1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
|
diff --git a/fuzz/FuzzPathMeasure.cpp b/fuzz/FuzzPathMeasure.cpp
index e6933a856f..f802cc2250 100644
--- a/fuzz/FuzzPathMeasure.cpp
+++ b/fuzz/FuzzPathMeasure.cpp
@@ -22,6 +22,9 @@ DEF_FUZZ(PathMeasure, fuzz) {
BuildPath(fuzz, &path, SkPath::Verb::kDone_Verb);
SkRect bounds = path.getBounds();
SkScalar maxDim = SkTMax(bounds.width(), bounds.height());
+ if (maxDim > 10000000) {
+ return;
+ }
SkScalar resScale = maxDim / 1000;
SkPathMeasure measure(path, bits & 1, resScale);
SkPoint position;
diff --git a/src/core/SkAAClip.cpp b/src/core/SkAAClip.cpp
index b22b8ebebb..aec422fa96 100644
--- a/src/core/SkAAClip.cpp
+++ b/src/core/SkAAClip.cpp
@@ -1630,6 +1630,12 @@ static void operateY(SkAAClip::Builder& builder, const SkAAClip& A,
int topB = iterB.top();
int botB = iterB.bottom();
+#if defined(IS_FUZZING)
+ if ((botA - topA) > 100000 || (botB - topB) > 100000) {
+ return;
+ }
+#endif
+
do {
const uint8_t* rowA = nullptr;
const uint8_t* rowB = nullptr;
diff --git a/src/core/SkDraw.cpp b/src/core/SkDraw.cpp
index 7e526e6098..c728d3e209 100644
--- a/src/core/SkDraw.cpp
+++ b/src/core/SkDraw.cpp
@@ -1138,6 +1138,12 @@ void SkDraw::drawPath(const SkPath& origSrcPath, const SkPaint& origPaint,
// transform the path into device space
pathPtr->transform(*matrix, devPathPtr);
+#if defined(IS_FUZZING)
+ if (devPathPtr->countPoints() > 1000) {
+ return;
+ }
+#endif
+
this->drawDevPath(*devPathPtr, *paint, drawCoverage, customBlitter, doFill, iData);
}
diff --git a/src/core/SkImageFilter.cpp b/src/core/SkImageFilter.cpp
index a9447212d3..d12aefaad3 100644
--- a/src/core/SkImageFilter.cpp
+++ b/src/core/SkImageFilter.cpp
@@ -117,6 +117,12 @@ bool SkImageFilter::Common::unflatten(SkReadBuffer& buffer, int expectedCount) {
return false;
}
+#if defined(IS_FUZZING)
+ if (count > 4) {
+ return false;
+ }
+#endif
+
SkASSERT(fInputs.empty());
for (int i = 0; i < count; i++) {
fInputs.push_back(buffer.readBool() ? buffer.readImageFilter() : nullptr);
diff --git a/src/core/SkMallocPixelRef.cpp b/src/core/SkMallocPixelRef.cpp
index 2933e48cc4..1ae9dd0404 100644
--- a/src/core/SkMallocPixelRef.cpp
+++ b/src/core/SkMallocPixelRef.cpp
@@ -73,6 +73,11 @@ sk_sp<SkPixelRef> SkMallocPixelRef::MakeUsing(void*(*allocProc)(size_t),
return nullptr;
}
}
+#if defined(IS_FUZZING)
+ if (size > 100000) {
+ return nullptr;
+ }
+#endif
void* addr = allocProc(size);
if (nullptr == addr) {
return nullptr;
diff --git a/src/core/SkMaskFilter.cpp b/src/core/SkMaskFilter.cpp
index 52cdc3cc9b..aaac96cc45 100644
--- a/src/core/SkMaskFilter.cpp
+++ b/src/core/SkMaskFilter.cpp
@@ -261,6 +261,11 @@ bool SkMaskFilterBase::filterPath(const SkPath& devPath, const SkMatrix& matrix,
SkMask srcM, dstM;
+#if defined(IS_FUZZING)
+ if (devPath.countVerbs() > 1000 || devPath.countPoints() > 1000) {
+ return false;
+ }
+#endif
if (!SkDraw::DrawToMask(devPath, &clip.getBounds(), this, &matrix, &srcM,
SkMask::kComputeBoundsAndRenderImage_CreateMode,
style)) {
diff --git a/src/core/SkPaint.cpp b/src/core/SkPaint.cpp
index 82dec0ea8c..96ff4b62a8 100644
--- a/src/core/SkPaint.cpp
+++ b/src/core/SkPaint.cpp
@@ -1315,6 +1315,13 @@ bool SkPaint::getFillPath(const SkPath& src, SkPath* dst, const SkRect* cullRect
SkStrokeRec rec(*this, resScale);
+#if defined(IS_FUZZING)
+ // Prevent lines with small widths from timing out.
