD_Assert( false );
    return WT_Result::Internal_Error;
}


For now I have coded around these in the dwftoolkit and made it work for me, but of course this is a bug that will affect anyone that receives a drawing as such.

If there is anything more I can help with on this issue, please let me know.
The offending drawing is too large to attach, so if you need it please let me know how to get it to you.


Edited by: janderssen on Mar 3, 2010 2:58 AM

Edited by: janderssen on Mar 3, 2010 3:03 AM Edited by: janderssen on Mar 3, 2010 3:05 AM
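
Added example, not part of the original post or the toolkit's code: a stand-alone C++ sketch of the sizing problem described above, where the buffer is sized for one segment while the write index runs across all of them, next to a two-pass version that sizes the buffer before writing. `Point`, `LogicalPoint`, `Segment`, `roundCoord`, `lastPassCapacity`, `flatten` and `sampleFigure` are hypothetical names, and the sample figure is constructed.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <vector>

// Hypothetical stand-ins for the toolkit's point and segment types.
struct Point { double x, y; };
struct LogicalPoint { int32_t x, y; };
struct Segment { std::vector<Point> points; bool closed; };

// Same rounding as the post, but values that do not fit in 32 bits are rejected.
static int32_t roundCoord(double v) {
    const double r = std::floor(0.5 + v);
    if (!(r >= std::numeric_limits<int32_t>::min() &&
          r <= std::numeric_limits<int32_t>::max()))   // also catches NaN
        throw std::range_error("coordinate out of range");
    return static_cast<int32_t>(r);
}

// Points one segment contributes; an empty closed segment has no first point to repeat.
static size_t segmentCount(const Segment& s) {
    return s.points.size() + ((s.closed && !s.points.empty()) ? 1 : 0);
}
// Capacity the original loop is left with: the last segment's nCount only,
// while nIndex has kept counting across the earlier segments.
size_t lastPassCapacity(const std::vector<Segment>& segs) {
    return segs.empty() ? 0 : segs.back().points.size() + (segs.back().closed ? 1 : 0);
}

// Pass 1 sizes the buffer for all segments; pass 2 writes, so no write can exceed it.
std::vector<LogicalPoint> flatten(const std::vector<Segment>& segs) {
    size_t total = 0;
    for (const Segment& s : segs) total += segmentCount(s);
    std::vector<LogicalPoint> out;
    out.reserve(total);
    for (const Segment& s : segs) {
        for (const Point& p : s.points) out.push_back({roundCoord(p.x), roundCoord(p.y)});
        if (s.closed && !s.points.empty())
            out.push_back({roundCoord(s.points[0].x), roundCoord(s.points[0].y)});
    }
    return out;
}

// Constructed sample: a closed triangle followed by an open two-point segment.
std::vector<Segment> sampleFigure() {
    return { { { {0.4, 0.6}, {10.5, -0.5}, {3.0, 4.0} }, true },
             { { {7.2, 7.8}, {9.0, 9.0} }, false } };
}
```

For the sample figure the last-pass capacity is 2 points while 6 are written in total, which is the mismatch the post reports.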
Message 2 of 2 (191 Views)

Re: Memory Corruption in DWF Toolkit parsing Xaml

03-10-2010 02:49 AM in reply to: janderssen
Thank you for your help.

I am one of the developers of the toolkit. Could you please send the drawing to my email-box: jerry.gao@autodesk.com.

Thanks again.

