diff options
author | Cary Clark <caryclark@skia.org> | 2017-12-15 10:11:15 -0500 |
---|---|---|
committer | Skia Commit-Bot <skia-commit-bot@chromium.org> | 2017-12-15 16:52:13 +0000 |
commit | 29c14a760682e2c449fa043b5e8b69937cb58f3a (patch) | |
tree | 66901f51b852bf1d8a650fbe3a28b901e5c9ac33 /src/core/SkEdgeBuilder.cpp | |
parent | 834fb8ed906984739aee6b61417afddb9c6e469c (diff) |
fix very large clipped path limit
Mozilla notes that clipped paths conservatively triple
the reserved space for a path edge list, potentially
overflowing an int if the point count is 2^31/3 or
larger, making maxEdgeCount negative if maxEdgeCount
is an int.
By making maxEdgeCount size_t, the multiply stays in
range. A couple of lines down, makeArrayDefault is going
to trigger an SkASSERT_RELEASE because the record size
times the point count exceeds the allowable limit.
R=scroggo@google.com
Bug: skia:7391
Change-Id: Ib20b392a369133c91fe2785be248dce3a2100202
Reviewed-on: https://skia-review.googlesource.com/85720
Commit-Queue: Cary Clark <caryclark@google.com>
Reviewed-by: Leon Scroggins <scroggo@google.com>
Diffstat (limited to 'src/core/SkEdgeBuilder.cpp')
-rw-r--r-- | src/core/SkEdgeBuilder.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/core/SkEdgeBuilder.cpp b/src/core/SkEdgeBuilder.cpp index b921db33c1..d0a2253740 100644 --- a/src/core/SkEdgeBuilder.cpp +++ b/src/core/SkEdgeBuilder.cpp @@ -258,7 +258,7 @@ int SkEdgeBuilder::buildPoly(const SkPath& path, const SkIRect* iclip, int shift SkPoint pts[4]; SkPath::Verb verb; - int maxEdgeCount = path.countPoints(); + size_t maxEdgeCount = path.countPoints(); if (iclip) { // clipping can turn 1 line into (up to) kMaxClippedLineSegments, since // we turn portions that are clipped out on the left/right into vertical @@ -331,7 +331,7 @@ int SkEdgeBuilder::buildPoly(const SkPath& path, const SkIRect* iclip, int shift } } SkASSERT((size_t)(edge - edgeStart) <= maxEdgeCount * edgeSize); - SkASSERT(edgePtr - (char**)fEdgeList <= maxEdgeCount); + SkASSERT((size_t)(edgePtr - (char**)fEdgeList) <= maxEdgeCount); return SkToInt(edgePtr - (char**)fEdgeList); } |