authorAllan Sandfeld Jensen <allan.jensen@qt.io>2018-10-29 12:59:22 +0100
committerMichael BrĂ¼ning <michael.bruning@qt.io>2018-11-05 15:37:34 +0000
commit4a6c45c124a5fc8f60aecd17ee21cbeafe53de4b (patch)
treeb7d4f5175f5fdddacba5b37c0de2d35d83f9531c
parentcf0481a4fbab8d69806842f2f0e0837aed5a03ae (diff)
[Backport] Second fix for CVE-2018-12371
check for overflow in maxedgecount Bug: 848521 Change-Id: I285c683518400c276663b575d7ec0534d66e541a Reviewed-on: https://skia-review.googlesource.com/146880 Auto-Submit: Mike Reed <reed@google.com> Commit-Queue: Herb Derby <herb@google.com> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/skia/src/core/SkEdgeBuilder.cpp15
1 files changed, 11 insertions, 4 deletions
diff --git a/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp b/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp
index d0a22537403..04970ede28f 100644
--- a/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp
+++ b/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp
@@ -5,12 +5,15 @@
* found in the LICENSE file.
*/
#include "SkEdgeBuilder.h"
-#include "SkPath.h"
-#include "SkEdge.h"
+
#include "SkAnalyticEdge.h"
+#include "SkEdge.h"
#include "SkEdgeClipper.h"
-#include "SkLineClipper.h"
#include "SkGeometry.h"
+#include "SkLineClipper.h"
+#include "SkPath.h"
+#include "SkPathPriv.h"
+#include "SkSafeMath.h"
///////////////////////////////////////////////////////////////////////////////
@@ -263,7 +266,11 @@ int SkEdgeBuilder::buildPoly(const SkPath& path, const SkIRect* iclip, int shift
// clipping can turn 1 line into (up to) kMaxClippedLineSegments, since
// we turn portions that are clipped out on the left/right into vertical
// segments.
- maxEdgeCount *= SkLineClipper::kMaxClippedLineSegments;
+ SkSafeMath safe;
+ maxEdgeCount = safe.mul(maxEdgeCount, SkLineClipper::kMaxClippedLineSegments);
+ if (!safe) {
+ return 0;
+ }
}
size_t edgeSize;
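Review bot: The overflow check at `maxEdgeCount = safe.mul(maxEdgeCount, SkLineClipper::kMaxClippedLineSegments);` is done in `size_t`, but the declaration of `maxEdgeCount` is outside this hunk. If it is still an `int` in this backported tree, a product above `INT_MAX` fits in a 64-bit `size_t`, leaves `safe` true, and is then narrowed on assignment, so the value that later sizes the edge buffers can still wrap. Please confirm the declared type. If it is `int`, keep the product in a `size_t` and range-check it before storing: `size_t n = safe.mul(maxEdgeCount, SkLineClipper::kMaxClippedLineSegments);` then `if (!safe || n > (size_t)INT_MAX) { return 0; }` then `maxEdgeCount = (int)n;`. A one-line comment on the `return 0` saying that an unrepresentable edge count means nothing is built would help the next reader, since callers presumably treat 0 as an empty path. buildPoly's body starts before and continues after this hunk, so the later size computations using `maxEdgeCount` and `edgeSize` are not visible here and deserve the same check.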