Fix fuzzer-found deserialization bug in SkPathRef

[Cherry pick of 0735de67c8a0812ae2fd103ae1bd7f2157c6a0b2 to chrome/m49.]

This fixes a bug in SkPathRef::CreateFromBuffer found by
fuzzing SkPaintImageFilter.

BUG=582705
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1653003004

Review URL: https://codereview.chromium.org/1653003004
NOTREECHECKS=true
NOTRY=true
NOPRESUBMIT=true

Review URL: https://codereview.chromium.org/1665613003
diff --git a/src/core/SkPathRef.cpp b/src/core/SkPathRef.cpp
index cf4e8ff..49a0499 100644
--- a/src/core/SkPathRef.cpp
+++ b/src/core/SkPathRef.cpp
@@ -9,6 +9,7 @@
 #include "SkOncePtr.h"
 #include "SkPath.h"
 #include "SkPathRef.h"
+#include <limits>
 
 //////////////////////////////////////////////////////////////////////////////
 SkPathRef::Editor::Editor(SkAutoTUnref<SkPathRef>* pathRef,
@@ -136,11 +137,16 @@
     bool isRRect  = (packed >> kIsRRect_SerializationShift) & 1;
 
     int32_t verbCount, pointCount, conicCount;
+    ptrdiff_t maxPtrDiff = std::numeric_limits<ptrdiff_t>::max();
     if (!buffer->readU32(&(ref->fGenerationID)) ||
         !buffer->readS32(&verbCount) ||
         verbCount < 0 ||
+        static_cast<uint32_t>(verbCount) > maxPtrDiff/sizeof(uint8_t) ||
         !buffer->readS32(&pointCount) ||
         pointCount < 0 ||
+        static_cast<uint32_t>(pointCount) > maxPtrDiff/sizeof(SkPoint) ||
+        sizeof(uint8_t) * verbCount + sizeof(SkPoint) * pointCount >
+            static_cast<size_t>(maxPtrDiff) ||
         !buffer->readS32(&conicCount) ||
         conicCount < 0) {
         delete ref;
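Review bot: On 64-bit builds the three added comparisons against `maxPtrDiff` can never be true for a non-negative `int32_t` count, so `verbCount` and `pointCount` are still limited only by INT32_MAX there, and `conicCount` is only sign-checked on every platform. The function body continues outside this hunk, so it is inferred rather than visible that these counts size the allocations that follow. If they do, the stronger guard is to reject any count whose byte size exceeds what remains unread in `buffer`, before anything is allocated. The combined-size test at `sizeof(uint8_t) * verbCount + sizeof(SkPoint) * pointCount` also needs a short comment saying why `ptrdiff_t` is the limit, for example `// verb and point storage must stay addressable by pointer difference`, if that is the intent.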