+ if (rec.getStyle() == SkStrokeRec::Style::kStroke_Style && rec.getWidth() < 0.001) {
+ return false;
+ }
+#endif
+
const SkPath* srcPtr = &src;
SkPath tmpPath;
diff --git a/src/core/SkPath.cpp b/src/core/SkPath.cpp
index 510efd6d9d..9692f8a461 100644
--- a/src/core/SkPath.cpp
+++ b/src/core/SkPath.cpp
@@ -3375,7 +3375,11 @@ void SkPathPriv::CreateDrawArcPath(SkPath* path, const SkRect& oval, SkScalar st
SkScalar sweepAngle, bool useCenter, bool isFillNoPathEffect) {
SkASSERT(!oval.isEmpty());
SkASSERT(sweepAngle);
-
+#if defined(IS_FUZZING)
+ if (sweepAngle > 3600.0f || sweepAngle < 3600.0f) {
+ return;
+ }
+#endif
path->reset();
path->setIsVolatile(true);
path->setFillType(SkPath::kWinding_FillType);
diff --git a/src/core/SkReadBuffer.cpp b/src/core/SkReadBuffer.cpp
index d41f2902f2..dc90ddd2be 100644
--- a/src/core/SkReadBuffer.cpp
+++ b/src/core/SkReadBuffer.cpp
@@ -279,7 +279,12 @@ sk_sp<SkData> SkReadBuffer::readByteArrayAsData() {
uint32_t SkReadBuffer::getArrayCount() {
const size_t inc = sizeof(uint32_t);
fError = fError || !IsPtrAlign4(fReader.peek()) || !fReader.isAvailable(inc);
+#if defined(IS_FUZZING)
+ uint32_t retVal = fError ? 0 : *(uint32_t*)fReader.peek();
+ return retVal < 1000 ? retVal: 1000;
+#else
return fError ? 0 : *(uint32_t*)fReader.peek();
+#endif
}
sk_sp<SkImage> SkReadBuffer::readImage() {
diff --git a/src/core/SkScan_AAAPath.cpp b/src/core/SkScan_AAAPath.cpp
index 5e7f232ff7..e8acd9a109 100644
--- a/src/core/SkScan_AAAPath.cpp
+++ b/src/core/SkScan_AAAPath.cpp
@@ -1583,6 +1583,11 @@ static SK_ALWAYS_INLINE void aaa_fill_path(const SkPath& path, const SkIRect& cl
SkASSERT(blitter);
SkEdgeBuilder builder;
+#if defined(IS_FUZZING)
+ if (path.countPoints() > 1000) {
+ return;
+ }
+#endif
int count = builder.build_edges(path, &clipRect, 0, pathContainedInClip,
SkEdgeBuilder::kAnalyticEdge);
SkAnalyticEdge** list = builder.analyticEdgeList();
diff --git a/src/core/SkScan_Hairline.cpp b/src/core/SkScan_Hairline.cpp
index 815130d532..310d464bb7 100644
--- a/src/core/SkScan_Hairline.cpp
+++ b/src/core/SkScan_Hairline.cpp
@@ -118,7 +118,11 @@ void SkScan::HairLineRgn(const SkPoint array[], int arrayCount, const SkRegion*
if (ix0 == ix1) {// too short to draw
continue;
}
-
+#if defined(IS_FUZZING)
+ if ((ix1 - ix0) > 100000 || (ix1 - ix0) < 0) {
+ continue; // too big to draw
+ }
+#endif
