From 650f40d39b7a3486589221bbbaf4e7874e560bdd Mon Sep 17 00:00:00 2001
From: Brian Osman
Date: Tue, 29 Oct 2019 11:24:30 -0400
Subject: [PATCH] SkMorphologyImageFilter: Avoid integer overflow with large radii

We later compute the "width" of the filter as (2*radius)+1, so fail early if that will overflow.

Bug: chromium:1018190
Change-Id: I6554693067be4b52b1304d9f6fd0376ce4b3be19
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/251364
Reviewed-by: Robert Phillips
Commit-Queue: Brian Osman
---
 src/effects/imagefilters/SkMorphologyImageFilter.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/effects/imagefilters/SkMorphologyImageFilter.cpp b/src/effects/imagefilters/SkMorphologyImageFilter.cpp
index 47e563b886..eb834a3749 100644
--- a/src/effects/imagefilters/SkMorphologyImageFilter.cpp
+++ b/src/effects/imagefilters/SkMorphologyImageFilter.cpp
@@ -766,7 +766,10 @@ sk_sp SkMorphologyImageFilterImpl::onFilterImage(const Context&
     int width = SkScalarFloorToInt(radius.width());
     int height = SkScalarFloorToInt(radius.height());
-    if (width < 0 || height < 0) {
+    // Width (or height) must fit in a signed 32-bit int to avoid UBSAN issues (crbug.com/1018190)
+    constexpr int kMaxRadius = (std::numeric_limits::max() - 1) / 2;
+
+    if (width < 0 || height < 0 || width > kMaxRadius || height > kMaxRadius) {
         return nullptr;
     }
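Review bot: The comment added above `kMaxRadius` states the wrong constraint: `width` and `height` are already `int`s, so what has to fit is the kernel extent `2*radius+1` computed later (as the commit message says), which is exactly what `(max - 1) / 2` guarantees; I would reword it to `// The kernel extent is 2*radius+1; reject radii for which that would overflow int (crbug.com/1018190)`. The bound itself is tight, since `2*kMaxRadius+1` equals the maximum `int`, so the largest accepted radius still yields a representable extent. Two things the hunk cannot show and that are worth confirming: that `SkScalarFloorToInt` saturates (rather than converting out-of-range scalars to `int` with undefined behaviour) before this check ever runs, and that `<limits>` is included in this file now that `std::numeric_limits` is used here. `onFilterImage` continues outside the hunk.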