abort if glyph metrics fall outside safe rect

Caught this while debugging a fuzz from Kevin.

Haven't seen this on Windows, but seems like it's got roughly the same
possible issue.

Change-Id: I5e1c7328890492b3f3295af27757e456e26f9cbf
Reviewed-on: https://skia-review.googlesource.com/55760
Reviewed-by: Ben Wagner <bungeman@google.com>
Commit-Queue: Mike Klein <mtklein@chromium.org>

2 files changed, 14 insertions, 0 deletions

diff --git a/src/ports/SkFontHost_mac.cpp b/src/ports/SkFontHost_mac.cpp
index d19ac5b6b4..8fadb805a2 100644
--- a/src/ports/SkFontHost_mac.cpp
+++ b/src/ports/SkFontHost_mac.cpp
@@ -1035,6 +1035,12 @@ void SkScalerContext_Mac::generateMetrics(SkGlyph* glyph) {
         skBounds.fBottom += SkFixedToFloat(glyph->getSubYFixed());
     }
 
+    // We're trying to pack left and top into int16_t,
+    // and width and height into uint16_t, after outsetting by 1.
+    if (!SkRect::MakeXYWH(-32767, -32767, 65535, 65535).contains(skBounds)) {
+        return;
+    }
+
     SkIRect skIBounds;
     skBounds.roundOut(&skIBounds);
     // Expand the bounds by 1 pixel, to give CG room for anti-aliasing.
diff --git a/src/ports/SkScalerContext_win_dw.cpp b/src/ports/SkScalerContext_win_dw.cpp
index b7fbe8f171..3b207c2440 100644
--- a/src/ports/SkScalerContext_win_dw.cpp
+++ b/src/ports/SkScalerContext_win_dw.cpp
@@ -505,6 +505,14 @@ static bool glyph_check_and_set_bounds(SkGlyph* glyph, const RECT& bbox) {
     if (bbox.left >= bbox.right || bbox.top >= bbox.bottom) {
         return false;
     }
+
+    // We're trying to pack left and top into int16_t,
+    // and width and height into uint16_t, after outsetting by 1.
+    if (!SkIRect::MakeXYWH(-32767, -32767, 65535, 65535).contains(
+                SkIRect::MakeLTRB(bbox.left, bbox.top, bbox.right, bbox.bottom))) {
+        return false;
+    }
+
     glyph->fWidth = SkToU16(bbox.right - bbox.left);
     glyph->fHeight = SkToU16(bbox.bottom - bbox.top);
     glyph->fLeft = SkToS16(bbox.left);