authorAllan Sandfeld Jensen <allan.jensen@qt.io>2018-10-29 12:59:22 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2018-10-30 22:08:34 +0000
commit3eeb84af35d154cb60e5d0516d809612adc1a4a5 (patch)
treeb412627407c2b14dfe3b44f72e3bfccd219ffd94
parentc6e9629156caae26b617836bb28a9938c7aab7b2 (diff)
[Backport] Second fix for CVE-2018-12371
check for overflow in maxedgecount Bug: 848521 Change-Id: I5d5f28bc2ceef6e7a90b87f5e8c064473c6f67a3 Reviewed-on: https://skia-review.googlesource.com/146880 Auto-Submit: Mike Reed <reed@google.com> Commit-Queue: Herb Derby <herb@google.com> Reviewed-by: Herb Derby <herb@google.com> Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/skia/src/core/SkEdgeBuilder.cpp7
1 files changed, 6 insertions, 1 deletions
diff --git a/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp b/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp
index 48c1bca5ac2..853f5409fc9 100644
--- a/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp
+++ b/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp
@@ -14,6 +14,7 @@
#include "SkLineClipper.h"
#include "SkPath.h"
#include "SkPathPriv.h"
+#include "SkSafeMath.h"
#include "SkTo.h"
///////////////////////////////////////////////////////////////////////////////
@@ -272,7 +273,11 @@ int SkEdgeBuilder::buildPoly(const SkPath& path, const SkIRect* iclip, int shift
// clipping can turn 1 line into (up to) kMaxClippedLineSegments, since
// we turn portions that are clipped out on the left/right into vertical
// segments.
- maxEdgeCount *= SkLineClipper::kMaxClippedLineSegments;
+ SkSafeMath safe;
+ maxEdgeCount = safe.mul(maxEdgeCount, SkLineClipper::kMaxClippedLineSegments);
+ if (!safe) {
+ return 0;
+ }
}
size_t edgeSize;
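Review bot: The guard on `safe.mul(...)` only detects overflow of `size_t`, because SkSafeMath::mul works on `size_t` operands, and the declaration of `maxEdgeCount` is outside this hunk. If that variable is narrower than `size_t` (for example `int`), the product is truncated on assignment while `safe` stays true, so a buffer later sized from it could still be smaller than the number of edges written. In that case I would keep the product in a `size_t` local and reject it when it does not fit, e.g. `if (!safe || !SkTFitsIn<int>(product)) { return 0; }`. A one-line comment on `return 0;` stating that an overflowing count is treated as "no edges built" would also help the next reader; buildPoly's body starts before and continues past this hunk.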