From f00faa3f7fe1dc5300f063767a5fa59b74407e18 Mon Sep 17 00:00:00 2001 From: Mike Reed Date: Tue, 9 Jan 2018 13:30:54 -0500 Subject: fix bad counts deserializing SkVertices Bug: skia:7475 Change-Id: I8064de3f564385f085720772d95934845f3c1dc3 Reviewed-on: https://skia-review.googlesource.com/92741 Reviewed-by: Herb Derby Commit-Queue: Mike Reed --- src/core/SkVertices.cpp | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) (limited to 'src/core') diff --git a/src/core/SkVertices.cpp b/src/core/SkVertices.cpp index 853bd31ca8..fcec6e2810 100644 --- a/src/core/SkVertices.cpp +++ b/src/core/SkVertices.cpp @@ -9,6 +9,7 @@ #include "SkVertices.h" #include "SkData.h" #include "SkReader32.h" +#include "SkSafeMath.h" #include "SkWriter32.h" static int32_t gNextID = 1; @@ -22,21 +23,22 @@ static int32_t next_id() { struct SkVertices::Sizes { Sizes(int vertexCount, int indexCount, bool hasTexs, bool hasColors) { - int64_t vSize = (int64_t)vertexCount * sizeof(SkPoint); - int64_t tSize = hasTexs ? (int64_t)vertexCount * sizeof(SkPoint) : 0; - int64_t cSize = hasColors ? (int64_t)vertexCount * sizeof(SkColor) : 0; - int64_t iSize = (int64_t)indexCount * sizeof(uint16_t); - - int64_t total = sizeof(SkVertices) + vSize + tSize + cSize + iSize; - if (!sk_64_isS32(total)) { - sk_bzero(this, sizeof(*this)); - } else { - fTotal = SkToSizeT(total); - fVSize = SkToSizeT(vSize); - fTSize = SkToSizeT(tSize); - fCSize = SkToSizeT(cSize); - fISize = SkToSizeT(iSize); + SkSafeMath safe; + + fVSize = safe.mul(vertexCount, sizeof(SkPoint)); + fTSize = hasTexs ? safe.mul(vertexCount, sizeof(SkPoint)) : 0; + fCSize = hasColors ? safe.mul(vertexCount, sizeof(SkColor)) : 0; + fISize = safe.mul(indexCount, sizeof(uint16_t)); + fTotal = safe.add(sizeof(SkVertices), + safe.add(fVSize, + safe.add(fTSize, + safe.add(fCSize, + fISize)))); + + if (safe.ok()) { fArrays = fTotal - sizeof(SkVertices); // just the sum of the arrays + } else { + sk_bzero(this, sizeof(*this)); } } -- cgit v1.2.3