From cf0481a4fbab8d69806842f2f0e0837aed5a03ae Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Mon, 29 Oct 2018 12:57:11 +0100
Subject: [Backport] Fix for security issue 875494 fix dashimpl underflow Previous impl would assert (and read past legal memory) for the new test.
Bug: skia: 8274
Bug: 875494
Change-Id: I26a56a166892444b34512a120940f7cfd6f453d8
Reviewed-on: https://skia-review.googlesource.com/148940
Commit-Queue: Mike Reed
Reviewed-by: Allan Sandfeld Jensen
---
 chromium/third_party/skia/src/utils/SkDashPath.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/chromium/third_party/skia/src/utils/SkDashPath.cpp b/chromium/third_party/skia/src/utils/SkDashPath.cpp
index e4840c84b6e..ef33b4d9d5c 100644
--- a/chromium/third_party/skia/src/utils/SkDashPath.cpp
+++ b/chromium/third_party/skia/src/utils/SkDashPath.cpp
@@ -355,6 +355,8 @@ bool SkDashPath::InternalFilter(SkPath* dst, const SkPath& src, SkStrokeRec* rec
 int32_t count, SkScalar initialDashLength, int32_t initialDashIndex, SkScalar intervalLength, StrokeRecApplication strokeRecApplication) {
+ // we must always have an even number of intervals
+ SkASSERT(is_even(count));
 // we do nothing if the src wants to be filled
 SkStrokeRec::Style style = rec->getStyle();
@@ -378,6 +380,14 @@ bool SkDashPath::InternalFilter(SkPath* dst, const SkPath& src, SkStrokeRec* rec
 while (endPhase > intervals[index]) {
 endPhase -= intervals[index++];
 SkASSERT(index <= count);
+ if (index == count) {
+ // We have run out of intervals. endPhase "should" never get to this point,
+ // but it could if the subtracts underflowed. Hence we will pin it as if it
+ // perfectly ran through the intervals.
+ // See crbug.com/875494 (and skbug.com/8274)
+ endPhase = 0;
+ break;
+ }
 }
 // if dash ends inside "on", or ends at beginning of "off"
 if (is_even(index) == (endPhase > 0)) {
-- cgit v1.2.3
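Review bot: The even-count invariant added at the top of InternalFilter is checked only with `SkASSERT`, which is compiled out of release builds, so an odd `count` would still reach the interval walk in the second hunk in shipped binaries. That matters because the pin in the second hunk leaves `index == count` with `endPhase = 0`, and the following `is_even(index) == (endPhase > 0)` test only skips the branch when `count` is even. If the call sites (outside this diff) do not already validate the interval array, a runtime guard such as `if (!is_even(count)) { return false; }` would enforce the invariant in every build. The function body continues outside the hunk.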
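Review bot: After the added `break`, `index` is left equal to `count`, so the guard is only safe as long as nothing after the loop reads `intervals[index]`. The visible `is_even(index) == (endPhase > 0)` test does not, but the body of that `if` lies outside the hunk and should be checked. The commit message refers to a new test, yet the diffstat shows only SkDashPath.cpp changed, so this backport carries no regression test for the pinned path. Consider bringing the upstream test along so the out-of-bounds read stays covered in this tree. A short note on the pin, e.g. `// index == count here; do not index intervals[] past this point`, would also help the next reader.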