From 4a6c45c124a5fc8f60aecd17ee21cbeafe53de4b Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Mon, 29 Oct 2018 12:59:22 +0100
Subject: [Backport] Second fix for CVE-2018-12371 check for overflow in maxedgecount
Bug: 848521
Change-Id: I285c683518400c276663b575d7ec0534d66e541a
Reviewed-on: https://skia-review.googlesource.com/146880
Auto-Submit: Mike Reed
Commit-Queue: Herb Derby
Reviewed-by: Allan Sandfeld Jensen
---
 chromium/third_party/skia/src/core/SkEdgeBuilder.cpp | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp b/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp
index d0a22537403..04970ede28f 100644
--- a/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp
+++ b/chromium/third_party/skia/src/core/SkEdgeBuilder.cpp
@@ -5,12 +5,15 @@
 * found in the LICENSE file.
 */
 #include "SkEdgeBuilder.h"
-#include "SkPath.h"
-#include "SkEdge.h"
+
 #include "SkAnalyticEdge.h"
+#include "SkEdge.h"
 #include "SkEdgeClipper.h"
-#include "SkLineClipper.h"
 #include "SkGeometry.h"
+#include "SkLineClipper.h"
+#include "SkPath.h"
+#include "SkPathPriv.h"
+#include "SkSafeMath.h"
 
 ///////////////////////////////////////////////////////////////////////////////
 
@@ -263,7 +266,11 @@ int SkEdgeBuilder::buildPoly(const SkPath& path, const SkIRect* iclip, int shift
 // clipping can turn 1 line into (up to) kMaxClippedLineSegments, since
 // we turn portions that are clipped out on the left/right into vertical
 // segments.
- maxEdgeCount *= SkLineClipper::kMaxClippedLineSegments;
+ SkSafeMath safe;
+ maxEdgeCount = safe.mul(maxEdgeCount, SkLineClipper::kMaxClippedLineSegments);
+ if (!safe) {
+ return 0;
+ }
 }
 
 size_t edgeSize;
-- 
cgit v1.2.1
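Review bot: The overflow check added in `buildPoly` may not cover the variable that receives the product, because `safe.mul(...)` is assigned straight back to `maxEdgeCount`, whose declaration is outside the hunk. If `maxEdgeCount` is an `int` and `SkSafeMath::mul` computes in `size_t` (both inferred, neither is visible here), then on 64-bit builds `safe` stays true for every non-negative `int` input and the narrowing assignment can still wrap, which is the condition this CVE fix is meant to stop. Keeping the product in a `size_t` and range-checking it before narrowing would close that gap: `size_t n = safe.mul(maxEdgeCount, SkLineClipper::kMaxClippedLineSegments);` then `if (!safe || n > static_cast<size_t>(INT_MAX)) { return 0; }` and only then `maxEdgeCount = static_cast<int>(n);`. A short comment on the `return 0` saying that an empty edge list is the intended result for an oversized path would also help the next reader; the function body begins and ends outside the hunk.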