AuroraMiddleware/skia2
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

protect against fuzz generated fLastMoveToIndex

Browse Source 
If fLastMoveToIndex exceeds SkPath::countPoints(),
SkPath::internalGetConvexity() reads outside allocated
memory.

R=kjlubick@google.com

Bug: skia:11842
Change-Id: Iba20c1a977645d882f0b86c22134d1d055692a0c
Reviewed-on: https://skia-review.googlesource.com/c/177801
Commit-Queue: Cary Clark <caryclark@skia.org>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Auto-Submit: Cary Clark <caryclark@skia.org>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
This commit is contained in:
Cary Clark 2018-12-14 10:15:13 -05:00 committed by Skia Commit-Bot
parent af67819ee1
commit eb82b5a3ee
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/core/SkPath.cpp
View File

@ -2803,7 +2803,11 @@ SkPath::Convexity SkPath::internalGetConvexity() const {
};
// Check to see if path changes direction more than three times as quick concave test
int pointCount = fLastMoveToIndex > 0 ? fLastMoveToIndex : this->countPoints();
int pointCount = this->countPoints();
// last moveTo index may exceed point count if data comes from fuzzer (via SkImageFilter)
if (0 < fLastMoveToIndex && fLastMoveToIndex < pointCount) {
pointCount = fLastMoveToIndex;
}
if (pointCount > 3) {
const SkPoint* points = fPathRef->points();
const SkPoint* last = &points[pointCount];