From 1ac99c890b8afe957385a7625fd3b759f31be249 Mon Sep 17 00:00:00 2001
From: "commit-bot@chromium.org"
 <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81>
Date: Tue, 29 Apr 2014 15:35:23 +0000
Subject: Fixed issue found by clusterfuzz

An integer overflow was causing an issue when reading a string with a very large (or negative) size.

BUG=367764
R=senorblanco@google.com, senorblanco@chromium.org, reed@google.com, borenet@google.com

Author: sugoi@chromium.org

Review URL: https://codereview.chromium.org/255693003

git-svn-id: http://skia.googlecode.com/svn/trunk@14434 2bbb7eff-a529-9590-31e7-b0007b416f81
---
 include/core/SkReader32.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'include')

diff --git a/include/core/SkReader32.h b/include/core/SkReader32.h
index 7e8038d0ae..51e28ef146 100644
--- a/include/core/SkReader32.h
+++ b/include/core/SkReader32.h
@@ -40,7 +40,7 @@ public:
     const void* peek() const { return fCurr; }
 
     size_t available() const { return fStop - fCurr; }
-    bool isAvailable(size_t size) const { return fCurr + size <= fStop; }
+    bool isAvailable(size_t size) const { return size <= this->available(); }
 
     void rewind() { fCurr = fBase; }
 
-- 
cgit v1.2.3