add fuzzer timeout escape

SkOpSegment::moveNearby may loop for a long time, maybe forever.
The longest loop isolated is 500 in a fuzzer generated test, and
50 in a real world test. Add an escape hatch to abandon the op
after 9999 loops.

While this puts a limit on the complexity path ops can handle,
realistically paths this complex fail otherwise.

TBR:hcm@google.com
Bug: 764699
Change-Id: Iad62b9d505b94b2c2845ad2874342ac90478642e
Reviewed-on: https://skia-review.googlesource.com/61200
Reviewed-by: Cary Clark <caryclark@skia.org>
Commit-Queue: Cary Clark <caryclark@skia.org>

1 files changed, 4 insertions, 1 deletions

diff --git a/src/pathops/SkOpSegment.cpp b/src/pathops/SkOpSegment.cpp
index f266ed949f..402f6664de 100644
--- a/src/pathops/SkOpSegment.cpp
+++ b/src/pathops/SkOpSegment.cpp
@@ -1377,10 +1377,14 @@ bool SkOpSegment::moveNearby() {
     debugValidate();
     // release undeleted spans pointing to this seg that are linked to the primary span
     SkOpSpanBase* spanBase = &fHead;
+    int escapeHatch = 9999;  // the largest count for a regular test is 50; for a fuzzer, 500
     do {
         SkOpPtT* ptT = spanBase->ptT();
         const SkOpPtT* headPtT = ptT;
         while ((ptT = ptT->next()) != headPtT) {
+            if (!--escapeHatch) {
+                return false;
+            }
             SkOpSpanBase* test = ptT->span();
             if (ptT->segment() == this && !ptT->deleted() && test != spanBase
                     && test->ptT() == ptT) {
@@ -1398,7 +1402,6 @@ bool SkOpSegment::moveNearby() {
         }
         spanBase = spanBase->upCast()->next();
     } while (!spanBase->final());
-
     // This loop looks for adjacent spans which are near by
     spanBase = &fHead;
     do {  // iterate through all spans associated with start