| Index: src/core/SkPathRef.cpp
|
| diff --git a/src/core/SkPathRef.cpp b/src/core/SkPathRef.cpp
|
| index cf4e8ffba20477e471f53c454ebced02be523523..49a04999ac201e831363b37a0fdc0b666500bd72 100644
|
| --- a/src/core/SkPathRef.cpp
|
| +++ b/src/core/SkPathRef.cpp
|
| @@ -9,6 +9,7 @@
|
| #include "SkOncePtr.h"
|
| #include "SkPath.h"
|
| #include "SkPathRef.h"
|
| +#include <limits>
|
|
|
| //////////////////////////////////////////////////////////////////////////////
|
| SkPathRef::Editor::Editor(SkAutoTUnref<SkPathRef>* pathRef,
|
| @@ -136,11 +137,16 @@ SkPathRef* SkPathRef::CreateFromBuffer(SkRBuffer* buffer) {
|
| bool isRRect = (packed >> kIsRRect_SerializationShift) & 1;
|
|
|
| int32_t verbCount, pointCount, conicCount;
|
| + ptrdiff_t maxPtrDiff = std::numeric_limits<ptrdiff_t>::max();
|
| if (!buffer->readU32(&(ref->fGenerationID)) ||
|
| !buffer->readS32(&verbCount) ||
|
| verbCount < 0 ||
|
| + static_cast<uint32_t>(verbCount) > maxPtrDiff/sizeof(uint8_t) ||
|
| !buffer->readS32(&pointCount) ||
|
| pointCount < 0 ||
|
| + static_cast<uint32_t>(pointCount) > maxPtrDiff/sizeof(SkPoint) ||
|
| + sizeof(uint8_t) * verbCount + sizeof(SkPoint) * pointCount >
|
| + static_cast<size_t>(maxPtrDiff) ||
|
| !buffer->readS32(&conicCount) ||
|
| conicCount < 0) {
|
| delete ref;
|
|
|
Chromium Code Reviews
Issue 1653003004:
Fix fuzzer-found deserialization bug in SkPathRef (Closed)
Base URL: https://chromium.googlesource.com/skia.git@master