From ad28486cef212ca31af12f75c95d0fbe6ee2d8a5 Mon Sep 17 00:00:00 2001
From: Mike Klein
Date: Mon, 30 Dec 2019 10:44:53 -0600
Subject: [PATCH] range check before casting to DrawType
Bug: oss-fuzz:19583
Change-Id: I656e8ddd5699cfc4998f3f424a1a46380f310c63
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/261591
Commit-Queue: Mike Klein
Commit-Queue: Mike Reed
Auto-Submit: Mike Klein
Reviewed-by: Mike Reed
---
 src/core/SkPicturePlayback.cpp | 8 ++++----
 src/core/SkPicturePlayback.h | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/core/SkPicturePlayback.cpp b/src/core/SkPicturePlayback.cpp
index da793f0837..f9941d4d20 100644
--- a/src/core/SkPicturePlayback.cpp
+++ b/src/core/SkPicturePlayback.cpp
@@ -42,7 +42,7 @@ SkCanvas::SaveLayerFlags SkCanvasPriv::LegacySaveFlagsToSaveLayerFlags(uint32_t
 * to the next chunk's op code. This also means that the size of a chunk
 * with no arguments (just an opcode) will be 4.
 */
-DrawType SkPicturePlayback::ReadOpAndSize(SkReadBuffer* reader, uint32_t* size) {
+uint32_t SkPicturePlayback::ReadOpAndSize(SkReadBuffer* reader, uint32_t* size) {
 uint32_t temp = reader->readInt();
 uint32_t op;
 if ((temp & 0xFF) == temp) {
@@ -55,7 +55,7 @@ DrawType SkPicturePlayback::ReadOpAndSize(SkReadBuffer* reader, uint32_t* size)
 *size = reader->readInt();
 }
 }
- return (DrawType)op;
+ return op;
 }
@@ -89,12 +89,12 @@ void SkPicturePlayback::draw(SkCanvas* canvas,
 fCurOffset = reader.offset();
 uint32_t size;
- DrawType op = ReadOpAndSize(&reader, &size);
+ uint32_t op = ReadOpAndSize(&reader, &size);
 if (!reader.validate(op > UNUSED && op <= LAST_DRAWTYPE_ENUM)) {
 return;
 }
- this->handleOp(&reader, op, size, canvas, initialMatrix);
+ this->handleOp(&reader, (DrawType)op, size, canvas, initialMatrix);
 }
 // need to propagate invalid state to the parent reader
diff --git a/src/core/SkPicturePlayback.h b/src/core/SkPicturePlayback.h
index 76f7cad6b9..4189f69a94 100644
--- a/src/core/SkPicturePlayback.h
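Review bot: The block comment above `ReadOpAndSize` in the first hunk does not say that the function now returns the raw op word from the buffer, unvalidated. Since the whole point of the change is that the value must be range-checked before it becomes a `DrawType`, I would add a line to that comment such as `* The returned op is the raw value read from the buffer and is NOT validated; callers must range-check it before casting to DrawType.` The declaration in SkPicturePlayback.h has no comment at all and would benefit from the same sentence. The function body starts in this hunk and ends in the next one, so only part of it is visible here.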
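Review bot: The cast in the third hunk, `(DrawType)op` in the `handleOp` call, is a C-style cast whose safety rests entirely on the `reader.validate(...)` a few lines above it, and nothing at the cast says so. I would write it as `this->handleOp(&reader, static_cast<DrawType>(op), size, canvas, initialMatrix);` with a short comment like `// op was range-checked by validate() above, so the cast is well-defined`, so that a later edit which moves or drops the check is easier to spot. Because the check lives at this call site rather than inside `ReadOpAndSize`, any other caller of that function (none is visible in this patch) would need the same guard before casting. The enclosing `draw` loop starts and ends outside the hunk.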
+++ b/src/core/SkPicturePlayback.h
@@ -43,7 +43,7 @@ protected:
 SkCanvas* canvas,
 const SkMatrix& initialMatrix);
- static DrawType ReadOpAndSize(SkReadBuffer* reader, uint32_t* size);
+ static uint32_t ReadOpAndSize(SkReadBuffer* reader, uint32_t* size);
 class AutoResetOpID {
 public: