diff options
author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-10-29 12:59:22 +0100 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2018-11-05 15:37:34 +0000 |
commit | 4a6c45c124a5fc8f60aecd17ee21cbeafe53de4b (patch) | |
tree | b7d4f5175f5fdddacba5b37c0de2d35d83f9531c | |
parent | cf0481a4fbab8d69806842f2f0e0837aed5a03ae (diff) |
[Backport] Second fix for CVE-2018-12371
check for overflow in maxedgecount
Bug: 848521
Change-Id: I285c683518400c276663b575d7ec0534d66e541a
Reviewed-on: https://skia-review.googlesource.com/146880
Auto-Submit: Mike Reed <reed@google.com>
Commit-Queue: Herb Derby <herb@google.com>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/skia/src/core/SkEdgeBuilder.cpp | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp b/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp index d0a22537403..04970ede28f 100644 --- a/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp +++ b/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp @@ -5,12 +5,15 @@ * found in the LICENSE file. */ #include "SkEdgeBuilder.h" -#include "SkPath.h" -#include "SkEdge.h" + #include "SkAnalyticEdge.h" +#include "SkEdge.h" #include "SkEdgeClipper.h" -#include "SkLineClipper.h" #include "SkGeometry.h" +#include "SkLineClipper.h" +#include "SkPath.h" +#include "SkPathPriv.h" +#include "SkSafeMath.h" /////////////////////////////////////////////////////////////////////////////// @@ -263,7 +266,11 @@ int SkEdgeBuilder::buildPoly(const SkPath& path, const SkIRect* iclip, int shift // clipping can turn 1 line into (up to) kMaxClippedLineSegments, since // we turn portions that are clipped out on the left/right into vertical // segments. - maxEdgeCount *= SkLineClipper::kMaxClippedLineSegments; + SkSafeMath safe; + maxEdgeCount = safe.mul(maxEdgeCount, SkLineClipper::kMaxClippedLineSegments); + if (!safe) { + return 0; + } } size_t edgeSize; |