From 29c14a760682e2c449fa043b5e8b69937cb58f3a Mon Sep 17 00:00:00 2001
From: Cary Clark
Date: Fri, 15 Dec 2017 10:11:15 -0500
Subject: [PATCH] fix very large clipped path limit
Mozilla notes that clipped paths conservatively triple the reserved space for a path edge list, potentially overflowing an int if the point count is 2^31/3 or larger, making maxEdgeCount negative if maxEdgeCount is an int. By making maxEdgeCount size_t, the multiply stays in range. A couple of lines down, makeArrayDefault is going to trigger an SkASSERT_RELEASE because the record size times the point count exceeds the allowable limit.
R=scroggo@google.com
Bug: skia:7391
Change-Id: Ib20b392a369133c91fe2785be248dce3a2100202
Reviewed-on: https://skia-review.googlesource.com/85720
Commit-Queue: Cary Clark
Reviewed-by: Leon Scroggins
---
 src/core/SkEdgeBuilder.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/SkEdgeBuilder.cpp b/src/core/SkEdgeBuilder.cpp
index b921db33c1..d0a2253740 100644
--- a/src/core/SkEdgeBuilder.cpp
+++ b/src/core/SkEdgeBuilder.cpp
@@ -258,7 +258,7 @@ int SkEdgeBuilder::buildPoly(const SkPath& path, const SkIRect* iclip, int shift
 SkPoint pts[4];
 SkPath::Verb verb;
- int maxEdgeCount = path.countPoints();
+ size_t maxEdgeCount = path.countPoints();
 if (iclip) {
 // clipping can turn 1 line into (up to) kMaxClippedLineSegments, since
 // we turn portions that are clipped out on the left/right into vertical
@@ -331,7 +331,7 @@ int SkEdgeBuilder::buildPoly(const SkPath& path, const SkIRect* iclip, int shift
 }
 }
 SkASSERT((size_t)(edge - edgeStart) <= maxEdgeCount * edgeSize);
- SkASSERT(edgePtr - (char**)fEdgeList <= maxEdgeCount);
+ SkASSERT((size_t)(edgePtr - (char**)fEdgeList) <= maxEdgeCount);
 return SkToInt(edgePtr - (char**)fEdgeList);
 }
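Review bot: The widened declaration `size_t maxEdgeCount = path.countPoints();` carries no comment explaining why its type differs from the `int` that buildPoly returns, so a later cleanup could narrow it again and bring the overflow back. I would add `// size_t, not int: the clip case below multiplies this count and must not wrap for very large paths (skia:7391)` above it. Per the commit description, the oversized case is then stopped by a release assert in the allocation a few lines down, outside this hunk. The headroom argument relies on size_t being wide enough for the multiplied count, which is worth confirming for 32-bit targets. The diffstat lists only SkEdgeBuilder.cpp, so no regression test for a very large clipped path accompanies the fix; buildPoly's body starts and ends outside the hunk.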
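Review bot: Both checks at the end of buildPoly are `SkASSERT`, which as far as I know compiles out of release builds, so the added `(size_t)` cast only changes debug-time checking. In release builds the bound on the edge list still rests on the allocation sized from `maxEdgeCount` earlier in the function, outside this hunk. The expression `edgePtr - (char**)fEdgeList` now appears on two adjacent lines with different conversions. Computing it once, e.g. `const ptrdiff_t edgeCount = edgePtr - (char**)fEdgeList;`, and using that in both the assert and `SkToInt(edgeCount)` would keep the check and the returned value in step. The function begins outside the hunk.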