abort if glyph metrics fall outside safe rect

Caught this while debugging a fuzz from Kevin.

Haven't seen this on Windows, but seems like it's got roughly the same
possible issue.

Change-Id: I5e1c7328890492b3f3295af27757e456e26f9cbf
Reviewed-on: https://skia-review.googlesource.com/55760
Reviewed-by: Ben Wagner <bungeman@google.com>
Commit-Queue: Mike Klein <mtklein@chromium.org>

1 files changed, 6 insertions, 0 deletions

diff --git a/src/ports/SkFontHost_mac.cpp b/src/ports/SkFontHost_mac.cpp
index d19ac5b6b4..8fadb805a2 100644
--- a/src/ports/SkFontHost_mac.cpp
+++ b/src/ports/SkFontHost_mac.cpp
@@ -1035,6 +1035,12 @@ void SkScalerContext_Mac::generateMetrics(SkGlyph* glyph) {
         skBounds.fBottom += SkFixedToFloat(glyph->getSubYFixed());
     }
 
+    // We're trying to pack left and top into int16_t,
+    // and width and height into uint16_t, after outsetting by 1.
+    if (!SkRect::MakeXYWH(-32767, -32767, 65535, 65535).contains(skBounds)) {
+        return;
+    }
+
     SkIRect skIBounds;
     skBounds.roundOut(&skIBounds);
     // Expand the bounds by 1 pixel, to give CG room for anti-aliasing.