detect bad/corrupt flattenable factory indices

BUG=skia:4814
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1615883002

Review URL: https://codereview.chromium.org/1615883002

1 files changed, 10 insertions, 3 deletions

diff --git a/src/core/SkReadBuffer.cpp b/src/core/SkReadBuffer.cpp
index 06aa9cb6a9..ca89022d12 100644
--- a/src/core/SkReadBuffer.cpp
+++ b/src/core/SkReadBuffer.cpp
@@ -340,7 +340,10 @@ SkFlattenable* SkReadBuffer::readFlattenable(SkFlattenable::Type ft) {
             return nullptr; // writer failed to give us the flattenable
         }
         index -= 1;     // we stored the index-base-1
-        SkASSERT(index < fFactoryCount);
+        if ((unsigned)index >= (unsigned)fFactoryCount) {
+            this->validate(false);
+            return nullptr;
+        }
         factory = fFactoryArray[index];
     } else if (fFactoryTDArray) {
         int32_t index = fReader.readU32();
@@ -348,6 +351,10 @@ SkFlattenable* SkReadBuffer::readFlattenable(SkFlattenable::Type ft) {
             return nullptr; // writer failed to give us the flattenable
         }
         index -= 1;     // we stored the index-base-1
+        if ((unsigned)index >= (unsigned)fFactoryCount) {
+            this->validate(false);
+            return nullptr;
+        }
         factory = (*fFactoryTDArray)[index];
     } else {
         factory = (SkFlattenable::Factory)readFunctionPtr();
@@ -366,8 +373,8 @@ SkFlattenable* SkReadBuffer::readFlattenable(SkFlattenable::Type ft) {
         // check that we read the amount we expected
         size_t sizeRead = fReader.offset() - offset;
         if (sizeRecorded != sizeRead) {
-            // we could try to fix up the offset...
-            sk_throw();
+            this->validate(false);
+            return nullptr;
         }
     } else {
         // we must skip the remaining data