From 7b38e3cf75296c749c843fa89af14f70f4e4b2db Mon Sep 17 00:00:00 2001
From: fmalita
Date: Thu, 26 May 2016 11:13:52 -0700
Subject: Fix int32 overflow in LinearGradientContext::shade4_dx_clamp

The unconditional increment in shade4_dx_clamp can overflow int32 => n == SK_MinS32 => count ~= SK_MinS32 => we skip the main shader loop 'cause count < 0

R=reed@google.com,mtklein@google.com
BUG=chromium:599458
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2010843002

Review-Url: https://codereview.chromium.org/2010843002
---
 src/effects/gradients/SkLinearGradient.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/effects/gradients/SkLinearGradient.cpp b/src/effects/gradients/SkLinearGradient.cpp
index 1bdce39d98..209b833973 100644
--- a/src/effects/gradients/SkLinearGradient.cpp
+++ b/src/effects/gradients/SkLinearGradient.cpp
@@ -610,7 +610,10 @@ void SkLinearGradient::LinearGradientContext::shade4_dx_clamp(SkPMColor dstC[],
 if (dx_is_pos) {
 if (fx < 0) {
- int n = SkTMin(SkFloatToIntFloor(-fx * invDx) + 1, count);
+ // count is guaranteed to be positive, but the first arg may overflow int32 after
+ // increment => casting to uint32 ensures correct clamping.
+ int n = SkTMin(SkFloatToIntFloor(-fx * invDx) + 1, count);
+ SkASSERT(n > 0);
 fill(dstC, n, rec[0].fColor);
 count -= n;
 dstC += n;
@@ -622,7 +625,10 @@ void SkLinearGradient::LinearGradientContext::shade4_dx_clamp(SkPMColor dstC[],
 }
 } else { // dx < 0
 if (fx > 1) {
- int n = SkTMin(SkFloatToIntFloor((1 - fx) * invDx) + 1, count);
+ // count is guaranteed to be positive, but the first arg may overflow int32 after
+ // increment => casting to uint32 ensures correct clamping.
+ int n = SkTMin(SkFloatToIntFloor((1 - fx) * invDx) + 1, count);
+ SkASSERT(n > 0);
 fill(dstC, n, rec[fRecs.count() - 1].fColor);
 count -= n;
 dstC += n;
--
cgit v1.2.3
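Review bot: In both hunks the added `int n = SkTMin(SkFloatToIntFloor(...) + 1, count);` line reads byte-for-byte the same as the line it replaces, while the new comment says the first argument is cast to uint32 — the explicit template argument (presumably `SkTMin<uint32_t>`) appears to have been stripped from this rendering, so the committed code should be confirmed against the repository rather than this page. Even with that cast in place, the `+ 1` is still evaluated in `int` before the conversion to uint32_t, so when SkFloatToIntFloor saturates at INT_MAX the increment is signed overflow, which is undefined behaviour in C++ rather than a guaranteed wrap to SK_MinS32, and the clamp the comment promises then depends on the compiler happening to wrap. Widening before the increment removes the UB and keeps the clamp: `int n = SkTMin<uint32_t>(static_cast<uint32_t>(SkFloatToIntFloor(-fx * invDx)) + 1, count);` in the first hunk and the same shape for the `(1 - fx) * invDx` line in the second hunk. Converting the floor result to unsigned is only safe because the enclosing `fx < 0` / dx_is_pos and `fx > 1` / dx < 0 branches appear to keep the product non-negative (assuming invDx carries the sign of dx — worth confirming), which is the fact the comment should state instead of "casting to uint32 ensures correct clamping". The body of shade4_dx_clamp starts and ends outside both hunks, so the origin and positivity of count cannot be checked here.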