check for inconsistent counts in drawTextRSXform

Bug: skia:7425 Change-Id: Iaf096124b86d34269cf926eeb2da28662ad686c5 Reviewed-on: https://skia-review.googlesource.com/96861 Reviewed-by: Mike Reed <reed@google.com> Commit-Queue: Mike Reed <reed@google.com>
author: Mike Reed <reed@google.com> 2018-01-18 13:36:27 -0500
committer: Skia Commit-Bot <skia-commit-bot@chromium.org> 2018-01-18 18:56:58 +0000
commit: 09a57b935b3e8aad0e96e2a7be91336748837055 (patch)
tree: 3ee9021804a461cef904d740fd6d8f0a19b06758
parent: 40a29d7705d970be03ff94f9fa062db75dccbd0f (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/src/core/SkPicturePlayback.cpp b/src/core/SkPicturePlayback.cpp
index 894e84081b..9a57816a20 100644
--- a/src/core/SkPicturePlayback.cpp
+++ b/src/core/SkPicturePlayback.cpp
@@ -647,14 +647,15 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader,
         } break;
         case DRAW_TEXT_RSXFORM: {
             const SkPaint* paint = fPictureData->getPaint(reader);
-            int count = reader->readInt();
-            uint32_t flags = reader->read32();
+            uint32_t count = reader->readUInt();
+            uint32_t flags = reader->readUInt();
             TextContainer text(reader, paint);
             const SkRSXform* xform = (const SkRSXform*)reader->skip(count, sizeof(SkRSXform));
             const SkRect* cull = nullptr;
             if (flags & DRAW_TEXT_RSXFORM_HAS_CULL) {
                 cull = (const SkRect*)reader->skip(sizeof(SkRect));
             }
+            reader->validate(count == text.count());
             BREAK_ON_READ_ERROR(reader);
 
             if (text.text()) {
author	Mike Reed <reed@google.com>	2018-01-18 13:36:27 -0500
committer	Skia Commit-Bot <skia-commit-bot@chromium.org>	2018-01-18 18:56:58 +0000
commit	09a57b935b3e8aad0e96e2a7be91336748837055 (patch)
tree	3ee9021804a461cef904d740fd6d8f0a19b06758
parent	40a29d7705d970be03ff94f9fa062db75dccbd0f (diff)