Memory Corruption in DWF Toolkit parsing Xaml

Message 1 of 2
janderssen
380 Views, 1 Reply


Hi,

In file: XamlObjectFactory.cpp, I have a drawing that corrupts memory of the toolkit because of an index out of bounds issue.
At approx line: 534

If there is more than one graphics object in the iterator, the pPoints will be re-allocated, and memory will be lost, as on the second time through the loop, it is overridden at line (also nIndex can be possibly pointing to a larger size array (previous allocation) and now pPoints to a smaller size allocation) :

pPoints = DWFCORE_ALLOC_MEMORY( WT_Logical_Point, nCount );


To fix it for now I re-allocated the size of the points, and used the nIndex as the final count, this is probably not the 100% correct way to do it, but it works for now without crashing it.

for( ; iter != pPath->data().geometry().figure().graphics().end(); iter++ )
{
    XamlGraphicsObject *pGraphicsObject = *iter;
    if ( pGraphicsObject->type() != XamlGraphicsObject::PolylineSegment )
    {
        // arcs and ellipses found here, discarding for now.
        //WD_Assert( false );
        //return WT_Result::Internal_Error;
        continue;
    }

    const XamlPolylineSegment *pSegment = static_cast< const XamlPolylineSegment* >( pGraphicsObject );
    nCount = pSegment->pointSet().count() + (pSegment->closed() ? 1 : 0);
    if( pPoints ) {
        // grow the buffer so the nIndex points stored by earlier segments survive this one
        WT_Logical_Point *pExtendedPoints = DWFCORE_ALLOC_MEMORY( WT_Logical_Point, nCount + nIndex );
        if (pExtendedPoints == NULL)
        {
            DWFCORE_FREE_MEMORY( pPoints );
            return WT_Result::Out_Of_Memory_Error;
        }
        // size argument is in bytes, same as DWFCORE_COPY_MEMORY below
        DWFCORE_ZERO_MEMORY( pExtendedPoints, (nCount + nIndex) * sizeof( WT_Logical_Point ) );
        DWFCORE_COPY_MEMORY( pExtendedPoints, pPoints, nIndex * sizeof( WT_Logical_Point ) );
        DWFCORE_FREE_MEMORY( pPoints );
        pPoints = pExtendedPoints;
    } else {
        pPoints = DWFCORE_ALLOC_MEMORY( WT_Logical_Point, nCount );
    }
    if (pPoints == NULL)
    {
        return WT_Result::Out_Of_Memory_Error;
    }
    for ( int i=0; i< pSegment->pointSet().count(); i++ )
    {
        pPoints[nIndex].m_x = (WT_Integer32)floor( 0.5 + pSegment->pointSet().points()[i].m_x ); //round for fuzz or noise
        pPoints[nIndex++].m_y = (WT_Integer32)floor( 0.5 + pSegment->pointSet().points()[i].m_y ); //round for fuzz or noise
    }

    //Exactal Changes to fix crash!!!!! J.A
    if (pSegment->closed())
    {
        // add first point if figure is closed
        pPoints[nIndex].m_x = (WT_Integer32)floor( 0.5 + pSegment->pointSet().points()[0].m_x ); //round for fuzz or noise
        pPoints[nIndex++].m_y = (WT_Integer32)floor( 0.5 + pSegment->pointSet().points()[0].m_y ); //round for fuzz or noise
    }
}

if( nIndex ) {
    // nIndex is the total number of points accumulated over all segments
    WT_Polygon* pPolygon = static_cast< WT_Polygon* >( pObject );
    pPolygon->set( nIndex, pPoints, WD_True );
    rFile.set_materialized( pPolygon );
    DWFCORE_FREE_MEMORY( pPoints );
}

I figured you guys know the whole code base much better, and will create a more appropriate fix than the above; also note the file I have also contains an arc inside the iterator and the test above fails :

if ( pGraphicsObject->type() != XamlGraphicsObject::PolylineSegment )
{
    WD_Assert( false );
    return WT_Result::Internal_Error;
}



For now I have coded around these in the dwftoolkit and made it work for me, but of course this is a bug that will affect anyone that receives a drawing as such.

If there is anything more I can help with on this issue, please let me know.
The offending drawing is too large to attach, so if you need it please let me know how to get it to you.

Cheers
Jason

Edited by: janderssen on Mar 3, 2010 2:58 AM
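An added example, not DWF Toolkit code and not from the post above: a stand-alone C++ model of the accumulation loop that computes the figure's total point count before allocating, so the per-segment allocation and the carried-over nIndex described in the post cannot write past the buffer. LogicalPoint, Pt, Segment, figureCapacity and flattenFigure are assumed stand-ins for the toolkit's types and macros.

```cpp
#include <cmath>
#include <cstddef>
#include <vector>

// Stand-ins (assumed shapes) for WT_Logical_Point and XamlPolylineSegment.
struct LogicalPoint { int x; int y; };
struct Pt { double x; double y; };              // XAML float coordinate
struct Segment {
    bool isPolyline;                            // false models an arc/ellipse
    bool closed;                                // closed figures repeat point 0
    std::vector<Pt> pts;
};

// floor(0.5 + v): the toolkit's "round for fuzz or noise".
static int roundCoord(double v) { return static_cast<int>(std::floor(0.5 + v)); }
static bool usable(const Segment& s) { return s.isPolyline && !s.pts.empty(); }

// Capacity for the whole figure, computed before any write: each polyline
// contributes its point count, plus one if closed.
static std::size_t figureCapacity(const std::vector<Segment>& segs) {
    std::size_t n = 0;
    for (const Segment& s : segs)
        if (usable(s)) n += s.pts.size() + (s.closed ? 1 : 0);
    return n;
}

// Flattens every polyline segment into one buffer sized for the whole figure
// (the original allocated per segment while nIndex kept growing). Returns the
// number of points written, i.e. the nIndex handed to WT_Polygon::set, or -1
// if a write would exceed capacity. Caller owns *ppPoints (delete[]).
long flattenFigure(const std::vector<Segment>& segs, LogicalPoint** ppPoints) {
    const std::size_t capacity = figureCapacity(segs);
    LogicalPoint* pPoints = new LogicalPoint[capacity ? capacity : 1]();
    std::size_t nIndex = 0;
    auto store = [&](const Pt& p) {               // bounds-checked append
        if (nIndex >= capacity) return false;
        pPoints[nIndex].x = roundCoord(p.x);
        pPoints[nIndex++].y = roundCoord(p.y);
        return true;
    };
    for (const Segment& s : segs) {
        if (!usable(s)) continue;                 // skip arcs, don't error out
        for (const Pt& p : s.pts)
            if (!store(p)) { delete[] pPoints; return -1; }
        if (s.closed && !store(s.pts[0])) { delete[] pPoints; return -1; }
    }
    *ppPoints = pPoints;
    return static_cast<long>(nIndex);
}
```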

Message 2 of 2
ADR_Jerry
in reply to: janderssen

Thank you for your help.

I am one of the developers of toolkit. Could you please send the drawing to my email-box: jerry.gao@autodesk.com.

Thanks again.

Jerry