SkFixed slope = SkFixedDiv(dy, dx);
SkFixed startY = SkFDot6ToFixed(y0) + (slope * ((32 - x0) & 63) >> 6);
@@ -133,7 +137,11 @@ void SkScan::HairLineRgn(const SkPoint array[], int arrayCount, const SkRegion*
if (iy0 == iy1) { // too short to draw
continue;
}
-
+#if defined(IS_FUZZING)
+ if ((iy1 - iy0) > 100000 || (iy1 - iy0) < 0) {
+ continue; // too big to draw
+ }
+#endif
SkFixed slope = SkFixedDiv(dx, dy);
SkFixed startX = SkFDot6ToFixed(x0) + (slope * ((32 - y0) & 63) >> 6);
diff --git a/src/core/SkScan_Path.cpp b/src/core/SkScan_Path.cpp
index 2373e62d46..410fa8a276 100644
--- a/src/core/SkScan_Path.cpp
+++ b/src/core/SkScan_Path.cpp
@@ -245,6 +245,11 @@ static void walk_convex_edges(SkEdge* prevHead, SkPath::FillType,
SkFixed dRite = riteE->fDX;
int count = local_bot - local_top;
SkASSERT(count >= 0);
+#if defined(IS_FUZZING)
+ if (count > 1000) {
+ return;
+ }
+#endif
if (0 == (dLeft | dRite)) {
int L = SkFixedRoundToInt(left);
int R = SkFixedRoundToInt(rite);
diff --git a/src/effects/Sk1DPathEffect.cpp b/src/effects/Sk1DPathEffect.cpp
index 57f2d2b6ce..186ce5d25b 100644
--- a/src/effects/Sk1DPathEffect.cpp
+++ b/src/effects/Sk1DPathEffect.cpp
@@ -19,6 +19,11 @@
bool Sk1DPathEffect::filterPath(SkPath* dst, const SkPath& src,
SkStrokeRec*, const SkRect*) const {
SkPathMeasure meas(src, false);
+#if defined(IS_FUZZING)
+ if (meas.getLength() < 0 || meas.getLength() > 100) {
+ return false;
+ }
+#endif
do {
int governor = MAX_REASONABLE_ITERATIONS;
SkScalar length = meas.getLength();
diff --git a/src/effects/Sk2DPathEffect.cpp b/src/effects/Sk2DPathEffect.cpp
index a541b91476..53cd354b79 100644
--- a/src/effects/Sk2DPathEffect.cpp
+++ b/src/effects/Sk2DPathEffect.cpp
@@ -51,6 +51,11 @@ void Sk2DPathEffect::nextSpan(int x, int y, int count, SkPath* path) const {
if (!fMatrixIsInvertible) {
return;
}
+#if defined(IS_FUZZING)
+ if (count > 100) {
+ return;
+ }
+#endif
const SkMatrix& mat = this->getMatrix();
SkPoint src, dst;
diff --git a/src/effects/SkDashPathEffect.cpp b/src/effects/SkDashPathEffect.cpp
index 4cb98b3ad8..2710c122d8 100644
--- a/src/effects/SkDashPathEffect.cpp
+++ b/src/effects/SkDashPathEffect.cpp
@@ -373,6 +373,12 @@ sk_sp<SkFlattenable> SkDashImpl::CreateProc(SkReadBuffer& buffer) {
return nullptr;
}
+#if defined(IS_FUZZING)
+ // TODO(kjlubick) Can this be removed now that we have the check above?
