From f975b3eb65bb923cde5df6ff154d5c040271c450 Mon Sep 17 00:00:00 2001
From: Hal Canary <halcanary@google.com>
Date: Thu, 22 Jun 2017 11:21:57 +0000
Subject: Revert "Revert "SkRegion: more robust validation""

This reverts commit 7f4124058eda42e8379f2e979fabc339b8580348.

Original change's description:
> Revert "SkRegion: more robust validation"
>
> This reverts commit 711450e948b9900011dc0d474f82bf7bc9913259.
>
> Reason for revert: speculative revert to fix chrome roll.
>
> Original change's description:
> > SkRegion: more robust validation
> >
> > BUG=oss-fuzz:1864
> > Change-Id: I4c3d3c4c7b0717399fe16f227e032682b13ebc74
> > Reviewed-on: https://skia-review.googlesource.com/20322
> > Reviewed-by: Cary Clark <caryclark@google.com>
> > Commit-Queue: Hal Canary <halcanary@google.com>

TBR=halcanary@google.com,caryclark@google.com,reed@google.com

Change-Id: I1e5500cb83adeeda544282577ce55812e1b5d682
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: oss-fuzz:1864
Reviewed-on: https://skia-review.googlesource.com/20501
Reviewed-by: Hal Canary <halcanary@google.com>
Commit-Queue: Hal Canary <halcanary@google.com>
---
 src/core/SkRegion.cpp | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

(limited to 'src/core')

diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp
index e873ebb453..b25633b67c 100644
--- a/src/core/SkRegion.cpp
+++ b/src/core/SkRegion.cpp
@@ -1155,6 +1155,9 @@ static bool validate_run(const int32_t* runs,
     if (rect.fTop == SkRegion::kRunTypeSentinel) {
         return false;  // no rect can contain SkRegion::kRunTypeSentinel
     }
+    if (rect.fTop != givenBounds.fTop) {
+        return false;  // Must not begin with empty span that does not contribute to bounds.
+    }
     do {
         --ySpanCount;
         if (ySpanCount < 0) {
@@ -1164,6 +1167,13 @@ static bool validate_run(const int32_t* runs,
         if (rect.fBottom == SkRegion::kRunTypeSentinel) {
             return false;
         }
+        if (rect.fBottom > givenBounds.fBottom) {
+            return false;  // Must not end with empty span that does not contribute to bounds.
+        }
+        if (rect.fBottom <= rect.fTop) {
+            return false;  // y-intervals must be ordered; rects must be non-empty.
+        }
+
         int32_t xIntervals = *runs++;
         SkASSERT(runs < end);
         if (xIntervals < 0 || runs + 1 + 2 * xIntervals > end) {
@@ -1173,13 +1183,19 @@ static bool validate_run(const int32_t* runs,
         if (intervalCount < 0) {
             return false;  // too many intervals
         }
+        bool firstInterval = true;
+        int32_t lastRight;  // check that x-intervals are distinct and ordered.
         while (xIntervals-- > 0) {
             rect.fLeft = *runs++;
             rect.fRight = *runs++;
             if (rect.fLeft == SkRegion::kRunTypeSentinel ||
-                rect.fRight == SkRegion::kRunTypeSentinel || rect.isEmpty()) {
+                rect.fRight == SkRegion::kRunTypeSentinel ||
+                rect.fLeft >= rect.fRight ||  // check non-empty rect
+                (!firstInterval && rect.fLeft <= lastRight)) {
                 return false;
             }
+            lastRight = rect.fRight;
+            firstInterval = false;
             bounds.join(rect);
         }
         if (*runs++ != SkRegion::kRunTypeSentinel) {
-- 
cgit v1.2.3