Fix int32 overflow in LinearGradientContext::shade4_dx_clamp

The unconditional increment in shade4_dx_clamp can overflow int32

=> n == SK_MinS32
=> count ~= SK_MinS32
=> we skip the main shader loop 'cause count < 0

R=reed@google.com,mtklein@google.com
BUG=chromium:599458
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2010843002

Review-Url: https://codereview.chromium.org/2010843002

1 files changed, 8 insertions, 2 deletions

diff --git a/src/effects/gradients/SkLinearGradient.cpp b/src/effects/gradients/SkLinearGradient.cpp
index 1bdce39d98..209b833973 100644
--- a/src/effects/gradients/SkLinearGradient.cpp
+++ b/src/effects/gradients/SkLinearGradient.cpp
@@ -610,7 +610,10 @@ void SkLinearGradient::LinearGradientContext::shade4_dx_clamp(SkPMColor dstC[],
 
     if (dx_is_pos) {
         if (fx < 0) {
-            int n = SkTMin(SkFloatToIntFloor(-fx * invDx) + 1, count);
+            // count is guaranteed to be positive, but the first arg may overflow int32 after
+            // increment => casting to uint32 ensures correct clamping.
+            int n = SkTMin<uint32_t>(SkFloatToIntFloor(-fx * invDx) + 1, count);
+            SkASSERT(n > 0);
             fill<apply_alpha>(dstC, n, rec[0].fColor);
             count -= n;
             dstC += n;
@@ -622,7 +625,10 @@ void SkLinearGradient::LinearGradientContext::shade4_dx_clamp(SkPMColor dstC[],
         }
     } else { // dx < 0
         if (fx > 1) {
-            int n = SkTMin(SkFloatToIntFloor((1 - fx) * invDx) + 1, count);
+            // count is guaranteed to be positive, but the first arg may overflow int32 after
+            // increment => casting to uint32 ensures correct clamping.
+            int n = SkTMin<uint32_t>(SkFloatToIntFloor((1 - fx) * invDx) + 1, count);
+            SkASSERT(n > 0);
             fill<apply_alpha>(dstC, n, rec[fRecs.count() - 1].fColor);
             count -= n;
             dstC += n;