+ if (count > 20) {
+ return nullptr;
+ }
+#endif
SkAutoSTArray<32, SkScalar> intervals(count);
if (buffer.readScalarArray(intervals.get(), count)) {
return SkDashPathEffect::Make(intervals.get(), SkToInt(count), phase);
diff --git a/src/effects/SkDiscretePathEffect.cpp b/src/effects/SkDiscretePathEffect.cpp
index 57d8f9639e..148b1f756b 100644
--- a/src/effects/SkDiscretePathEffect.cpp
+++ b/src/effects/SkDiscretePathEffect.cpp
@@ -97,6 +97,11 @@ bool SkDiscretePathEffect::filterPath(SkPath* dst, const SkPath& src,
do {
SkScalar length = meas.getLength();
+#if defined(IS_FUZZING)
+ if (length > 1000) {
+ return false;
+ }
+#endif
if (fSegLength * (2 + doFill) > length) {
meas.getSegment(0, length, dst, true); // to short for us to mangle
diff --git a/src/effects/SkLayerDrawLooper.cpp b/src/effects/SkLayerDrawLooper.cpp
index 6a8254d894..b55371cfb7 100644
--- a/src/effects/SkLayerDrawLooper.cpp
+++ b/src/effects/SkLayerDrawLooper.cpp
@@ -261,6 +261,11 @@ void SkLayerDrawLooper::flatten(SkWriteBuffer& buffer) const {
sk_sp<SkFlattenable> SkLayerDrawLooper::CreateProc(SkReadBuffer& buffer) {
int count = buffer.readInt();
+#if defined(IS_FUZZING)
+ if (count > 100) {
+ count = 100;
+ }
+#endif
Builder builder;
for (int i = 0; i < count; i++) {
LayerInfo info;
diff --git a/src/gpu/GrPathUtils.cpp b/src/gpu/GrPathUtils.cpp
index 549a4dd411..13d52e18ca 100644
--- a/src/gpu/GrPathUtils.cpp
+++ b/src/gpu/GrPathUtils.cpp
@@ -401,6 +401,11 @@ void convert_noninflect_cubic_to_quads(const SkPoint p[4],
SkPathPriv::FirstDirection dir,
SkTArray<SkPoint, true>* quads,
int sublevel = 0) {
+#if defined(IS_FUZZING)
+ if (sublevel >= 7) {
+ return;
+ }
+#endif
// Notation: Point a is always p[0]. Point b is p[1] unless p[1] == p[0], in which case it is
// p[2]. Point d is always p[3]. Point c is p[2] unless p[2] == p[3], in which case it is p[1].
diff --git a/src/ports/SkDebug_stdio.cpp b/src/ports/SkDebug_stdio.cpp
index ec4e3fec77..4bc01d5d51 100644
--- a/src/ports/SkDebug_stdio.cpp
+++ b/src/ports/SkDebug_stdio.cpp
@@ -12,9 +12,13 @@
#include <stdio.h>
void SkDebugf(const char format[], ...) {
+#if !defined(IS_FUZZING_WITH_LIBFUZZER)
va_list args;
va_start(args, format);
vfprintf(stderr, format, args);
va_end(args);
+#else
+ (void) format;
+#endif
}
#endif//!defined(SK_BUILD_FOR_WIN) && !defined(SK_BUILD_FOR_ANDROID)
diff --git a/src/utils/SkOffsetPolygon.cpp b/src/utils/SkOffsetPolygon.cpp
index 47b41250e2..ce69469e80 100755
--- a/src/utils/SkOffsetPolygon.cpp
+++ b/src/utils/SkOffsetPolygon.cpp
@@ -260,6 +260,11 @@ bool SkInsetConvexPolygon(const SkPoint* inputPolygonVerts, int inputPolygonSize
if (inputPolygonSize < 3) {
return false;
}
+#if defined(IS_FUZZING)
+ if (inputPolygonSize > 500) {
+ return false;
+ }
+#endif
int winding = get_winding(inputPolygonVerts, inputPolygonSize);
if (0 == winding) {
diff --git a/src/utils/SkShadowTessellator.cpp b/src/utils/SkShadowTessellator.cpp
index ee2375ebf2..3ffe7147a8 100755
--- a/src/utils/SkShadowTessellator.cpp
+++ b/src/utils/SkShadowTessellator.cpp
@@ -270,6 +270,11 @@ bool SkBaseShadowTessellator::addArc(const SkVector& nextNormal, bool finishArc)
SkScalar rotSin, rotCos;
int numSteps;
compute_radial_steps(fPrevOutset, nextNormal, fRadius, &rotSin, &rotCos, &numSteps);
+#if defined(IS_FUZZING)
+ if (numSteps > 50 || numSteps < 0) {
+ return false;
+ }
+#endif
SkVector prevNormal = fPrevOutset;
for (int i = 0; i < numSteps-1; ++i) {
SkVector currNormal;
|
