authorAllan Sandfeld Jensen <allan.jensen@qt.io>2018-10-29 12:57:11 +0100
committerMichael BrĂ¼ning <michael.bruning@qt.io>2018-11-05 15:37:29 +0000
commitcf0481a4fbab8d69806842f2f0e0837aed5a03ae (patch)
tree411e1705d604c5182602f6ab45a78c0e79a6edbe
parentf428bbce2a8f33801b92c6bb87203afb7ad6701c (diff)
[Backport] Fix for security issue 875494
fix dashimpl underflow Previous impl would assert (and read past legal memory) for the new test. Bug: skia: 8274 Bug: 875494 Change-Id: I26a56a166892444b34512a120940f7cfd6f453d8 Reviewed-on: https://skia-review.googlesource.com/148940 Commit-Queue: Mike Reed <reed@google.com> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/skia/src/utils/SkDashPath.cpp10
1 files changed, 10 insertions, 0 deletions
diff --git a/chromium/third_party/skia/src/utils/SkDashPath.cpp b/chromium/third_party/skia/src/utils/SkDashPath.cpp
index e4840c84b6e..ef33b4d9d5c 100644
--- a/chromium/third_party/skia/src/utils/SkDashPath.cpp
+++ b/chromium/third_party/skia/src/utils/SkDashPath.cpp
@@ -355,6 +355,8 @@ bool SkDashPath::InternalFilter(SkPath* dst, const SkPath& src, SkStrokeRec* rec
int32_t count, SkScalar initialDashLength, int32_t initialDashIndex,
SkScalar intervalLength,
StrokeRecApplication strokeRecApplication) {
+ // we must always have an even number of intervals
+ SkASSERT(is_even(count));
// we do nothing if the src wants to be filled
SkStrokeRec::Style style = rec->getStyle();
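Review bot: The even-count precondition added at the top of InternalFilter is enforced only by `SkASSERT`, which is compiled out of release builds, so shipped code still depends on every caller passing a valid count. The pinned state set in the second hunk (index == count, endPhase = 0) is then read by `is_even(index) == (endPhase > 0)`, which only gives the intended "no trailing dash" result when count is even. If the callers, which are not visible here, do not already validate the interval array, a release-mode guard such as `if (count < 2 || !is_even(count)) return false;` would make the assumption hold everywhere. Assuming is_even is a plain parity test, the assertion also accepts count == 0. The function body continues outside this hunk.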
@@ -378,6 +380,14 @@ bool SkDashPath::InternalFilter(SkPath* dst, const SkPath& src, SkStrokeRec* rec
while (endPhase > intervals[index]) {
endPhase -= intervals[index++];
SkASSERT(index <= count);
+ if (index == count) {
+ // We have run out of intervals. endPhase "should" never get to this point,
+ // but it could if the subtracts underflowed. Hence we will pin it as if it
+ // perfectly ran through the intervals.
+ // See crbug.com/875494 (and skbug.com/8274)
+ endPhase = 0;
+ break;
+ }
}
// if dash ends inside "on", or ends at beginning of "off"
if (is_even(index) == (endPhase > 0)) {
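Review bot: The new bound check compares with `==` and runs only after the increment, so it stops the walk only when index reaches count exactly from below. index is initialised outside this hunk; if it could ever enter the loop at or beyond count, the condition `endPhase > intervals[index]` would read past the array, and in a release build the retained `SkASSERT(index <= count)` would not stop it. Writing the check as `if (index >= count) {` costs nothing and also covers that case. The description refers to a new test, but the diffstat shows only SkDashPath.cpp changed, so this backport appears to carry no regression coverage for the underflow.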