Guard some uint32_t -> int cases in SkPictureData reading

Change-Id: I67e6a67a57bf83922d159083e359df1a8ce053c1
Reviewed-on: https://skia-review.googlesource.com/6275
Reviewed-by: Herb Derby <herb@google.com>
Commit-Queue: Robert Phillips <robertphillips@google.com>

1 files changed, 7 insertions, 0 deletions

diff --git a/src/core/SkPictureData.cpp b/src/core/SkPictureData.cpp
index 5f9cb7180e..1aff1e46b9 100644
--- a/src/core/SkPictureData.cpp
+++ b/src/core/SkPictureData.cpp
@@ -485,6 +485,10 @@ bool new_array_from_buffer(SkReadBuffer& buffer, uint32_t inCount,
     if (0 == inCount) {
         return true;
     }
+    if (!buffer.validate(SkTFitsIn<int>(inCount))) {
+        return false;
+    }
+
     *outCount = inCount;
     *array = new const T* [*outCount];
     bool success = true;
@@ -519,6 +523,9 @@ bool SkPictureData::parseBufferTag(SkReadBuffer& buffer, uint32_t tag, uint32_t
             }
             break;
         case SK_PICT_PAINT_BUFFER_TAG: {
+            if (!buffer.validate(SkTFitsIn<int>(size))) {
+                return false;
+            }
             const int count = SkToInt(size);
             fPaints.reset(count);
             for (int i = 0; i < count; ++i) {