| commit | 675576f023c8fa10cdb0c18bc0a6c214e0bab069 | [log] [tgz] |
|---|---|---|
| author | senorblanco <senorblanco@chromium.org> | Fri May 06 08:48:57 2016 -0700 |
| committer | Commit bot <commit-bot@chromium.org> | Fri May 06 08:48:57 2016 -0700 |
| tree | 1a66f10f92a45de77e8a84f111574b6bad1f8df8 | |
| parent | bad1abc748a4a7cd4863803e1c90ac0769a98d0a [diff] |
Detect an invalid intervalCount in SkRegion during deserialiation. BUG=609260 GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1961463003 Review-Url: https://codereview.chromium.org/1961463003
diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp index 38d12d2..a50425a 100644 --- a/src/core/SkRegion.cpp +++ b/src/core/SkRegion.cpp
@@ -1136,7 +1136,8 @@ tmp.fRunHead = SkRegion_gRectRunHeadPtr; } else { int32_t ySpanCount, intervalCount; - if (buffer.readS32(&ySpanCount) && buffer.readS32(&intervalCount)) { + if (buffer.readS32(&ySpanCount) && buffer.readS32(&intervalCount) && + intervalCount > 1) { tmp.allocateRuns(count, ySpanCount, intervalCount); buffer.read(tmp.fRunHead->writable_runs(), count * sizeof(RunType)); }