Fix fuzzer-found deserialization bugs

This fixes deserialization bugs found by fuzzing SkPaintImageFilter. BUG=576908,576910 GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1589533002 Review URL: https://codereview.chromium.org/1589533002
author: ajuma <ajuma@chromium.org> 2016-01-13 13:46:31 -0800
committer: Commit bot <commit-bot@chromium.org> 2016-01-13 13:46:32 -0800
commit: f8aec588bfd2df17130ee93593a8f4ae781afe1f (patch)
tree: 1e351d951aa5cafd57155c59d968f5c4248c8451 /src/core/SkPathRef.cpp
parent: 97c40072b0ed5fdca3724ec79dd09d5467a981b5 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/src/core/SkPathRef.cpp b/src/core/SkPathRef.cpp
index 28bffcbde8..cf4e8ffba2 100644
--- a/src/core/SkPathRef.cpp
+++ b/src/core/SkPathRef.cpp
@@ -138,8 +138,11 @@ SkPathRef* SkPathRef::CreateFromBuffer(SkRBuffer* buffer) {
     int32_t verbCount, pointCount, conicCount;
     if (!buffer->readU32(&(ref->fGenerationID)) ||
         !buffer->readS32(&verbCount) ||
+        verbCount < 0 ||
         !buffer->readS32(&pointCount) ||
-        !buffer->readS32(&conicCount)) {
+        pointCount < 0 ||
+        !buffer->readS32(&conicCount) ||
+        conicCount < 0) {
         delete ref;
         return nullptr;
     }
author	ajuma <ajuma@chromium.org>	2016-01-13 13:46:31 -0800
committer	Commit bot <commit-bot@chromium.org>	2016-01-13 13:46:32 -0800
commit	f8aec588bfd2df17130ee93593a8f4ae781afe1f (patch)
tree	1e351d951aa5cafd57155c59d968f5c4248c8451 /src/core/SkPathRef.cpp
parent	97c40072b0ed5fdca3724ec79dd09d5467a981b5 (diff)