From 8c6abaf3fab0e88fde24693127615bd7f39d1ac1 Mon Sep 17 00:00:00 2001
From: Jason Wray <jason@mapbox.com>
Date: Tue, 27 Mar 2018 20:20:57 -0400
Subject: [ios] Fix heap buffer overflow in two-coordinate MGLPolyline

---
 platform/darwin/src/MGLPolyline.mm | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/platform/darwin/src/MGLPolyline.mm b/platform/darwin/src/MGLPolyline.mm
index e011d09215..26e3518cd8 100644
--- a/platform/darwin/src/MGLPolyline.mm
+++ b/platform/darwin/src/MGLPolyline.mm
@@ -72,9 +72,12 @@
     
     if (count > 1 || middle > traveled) {
         for (NSUInteger i = 0; i < count; i++) {
-            
+
+            // Avoid a heap buffer overflow when there are only two coordinates.
+            NSUInteger nextIndex = (i + 1 == count) ? 0 : 1;
+
             MGLRadianCoordinate2D from = MGLRadianCoordinateFromLocationCoordinate(coordinates[i]);
-            MGLRadianCoordinate2D to = MGLRadianCoordinateFromLocationCoordinate(coordinates[i + 1]);
+            MGLRadianCoordinate2D to = MGLRadianCoordinateFromLocationCoordinate(coordinates[i + nextIndex]);
             
             if (traveled >= middle) {
                 double overshoot = middle - traveled;
@@ -91,7 +94,6 @@
             }
             
             traveled += (MGLDistanceBetweenRadianCoordinates(from, to) * mbgl::util::EARTH_RADIUS_M);
-            
         }
     }
 
-- 
cgit v1.2.1