fix very large clipped path limit

Mozilla notes that clipped paths conservatively triple the reserved space for a path edge list, potentially overflowing an int if the point count is 2^31/3 or larger, making maxEdgeCount negative if maxEdgeCount is an int. By making maxEdgeCount size_t, the multiply stays in range. A couple of lines down, makeArrayDefault is going to trigger an SkASSERT_RELEASE because the record size times the point count exceeds the allowable limit. R=scroggo@google.com Bug: skia:7391 Change-Id: Ib20b392a369133c91fe2785be248dce3a2100202 Reviewed-on: https://skia-review.googlesource.com/85720 Commit-Queue: Cary Clark <caryclark@google.com> Reviewed-by: Leon Scroggins <scroggo@google.com>
2017-12-15 10:11:15 -05:00 · 2017-12-15 10:11:15 -05:00 · 29c14a7606
commit 29c14a7606
parent 834fb8ed90
1 changed files with 2 additions and 2 deletions
--- a/src/core/SkEdgeBuilder.cpp
+++ b/src/core/SkEdgeBuilder.cpp
@ -258,7 +258,7 @@ int SkEdgeBuilder::buildPoly(const SkPath& path, const SkIRect* iclip, int shift
    SkPoint         pts[4];
    SkPath::Verb    verb;

-    int maxEdgeCount = path.countPoints();
+    size_t maxEdgeCount = path.countPoints();
    if (iclip) {
        // clipping can turn 1 line into (up to) kMaxClippedLineSegments, since
        // we turn portions that are clipped out on the left/right into vertical
@ -331,7 +331,7 @@ int SkEdgeBuilder::buildPoly(const SkPath& path, const SkIRect* iclip, int shift
        }
    }
    SkASSERT((size_t)(edge - edgeStart) <= maxEdgeCount * edgeSize);
-    SkASSERT(edgePtr - (char**)fEdgeList <= maxEdgeCount);
+    SkASSERT((size_t)(edgePtr - (char**)fEdgeList) <= maxEdgeCount);
    return SkToInt(edgePtr - (char**)fEdgeList);
 }