author | Mike Reed <reed@google.com> | 2018-05-11 09:04:12 -0400 |
---|---|---|
committer | Skia Commit-Bot <skia-commit-bot@chromium.org> | 2018-05-11 16:47:27 +0000 |
commit | b35002d323134e2a441ce2f912a305cd9b3bd321 (patch) | |
tree | 13bbc7db0817f27e2460c29c553e9eb93e96ff2e /src | |
parent | 103d6f616b4081d29469b4c1386972bb5b32e0d6 (diff) |
reject large paths to avoid potential float overflows
I think this change can catch a host of potential fuzzer issues up-front,
rather than adding finite tests in lots and lots of places down-stream.
Bug: oss-fuzz:8131
Change-Id: I421aa72c6ca3df57b40dd32b805d6c847d8e8d29
Reviewed-on: https://skia-review.googlesource.com/127388
Reviewed-by: Mike Reed <reed@google.com>
Commit-Queue: Mike Reed <reed@google.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/core/SkDraw.cpp | 3 | ||||
-rw-r--r-- | src/core/SkPathPriv.h | 22 |
2 files changed, 25 insertions, 0 deletions
diff --git a/src/core/SkDraw.cpp b/src/core/SkDraw.cpp
index 34f5da5cfe..c465b8fd8e 100644
--- a/src/core/SkDraw.cpp
+++ b/src/core/SkDraw.cpp
@@ -951,6 +951,9 @@ SkScalar SkDraw::ComputeResScaleForStroking(const SkMatrix& matrix) {
 void SkDraw::drawDevPath(const SkPath& devPath, const SkPaint& paint, bool drawCoverage, SkBlitter* customBlitter, bool doFill, SkInitOnceData* iData) const {
+ if (SkPathPriv::TooBigForMath(devPath)) {
+ return;
+ }
 SkBlitter* blitter = nullptr;
 SkAutoBlitterChoose blitterStorage;
 if (nullptr == customBlitter) {
diff --git a/src/core/SkPathPriv.h b/src/core/SkPathPriv.h
index 3ee1f83d06..9190962962 100644
--- a/src/core/SkPathPriv.h
+++ b/src/core/SkPathPriv.h
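Review bot: The new early return at the top of SkDraw::drawDevPath (src/core/SkDraw.cpp) drops the draw silently, with no comment or debug trace, so a path rejected for its size cannot be told apart from one that legitimately drew nothing. A comment above the guard would record the intent, e.g. `// Skip paths whose device bounds are non-finite or near float max; later math on them could overflow (see SkPathPriv::TooBigForMath).` The guard is added only in this function, while the commit message presents it as a substitute for finite checks further downstream; whether other consumers of device-space paths (not visible in this hunk) need the same preflight is worth confirming. drawDevPath's body continues past the end of the hunk.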
@@ -222,6 +222,28 @@ public:
 static bool IsBadForDAA(const SkPath& path) { return path.fIsBadForDAA; }
 static void SetIsBadForDAA(SkPath& path, bool isBadForDAA) { path.fIsBadForDAA = isBadForDAA; }
+ /**
+ * Sometimes in the drawing pipeline, we have to perform math on path coordinates, even after
+ * the path is in device-coordinates. Tessellation and clipping are two examples. Usually this
+ * is pretty modest, but it can involve subtracting/adding coordinates, or multiplying by
+ * small constants (e.g. 2,3,4). To try to preflight issues where these optionations could turn
+ * finite path values into infinities (or NaNs), we allow the upper drawing code to reject
+ * the path if its bounds (in device coordinates) is too close to max float.
+ */
+ static bool TooBigForMath(const SkRect& bounds) {
+ // This value is just a guess. smaller is safer, but we don't want to reject largish paths
+ // that we don't have to.
+ constexpr SkScalar scale_down_to_allow_for_small_multiplies = 0.25f;
+ constexpr SkScalar max = SK_ScalarMax * scale_down_to_allow_for_small_multiplies;
+
+ // use ! expression so we return true if bounds contains NaN
+ return !(bounds.fLeft >= -max && bounds.fTop >= -max &&
+ bounds.fRight <= max && bounds.fBottom <= max);
+ }
+ static bool TooBigForMath(const SkPath& path) {
+ return TooBigForMath(path.getBounds());
+ }
+
 // Returns number of valid points for each SkPath::Iter verb
 static int PtsInIter(unsigned verb) {
 static const uint8_t gPtsInVerb[] = { |
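Review bot: The 0.25 margin in TooBigForMath(const SkRect&) covers one multiply by up to 4 or one add/subtract, but not the two combined: bounds with fLeft = -max and fRight = max pass the check, their width is SK_ScalarMax/2, and multiplying that width by 3 or 4 overflows to infinity. The doc comment should say what the margin does and does not guarantee, for example `Passing this check does not make compound expressions (e.g. width * 4) safe; such code still needs its own finite check.`, or the constant should be lowered if downstream code does that kind of math (not visible here). The SkPath overload also depends on what getBounds() returns for a path with non-finite points; if that is an empty rect rather than NaN bounds, such a path passes this test and the NaN remark above the return statement overstates the coverage, which is worth confirming. The doc comment also has a typo, `optionations` for `operations`.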