[skottie] Fix OOB access in Parse<SkPoint>

SkJSON requires valid array indices, so callers must guard against
out-of-bounds conditions explicitly.

Bug: oss-fuzz:8956
Change-Id: I50b96b088e44a4c1a569e6911d4be5d75799b464
Reviewed-on: https://skia-review.googlesource.com/135445
Commit-Queue: Florin Malita <fmalita@chromium.org>
Reviewed-by: Kevin Lubick <kjlubick@google.com>

1 files changed, 6 insertions, 2 deletions

diff --git a/modules/skottie/src/SkottieJson.cpp b/modules/skottie/src/SkottieJson.cpp
index 4f23939d15..186cd42c31 100644
--- a/modules/skottie/src/SkottieJson.cpp
+++ b/modules/skottie/src/SkottieJson.cpp
@@ -84,8 +84,12 @@ bool Parse<SkPoint>(const Value& v, SkPoint* pt) {
     const auto& jvy = ov["y"];
 
     // Some BM versions seem to store x/y as single-element arrays.
-    return Parse<SkScalar>(jvx.is<ArrayValue>() ? jvx.as<ArrayValue>()[0] : jvx, &pt->fX)
-        && Parse<SkScalar>(jvy.is<ArrayValue>() ? jvy.as<ArrayValue>()[0] : jvy, &pt->fY);
+    // TODO: We should be able to check size == 1 below, or just delegate to Parse<SkScalar>,
+    //       but that change introduces diffs.  Investigate.
+    const ArrayValue* jvxa = jvx;
+    const ArrayValue* jvya = jvy;
+    return Parse<SkScalar>(jvxa && jvxa->size() > 0 ? (*jvxa)[0] : jvx, &pt->fX)
+        && Parse<SkScalar>(jvya && jvya->size() > 0 ? (*jvya)[0] : jvy, &pt->fY);
 }
 
 template <>